Hackers hijacked the favored UA-Parser-JS NPM library, with tens of millions of downloads per week, to contaminate Linux and Home windows units with cryptominers and password-stealing trojans in a supply-chain assault.
The UA-Parser-JS library is used to parse a browser’s consumer agent to establish a customer’s browser, engine, OS, CPU, and Machine kind/mannequin.
The library is immensely common, with tens of millions of downloads per week and over 24 million downloads this month to this point. As well as, the library is utilized in over a thousand different tasks, together with these by Fb, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit, and many more well-known companies.
UA-Parser-JS venture hijacked to put in malware
On October twenty second, a risk actor printed malicious variations of the UA-Parser-JS NPM library to put in cryptominers and password-stealing trojans on Linux and Home windows units.
In line with the developer, his NPM account was hijacked and used to deploy the three malicious variations of the library.
“I seen one thing uncommon when my e-mail was all of the sudden flooded by spams from lots of of internet sites (possibly so I do not understand one thing was up, fortunately the impact is sort of the opposite),” defined Faisal Salman, the developer of UA-Parser-JS, in a bug report.
“I imagine somebody was hijacking my npm account and printed some compromised packages (
1.0.0) which is able to most likely set up malware as may be seen from the diff right here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0.”
The affected variations and their patched counterparts are:
|Malicious model||Mounted model|
From copies of the malicious NPMs shared with BleepingComputer by Sonatype, we will higher perceive the assault.
When the compromised packages are put in on a consumer’s gadget, a preinstall.js script will test the kind of working system used on the gadget and both launch a Linux shell script or a Home windows batch file.
If the package deal is on a Linux gadget, a preinstall.sh script shall be executed to test if the consumer is positioned in Russia, Ukraine, Belarus, and Kazakhstan. If the gadget shouldn’t be positioned in these nations, the script will obtain the jsextension [VirusTotal] program from 159[.]148[.]186[.]228 and execute it.
The jsextension program is an XMRig Monero miner, which is able to use solely 50% of the gadget’s CPU to keep away from being simply detected.
For Home windows units, the batch file may even obtain the XMRig Monero cryptominer and put it aside as jsextension.exe [VirusTotal] and execute it. As well as, the batch file will obtain an sdd.dll file [VirusTotal] from citationsherbe[.]at and save it as create.dll.
The downloaded DLL is a password-stealing trojan (presumably DanaBot) that may try to steal the passwords saved on the gadget.
When the DLL is loaded utilizing the
regsvr32.exe -s create.dll command, it can try to steal passwords for all kinds of packages, together with FTP purchasers, VNC, messaging software program, e-mail purchasers, and browsers.
An inventory of focused packages may be discovered within the desk beneath.
|Display screen Saver 9x||Apple Safari||NetDrive|
|PC Distant Management||Distant Desktop Connection||Becky|
|ASP.NET Account||Cisco VPN Consumer||The Bat!|
|CamFrog||FAR Supervisor FTP||Gmail Notifier|
|Win9x NetCache||Home windows/Whole Commander||Mail.Ru Agent|
|“&RQ, R&Q”||CuteFTP||Group Mail Free|
|IM2/Messenger 2||BulletProof FTP Consumer||POP Peeper|
|Google Discuss||SmartFTP||Mail Commander|
|Faim||TurboFTP||Home windows Stay Mail|
|MSN Messenger||CoffeeCup FTP||SeaMonkey|
|Home windows Stay Messenger||Core FTP||Flock|
|Paltalk||FTP Explorer||Obtain Grasp|
|Excite Personal Messenger||Frigate3 FTP||Web Obtain Accelerator|
|PartyPoker||SoftX FTP Consumer||WebCred|
|CakePoker||Listing Opus||Home windows Credentials|
|UBPoker||FTP Uploader||MuxaSoft Dialer|
|EType Dialer||FreeFTP/DirectFTP||FlexibleSoft Dialer|
|RAS Passwords||LeapFTP||Dialer Queen|
|Chrome||32bit FTP||Superior Dialer|
|Opera||WebDrive||Home windows RAS|
Along with stealing passwords from the above packages, the DLL will execute a PowerShell script to steal passwords from the Home windows credential supervisor, as proven beneath.
This assault seems to have been performed by the identical risk actor behind different malicious NPM libraries found this week.
Researchers from open-source safety agency Sonatype discovered three malicious NPM libraries used to deploy cryptominers on Linux and Home windows units in an virtually similar method.
What ought to UA-Parser-JS customers do?
As a result of widespread influence of this supply-chain assault, it’s strongly suggested that each one customers of the UA-Parser-JS library test their tasks for malicious software program.
This consists of checking for the existence of both jsextension.exe (Home windows) or jsextension (Linux) and deleting them if they’re discovered.
For Home windows customers, it’s best to scan your gadget for a create.dll file and delete it instantly.
Whereas solely Home windows was contaminated with a password-stealing Trojan, it’s sensible for Linux customers to additionally assume their gadget was absolutely compromised.
On account of this, all contaminated Linux and Home windows customers must also change their passwords, keys, and refresh tokens, as they had been probably compromised and despatched to the risk actor.
Whereas altering your passwords and entry tokens will probably be an enormous enterprise, by not doing so, the risk actor can compromise different accounts, together with any tasks you develop for additional supply-chain assaults.