Full Report
A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location. [...]
Analysis Summary
# Tool/Technique: Malicious NPM Package using Unicode Steganography
## Overview
This summary describes a technique in which malicious code is hidden inside an NPM package using Unicode steganography: data is embedded after a seemingly benign visible character (such as a vertical bar '|') as a long run of invisible characters from the Variation Selectors Supplement range (U+E0100 to U+E01EF). The hidden data lets the attackers evade detection while establishing a sophisticated Command and Control (C2) mechanism to download the final malware payload.
## Technical Details
- Type: Malware Delivery Mechanism / Technique
- Platform: JavaScript/Node.js environment (specifically targeting NPM package consumers)
- Capabilities: Evasion using Unicode steganography, multi-stage C2 communication, persistence mechanism.
- First Seen: Based on the context of the report, it is a recent finding by Veracode.
## MITRE ATT&CK Mapping
- T1560 - Archive Collected Data
  - T1560.001 - Archive via Library
  - *Note: While the primary focus is evasion, the method of hiding data acts as a form of data encoding/staging.*
- T1027 - Obfuscated Files or Information
  - T1027.006 - Steganography
  - *Note: The core technique relies on hiding C2 instructions within invisible Unicode characters.*
- T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (used for C2 communication via HTTP requests to the Google Calendar link)
## Functionality
### Core Capabilities
- **Evading Detection:** Utilizing invisible Unicode characters (Variation Selectors Supplement range) to hide malicious data within otherwise innocent-looking textual data inside the package, specifically following a '|' character.
- **C2 Chain Initiation:** Using a Google Calendar short link as an initial C2 beacon.
- **Payload Retrieval:** Checking HTTP redirects until a 200 OK response is received, then scraping the `_data-base-title_` attribute from the resulting HTML page, which contains a base64-encoded URL pointing to the final payload.
- **Payload Decoding:** Using a custom function (`_ymmogvj_`) to decode the retrieved URL.
### Advanced Features
- **Multi-Stage Payload:** Expecting a base64-encoded Stage-2 malware payload in the response body.
- **Encryption Indication:** The expected receipt of an initialization vector and a secret key in HTTP headers suggests the final payload is likely encrypted.
- **Execution:** The retrieved code is executed using `eval()`.
- **Simple Persistence:** Establishing a simple persistence mechanism in the system's temporary directory that prevents running multiple instances simultaneously.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context, but the malicious packages mentioned are `vue-dummyy` and `vue-bit-all`]
- Registry Keys: [Not specified in context]
- Network Indicators:
  - Initial C2 communication uses a Google Calendar short link (defanged in the report).
  - Subsequent C2 traffic relies on the domain hosting the final payload.
- Behavioral Indicators:
  - Execution of code via `eval()`.
  - Accessing and scraping HTML attributes (`_data-base-title_`) from HTTP responses.
  - Creation of files in the system's temporary directory for persistence.
## Associated Threat Actors
- [Not explicitly named in the context provided, only noted as a "threat actor."]
## Detection Methods
- Signature-based detection: Not effective against the steganography or obfuscation methods used.
- Behavioral detection: Monitoring for executions using `eval()`, unusual file creation in temporary directories, and the specific pattern of following redirected HTTP requests to fetch staged payloads.
- YARA rules: Likely requires rules targeting the specific pattern of Unicode characters used for steganography or the unique function name `_ymmogvj_`.
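As an added example of the behavioral/static check described above (not code from the Veracode report or from the malicious packages), the following Node.js scanner flags runs of invisible Variation Selectors Supplement characters that follow a visible character such as '|'. The run threshold and the sample source are constructed for illustration.

```javascript
// Added example (not code from the Veracode report or the malicious package):
// a defender-side scan that flags runs of invisible Variation Selectors
// Supplement characters (U+E0100..U+E01EF) following a visible character,
// the pattern the summary describes. The run threshold and the sample
// source below are constructed for illustration.

const VS_SUPP_MIN = 0xe0100;
const VS_SUPP_MAX = 0xe01ef;

function isVariationSelectorSupp(cp) {
  return cp >= VS_SUPP_MIN && cp <= VS_SUPP_MAX;
}

// Returns one finding per run of at least minRun invisible selectors:
// the visible character that precedes the run, the run length, and the
// run's offset in code points (not UTF-16 units, since these are astral).
function findHiddenRuns(source, minRun = 8) {
  const findings = [];
  let prev = null;   // last non-selector character seen
  let runStart = -1;
  let runLen = 0;
  let index = 0;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (isVariationSelectorSupp(cp)) {
      if (runLen === 0) runStart = index;
      runLen++;
    } else {
      if (runLen >= minRun) findings.push({ after: prev, length: runLen, at: runStart });
      runLen = 0;
      prev = ch;
    }
    index++;
  }
  if (runLen >= minRun) findings.push({ after: prev, length: runLen, at: runStart });
  return findings;
}

// Constructed sample: a '|' string literal padded with 20 invisible selectors.
const HIDDEN = Array.from({ length: 20 }, (_, i) => String.fromCodePoint(VS_SUPP_MIN + i)).join('');
const SAMPLE_SOURCE = `const sep = "|${HIDDEN}";\nconsole.log("hello");\n`;

for (const f of findHiddenRuns(SAMPLE_SOURCE)) {
  console.log(`run of ${f.length} invisible selectors after ${JSON.stringify(f.after)} at code point ${f.at}`);
}
```

Run it over each file in `node_modules` (or a package tarball extracted for review) and treat any finding as a reason to inspect the package before installation completes.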
## Mitigation Strategies
- Prevention measures: Strict dependency resolution checks; using software composition analysis (SCA) tools configured to detect steganography or highly obfuscated payloads within package source code.
- Hardening recommendations: Reviewing package installation processes; utilizing vetted, internal package registries where possible to limit exposure to public repositories. Code review for packages with unusual dependencies or unexpected behaviors upon installation/execution.
## Related Tools/Techniques
- Other NPM supply-chain attacks (e.g., dependency confusion, typo-squatting).
- General techniques involving Unicode obfuscation and steganography in source code.