Linux and Mac Malware found hiding in NPM Package

While headlines regarding Iran’s nuclear program and possible Israeli malware been used to cause failures at nuclear plants is this week's big cybersecurity news, other developments deserve attention. One such development is the discovery of a new piece of malware that targets Node.JS developers using Mac and Linux machines. The malware was found in a malicious package on the NPM registry, used by developers to supplement their code with existing tools to make their life easier.

The malware was found in a package labeled “web-browserify,” which is intended to imitate the popular Browserify package that has been downloaded over 160 million times. It can be assumed that the attacker by naming their malicious package “web-browserify” is hoping to trick developers into downloading the malicious package. The malware is built by combining hundreds of legitimate open-source components and performs extensive reconnaissance activities on an infected system. As of April 13, 2021, the malware was being detected by none of the malware engines tracked on Virus Total. Writing for Bleeping Computer, Ax Sharma, who works for Sonatype security, along with a team of researchers, discovered the malware.

Fortunately, the malicious package was pulled two days after it was published and was only downloaded 50 times. The package was published by a malware author going by the pseudonym “Steve Jobs”.

Linux and Mac Malware found hiding in NPM Package

The package consists of a manifest file, package.json, a postinstall.js script, and an ELF executable called “run” present in a compressed archive, run.tar.xz within the npm component. Summarising the malware’s infection chain, Sharma notes,

“As soon as "web-browserify" is installed by a developer, the scripts extract and launch the "run" Linux binary from the archive, which requests elevated or root permissions from the user. The extracted run binary is approximately 120 MB in size and has hundreds of legitimate open-source npm components bundled within it, that are being abused for malicious activities. For example, one such component is the cross-platform "sudo-prompt" module that is used by run to prompt the user for granting the malware root privileges on both macOS and Linux distributions. Because elevated privileges would be requested almost at the same time "web-browserify" was being installed, the developer may be misled into believing that it is the legitimate installer activities requiring elevated permissions.”

The malware remains persistent on Linux systems by copying itself to /etc/rot1 from where it subsequently runs on every boot. To exfiltrate stolen data, the malware will send the information over a plaintext connection, using GET parameters. The information is sent to http://me.ejemplo[.]me, which is currently returning a 404 not found error. To access and steal the information the malware uses a legitimate NPM package called “systeminformation” which is capable of accessing the following:

  • System username
  • operating system information, such as manufacturer/brand
  • Information on Docker images
  • Bluetooth-connected devices
  • Virtual Machines present on the system or if virtualization is enabled
  • CPU speed, model, and cores
  • RAM size, hard drive capacity, disk layout, system architecture
  • Hardware information regarding network cards/interfaces, battery, WiFi, USB devices, etc.

The malware's use of legitimate components to evade detection by anti-malware engines should be seen as a warning as to how the attacker will use future iterations of the malware.

ELM Malware

Mac and Linux malware is nothing new. Recently this publication investigated a new Mac malware which targeted developers via the Xcode projects integrated developer environment. Often malware that targets Mac, and in particular Linux machines will abuse the ELF format. ELF stands for Executable and Linkable Format and is commonly used for executable files, object code, shared libraries, and core dumps on Unix and Unix-like systems. ELF malware development is favored by specific malware authors due to the historically low detection rates of Linux malware by security packages and network admins.

While the Linux threat landscape is dominated by DDoS attacks and crypto miners, the landscape is steadily becoming more complex and diverse to include ransomware and malware used by nation-state threat actors. Many of which are capable of abusing the ELF format to execute malicious code. In many of these instances, the attacker is not reliant on the victim accidentally installing the malware but can leverage servers and Internet of Things devices to do the heavy lifting and install the malware. However, as is seen above users can still download software or code, they believe is safe but contains malicious code.

Another avenue for attackers to exploit is via trusted third-party service providers. Attackers can leverage entry to third-party organizations that have direct access to the victim’s systems. These organizations may have limited access to the victim’s infrastructure in which they maintain but can exist in the same network. For example, an attacker can breach an IT services contractor to then target its clients after gaining valid credentials to these organizations.

Detecting and analyzing ELF abuse by malware poses several challenges. An Intezer article discussing the matter found that,

“The internet is full of information about PE [portable executable file format used by 32 and 64 bit Windows operating system versions] file analysis and there are also various easy-to-use tools and tutorials. However, when searching for information about ELF analysis, one can easily get lost. The shortage of relevant and unified information about analysis methodology, verdict determination, and malware evasion techniques, together with the lack of up-to-date open source tools can be frustrating…We can list at least six publicly available sandboxes which support Windows PE files. However, currently there is no online sandbox solution available for executing ELF. The few Linux sandboxes out there—Limon, detux, and LiSa—require creating a sandbox instance and aren’t actively maintained. In this series we will present you with relevant ELF analysis tools for performing both static and dynamic analysis.”

NPM Malware

The above newly discovered malware distributed by a malicious NPM package is not the first to make InfoSec headlines this month. At the start of March, it became apparent that attackers were using dependency confusion attacks to steal Linux password files and open reverse shells back to the attackers. To do this, attackers are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using a flaw discovered by Alex Birsan. Bleeping Computer notes that the flaw works as follows,

“This flaw works by attackers creating packages utilizing the same names as a company's internal repositories or components. When hosted on public repositories, including npm, PyPI, and RubyGems, dependency managers would use the packages on the public repo rather than the company's internal packages when building the application.”

Since the flaws discovery and the release of proof-of-concept code, attackers have been seen targeting the above-mentioned applications related to some of tech’s biggest names to steal passwords. The malicious packages are named “amzn”, “zg-rentals”, “lyft-dataset-sdk”, “serverless-slack-app”. Researchers discovered that the malicious packages would use Birzan’s proof-of-concept code as a template then add malicious code to suit specific needs.

To combat the abuse of NPM packages, Microsoft published a whitepaper that provides three methods to mitigate the risk. The mitigations strategies are intended for developers and contain several technical details which would exclude this publication from going into too much detail but the whitepaper should be treated as required reading for developers reliant on NPM packages.

The abuse of both NPM packages is expected to continue due to the open and public nature of repositories and the ease of creating dependency confusion attacks, we should expect to see this type of attack continue until application developers secure their configuration files. As with the abuse of the ELF format for Linux attacks, the abuse of NPM packages should be regarded as serious.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal