BleepingComputer reports that three malicious NPM packages mimicking NodeJS libraries, which have accumulated more than 1,200 downloads during the past two months, have been distributing the TurkoRAT information-stealing malware.
ReversingLabs researchers discovered that one of the packages, dubbed "nodejs-encrypt-agent", bundled a "lib.exe" executable that resembles the legitimate Node.js binary but actually runs TurkoRAT, a customizable stealer that can harvest login credentials and cryptocurrency wallets and evade debuggers and sandbox environments. TurkoRAT was also deployed by "nodejs-cookie-proxy-agent", which pulled the executable in through a dependency, "axios-proxy", in an effort to better evade detection.
"This time, attackers disguised it as a dependency, axios-proxy, that was imported into every file found inside nodejs-cookie-proxy-agent versions 1.1.0, 1.2.0, 1.2.1 and 1.2.2," said researchers, who added that although the packages were removed once detected, their prolonged availability on NPM underscores the risk that open source packages pose to the software supply chain.
Blind Eagle's attacks begin with phishing emails spoofing Colombia's tax authority that lure recipients into clicking embedded links; the links redirect to a ZIP archive hosted in a Google Drive folder, which leads to the execution of BlotchyQuasar.
Attackers leveraged a malicious DLL loaded through the Microsoft Word application to retrieve, via the open-source remote desktop and remote administration software UltraVNC, a launcher that injects the CXCLNT malware and the CLTEND remote access tool.
Intrusions exploiting the vulnerability have distributed not only the GOREVERSE reverse proxy server but also the Condi malware, the Mirai botnet variant Jenx, and four other cryptocurrency-mining payloads.