Threat Analysis: Malicious npm package mimics Material Tailwind CSS tool


ReversingLabs discovered a malicious npm package masquerading as the software tool Material Tailwind. Here, we take a closer look at our findings and threat analysis.

Note: This analysis was updated on Friday, September 23rd with new information regarding additional MachO executables.

Researchers at ReversingLabs have been tracking the growing risk from open source software repositories and the new techniques threat actors use to spread malicious code through them. The latest example is a malicious npm package masquerading as Material Tailwind, a library whose website describes it as an "easy way" to use Tailwind CSS together with Material Design's component library.

Both are recognizable names and extremely popular among developers, each with millions of downloads. Tailwind CSS is an open-source CSS framework; Material Design is a design language built on grid-based layouts, responsive animations and other visual effects.

The malicious Material Tailwind npm package presents itself as a useful development tool, but it ships with an automatic post-installation script that downloads a password-protected zip file containing a malicious executable: a custom-packed Windows binary that runs PowerShell scripts.

The ReversingLabs research team specifically hunts for packages containing obfuscated code and found this one using the Titanium Platform, which tracks software behavior. Below is a detailed account of how the package was found, how the team deobfuscated the malicious code to understand the attacker's techniques, and the indicators of compromise (IoCs) that can be used to check whether a system has been compromised.

Obfuscated code: red flags for npm packages

Similar to previous findings, Material Tailwind caught the attention of Titanium Platform behavioral indicators because it contained code obfuscated with the JavaScript Obfuscator.

Unlike previous cases, however, the actors behind Material Tailwind put real effort into making the package description as convincing as possible. Closer inspection revealed that the description was copied from another npm package, tailwindcss-stimulus-components. The threat actor carefully reworked the entire text and all code snippets to replace the original package name with Material Tailwind. The malicious package also fully implements the functionality of the original package, so a developer who installs it sees nothing missing.

Postinstall script

Behavioral indicators, however, don't lie. One of the JavaScript files in the package, tailwindcss-stimulus-scripts.min.cjs, contains obfuscated code, and the same file is declared as a postinstall script in package.json. Packages delivered via npm let developers declare several kinds of scripts in package.json, each executed at a particular point in the package's lifecycle.

Postinstall scripts run immediately after the package is installed, which is why they are such a common code-execution mechanism for attackers. From a threat researcher's perspective, an obfuscated script set to run right after installation is a big red flag.
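The two signals just described, a lifecycle hook in package.json and javascript-obfuscator style code in the file it runs, can be checked mechanically before a dependency is installed. The Node script below is an added example written for this article, not code from the ReversingLabs post or from the package under analysis; the manifest, file contents and package name it uses are constructed for the demo, and the obfuscation heuristics are the author's own, not a Titanium Platform indicator.

```javascript
// Added example (not code from the ReversingLabs post): audit an npm manifest
// for lifecycle hooks and score the script each hook runs for the hallmarks of
// javascript-obfuscator output. All inputs below are constructed for the demo.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed manifest modelled on the package described in the post:
// a postinstall hook that runs a minified .cjs file. The name is hypothetical.
const SAMPLE_MANIFEST = {
  name: "example-tailwind-package",
  version: "0.0.1",
  scripts: {
    build: "rollup -c",
    postinstall: "node ./dist/tailwindcss-stimulus-scripts.min.cjs",
  },
};

// Constructed snippet mimicking javascript-obfuscator output: hex-named
// identifiers, a rotated string array of base64 literals, computed member access.
const SAMPLE_OBFUSCATED = [
  "var _0x3fa1=['Y2hpbGRfcHJvY2Vzcw==','aHR0cHM=','ZnM='];",
  "(function(_0x1f4c,_0x2b7d){var _0x4e2a=function(_0x5c1b){while(--_0x5c1b){" +
    "_0x1f4c['push'](_0x1f4c['shift']());}};_0x4e2a(++_0x2b7d);}(_0x3fa1,0x1a3));",
  "var _0x1d2e=function(_0x1f4c){return _0x3fa1[_0x1f4c];};",
  "require(_0x1d2e(0x0))['exec'](_0x1d2e(0x1));",
].join("\n");

// Constructed benign file for comparison.
const SAMPLE_CLEAN = [
  'const fs = require("fs");',
  "module.exports = function readConfig(p) {",
  '  return JSON.parse(fs.readFileSync(p, "utf8"));',
  "};",
].join("\n");

// Files as they would be read from the unpacked tarball (path -> contents).
const SAMPLE_FILES = {
  "dist/tailwindcss-stimulus-scripts.min.cjs": SAMPLE_OBFUSCATED,
  "dist/index.cjs": SAMPLE_CLEAN,
};

// Lifecycle hooks declared in the manifest, with the command each one runs.
function findLifecycleScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE_HOOKS.filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Heuristic score: one point per hallmark of javascript-obfuscator output.
function obfuscationScore(source) {
  let score = 0;
  const hexIdents = (source.match(/_0x[0-9a-f]{3,6}/g) || []).length;
  if (hexIdents >= 5) score += 1;                                    // hex identifier naming
  if (/\['push'\]\([^)]*\['shift'\]/.test(source)) score += 1;       // string-array rotation
  if (/['"][A-Za-z0-9+\/]{8,}={0,2}['"]/.test(source)) score += 1;   // base64-looking literals
  if (/\[\s*['"][A-Za-z_$][\w$]*['"]\s*\]/.test(source)) score += 1; // obj['prop'] access
  return score;
}

// The script file a hook command refers to (first .js/.cjs/.mjs token).
function referencedFile(command) {
  const m = command.match(/\S+\.[cm]?js\b/);
  return m ? m[0].replace(/^\.\//, "") : null;
}

// Every lifecycle hook becomes a finding; a hook whose script scores at or
// above the threshold is marked suspicious for manual review.
function auditPackage(manifest, files, threshold = 2) {
  return findLifecycleScripts(manifest).map(({ hook, command }) => {
    const file = referencedFile(command);
    const source = file !== null && file in files ? files[file] : null;
    const score = source === null ? 0 : obfuscationScore(source);
    return { hook, command, file, score, suspicious: score >= threshold };
  });
}

console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

In practice the manifest and files come from `npm pack` output inspected before `npm install`, so the hook never gets a chance to run; the score is deliberately coarse, since a single hallmark also appears in legitimately minified code.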

In the case of Material Tailwind, the obfuscated script was deobfuscated and its contents analyzed in detail.

Figure 1: Importing NPM modules

Looking at the deobfuscated script, the list of imported modules already looks suspicious: it pulls in modules for file system manipulation, cryptography, network communication, archive decompression and process manipulation.

The script first sends a POST request containing platform information to a hardcoded IP address and checks that it is running on a Win32 system. It then builds a download URL that includes the operating system type, plus an extra parameter that apparently lets the server verify that the request comes from the victim's machine: the parameter is a bcrypt hash of the victim's IP address with the first 7 bytes removed (the first seven characters of a bcrypt hash are the "$2x$NN$" algorithm-and-cost prefix, so stripping them leaves only the salt and digest).

Figure 2: Code responsible for stage 2 download

The downloaded file is a password-protected zip archive containing a single file, DiagnosticsHub.exe. The executable's name varies between package versions. In the current version the archive is encrypted with the password "J##$dj&%qvvV89". Since the archive holds only one file, the password protection is most likely there to defeat basic antivirus scanning of the download rather than to protect anything.

The chosen filenames suggest the attackers are disguising the payload as some kind of diagnostic tool. Finally, the script spawns a child process that runs the downloaded file via cmd /c.

Windows executable

The downloaded Windows executable implements several anti-analysis protections. It is packed with a custom runtime packer whose unpacking routine is written in assembly and makes heavy use of xmm registers, which are normally used for SIMD floating-point arithmetic; here they are abused to trip up security solutions. The malicious code also executes long sleep delays, another attempt to evade detection. When running, the executable contacts widely trusted domains to verify that it has internet access and to detect whether it is running in a sandbox environment.

Figure 3: Base64 decrypted powershell command to create a scheduled task

The packed payload contains several PowerShell snippets responsible for command-and-control communication and process manipulation. Persistence is achieved by executing a base64-encoded PowerShell command that registers a scheduled task to run daily.
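A base64-encoded PowerShell command is easy to unwrap once you remember that -EncodedCommand carries UTF-16LE text rather than UTF-8. The script below is an added example written for this article, not code from the ReversingLabs post or from the malware: it decodes every encoded command found in a process command line and flags the scheduled-task persistence pattern. The command line, task name and executable path it uses are constructed for the demo and are not the malware's actual values.

```javascript
// Added example (not code from the ReversingLabs post): decode PowerShell
// -EncodedCommand payloads found in a command line and flag scheduled-task
// persistence. Sample inputs are constructed; the task name and path are
// hypothetical stand-ins for whatever the real payload used.

// Constructed command of the kind a persistence stage would run: a daily
// scheduled task pointing at the dropped executable.
const SAMPLE_COMMAND =
  'schtasks /create /sc DAILY /tn "DiagnosticsHubUpdate" ' +
  '/tr "C:\\ProgramData\\DiagnosticsHub\\DiagnosticsHub.exe" /f';

// -EncodedCommand takes base64 of the UTF-16LE script text, not UTF-8;
// decoding with the wrong charset is the usual reason decoders "fail".
function encodeCommand(script) {
  return Buffer.from(script, "utf16le").toString("base64");
}

function decodeEncodedCommand(b64) {
  return Buffer.from(b64, "base64").toString("utf16le");
}

// Constructed process command lines as they might appear in an EDR/Sysmon event.
const SAMPLE_CMDLINE =
  "powershell.exe -NoProfile -WindowStyle Hidden -enc " + encodeCommand(SAMPLE_COMMAND);
const BENIGN_CMDLINE = "powershell.exe -EncodedCommand " + encodeCommand("Get-Date");

// Persistence indicators to look for in the decoded script.
const PERSISTENCE_PATTERNS = [
  { name: "schtasks /create", re: /\bschtasks(?:\.exe)?\s+\/create\b/i },
  { name: "Register-ScheduledTask", re: /\bRegister-ScheduledTask\b/i },
  { name: "New-ScheduledTaskTrigger", re: /\bNew-ScheduledTaskTrigger\b/i },
  { name: "Run key", re: /CurrentVersion\\Run\b/i },
];

// PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
const ENCODED_ARG = /-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+\/]+=*)/gi;

// Decode every encoded command in a command line and report persistence hits.
function analyzeCommandLine(cmdline) {
  const results = [];
  for (const m of cmdline.matchAll(ENCODED_ARG)) {
    const decoded = decodeEncodedCommand(m[1]);
    const indicators = PERSISTENCE_PATTERNS
      .filter((p) => p.re.test(decoded))
      .map((p) => p.name);
    results.push({ decoded, indicators, persistence: indicators.length > 0 });
  }
  return results;
}

console.log(analyzeCommandLine(SAMPLE_CMDLINE));
```

The same decoder works on command lines captured from Sysmon event ID 1 or a Windows 4688 event; the argument regex intentionally requires whitespace after the switch so that -ExecutionPolicy is not mistaken for an abbreviated -EncodedCommand.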

In stage 2, the malware retrieves an XOR-encrypted, base64-encoded file from a public Google Drive link. If that link is unreachable, it falls back to two alternative download locations: GitHub and OneDrive. The XOR key used for decryption is the hardcoded string "AJUHKJHOIU351q23AJKI8i7y".

Figure 4: Google Drive file decryption routine

At the time of publication, the decrypted file contains a single IP address: the location of the command-and-control (C2) server, from which the malware receives encrypted instructions over a dedicated socket connection. During dynamic analysis, the C2 server responded with a command indicating that the victim machine's state had not yet been initialized; the malware then ran a PowerShell directory listing of "C:\Program Files" and "C:\Program Files (x86)". The output is written to "C:\ProgramData\DiagnosticsLog\Diagnost.log" and may later be uploaded to the C2 server.
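The redirect file described in the two paragraphs above (XOR-encrypted, base64-encoded, holding one IP address) is simple to reproduce and decode. The Node script below is an added example written for this article, not code from the ReversingLabs post or the malware. It uses the XOR key reported in the post but assumes a plain repeating-key XOR over the raw bytes followed by base64, since the post does not spell out the key scheduling; the plaintext address is a constructed documentation-range value, not the real C2.

```javascript
// Added example (not code from the ReversingLabs post): reproduce and decode a
// redirect file of the kind the stage 2 payload fetches from Google Drive.
// Assumption: repeating-key XOR over the raw bytes, then base64.

const XOR_KEY = "AJUHKJHOIU351q23AJKI8i7y"; // hardcoded key reported in the post

// XOR each byte with the key byte at the same position modulo the key length.
function xorBytes(buf, key) {
  const k = Buffer.from(key, "latin1");
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// Producer side: what the attacker uploads to Google Drive / GitHub / OneDrive.
function encodeRedirect(text, key) {
  return xorBytes(Buffer.from(text, "utf8"), key).toString("base64");
}

// Consumer side: what the stage 2 payload does after fetching the file.
function decodeRedirect(b64, key) {
  return xorBytes(Buffer.from(b64, "base64"), key).toString("utf8");
}

// Pull IPv4 addresses out of the decrypted text (dotted quad, octets 0-255).
function extractIps(text) {
  const octet = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
  const re = new RegExp(`\\b${octet}(?:\\.${octet}){3}\\b`, "g");
  return text.match(re) || [];
}

// Constructed redirect file: a documentation-range address (RFC 5737) stands
// in for the real C2 address, which the post lists among its IoCs.
const SAMPLE_REDIRECT = encodeRedirect("192.0.2.10\n", XOR_KEY);

// Resolve the C2 address, or null if the file does not decrypt to an IP
// (wrong key, tampered file, or the attacker has changed the format).
function resolveC2(b64, key) {
  const ips = extractIps(decodeRedirect(b64, key));
  return ips.length ? ips[0] : null;
}

console.log(resolveC2(SAMPLE_REDIRECT, XOR_KEY));
```

Because a wrong key turns the address into unreadable bytes rather than an error, the resolver validates the output against an IPv4 pattern instead of trusting whatever comes out of the XOR; the same check is useful when sweeping a captured redirect file with candidate keys.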

Figure 5: Powershell Directory List Command

MachO Executable (Updated 23 Sep 2022)

The malicious package was first reported to the npm security team on September 20th. The team responded very quickly and removed the affected package within 24 hours. Unfortunately, it only removed the package from the registry and did not replace it with a security holding package as usual. This gave the attacker an opening to publish new versions under the same package name on Thursday, September 22nd. Three new versions were released, each including a modified postinstall script.

Figure 6: Updated code responsible for stage 2 download

The new version added code that triggers if the package is installed on the Darwin operating system. In that case, instead of a password-protected zip file, another archive containing two MachO files compiled for ARM and x86-64 architectures is downloaded and executed on the compromised machine.

The MachO executables are much simpler than the Windows executable described above. Critical strings are built on the fly by concatenating ASCII characters. Persistence is obtained by creating LaunchAgents, a technique typical of macOS malware. The filename indicates that the malware is trying to pass as a legitimate Core Simulator framework file belonging to the Xcode developer toolset used to build macOS applications. Instructions are fetched from the C2 server with a curl request, and curl's output is piped straight into a shell for execution.

The cross-platform support and the fact that a new version of the package was released shortly after the initial one was removed indicates that there is a sophisticated actor behind this malware.

Spoofing packages on the rise

This Material Tailwind attack is just the latest example of a rising trend: malicious npm packages that pose as legitimate packages to trick developers. The IconBurst campaign, first discovered and published in early July, likewise gave its malicious npm packages names resembling frequently used legitimate packages and used code obfuscation to hide malicious content.

Software supply chain attacks of this kind are now discovered almost daily. In most cases the malware in question is very simple JavaScript code with little obfuscation; sophisticated multi-stage samples like Material Tailwind are still rare.

In this case, the complexity of the malware's tactics leads us to conclude that a sophisticated attacker may be behind the attack. So far, our analysis shows that the stage 2 payload of Material Tailwind can be classified as fully functional Trojan malware. Many techniques are used to complicate reverse engineering, and before contacting the real C2 server the malware resolves its address through a redirect file hosted on legitimate services such as Google Drive.

Given the sophistication of this package and the fact that it mimics a widely used software development library, there is no doubt that attackers will keep leveraging open source repositories. As evasion techniques grow more sophisticated, software development shops need to monitor application behavior and vet new third-party dependencies before including them in their software, using products such as the ReversingLabs Titanium Platform to detect malicious activity.

The ReversingLabs threat research team notes that npm removed the reported version of the package but apparently did not block the same user from uploading again under the same package name. The team has notified npm, which has since put an override in place for the package in question.

Future updates will be shared in this blog post.

Indicators of Compromise (IoC)

IP address:

Package version:

ZIP file:

Stage 2 PE payload:

MachO Stage 2 Archive:

MachO Stage 2 payload:

Stage 2 IP Redirect Provider:



*** This is a Security Bloggers Network syndicated blog from the ReversingLabs blog created by Karlo Zanki. Read the original post:

