Full Report
Cybersecurity researchers have discovered a software supply chain attack that has remained active for over a year on the npm package registry by starting off as an innocuous library and later adding malicious code to steal sensitive data and mine cryptocurrency on infected systems. The package, named @0xengine/xmlrpc, was originally published on October 2, 2023 as a JavaScript-based XML-RPC
Analysis Summary
# Tool/Technique: @0xengine/xmlrpc (Malicious NPM Package)
## Overview
A JavaScript-based XML-RPC server and client for Node.js that was compromised/abused to conduct a year-long sophisticated software supply chain attack involving data theft and cryptocurrency mining on infected systems.
## Technical Details
- Type: Malware Family (Malicious NPM Package)
- Platform: Node.js; Linux/Unix hosts are the implied target, since persistence relies on `systemd`
- Capabilities: Data exfiltration (SSH keys, bash history, metadata), Cryptocurrency mining (XMRig deployment), Persistence mechanism setup, Anti-analysis/Anti-mining features.
- First Seen: October 2, 2023 (Initial benign publication) / October 3, 2023 (Version 1.3.4 introduced malicious code)
## MITRE ATT&CK Mapping
The observed behaviors map to several ATT&CK techniques:
- **TA0009 - Collection**
  - T1005 - Data from Local System
  - T1083 - File and Directory Discovery
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (using Dropbox/file.io)
- **TA0003 - Persistence**
  - T1543.003 - Create or Modify System Process: Systemd Service
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S used for exfiltration)
- **TA0004 - Privilege Escalation** (implied by running systemd services)
## Functionality
### Core Capabilities
- **Data Harvesting:** Collects sensitive system information every 12 hours, including SSH keys, bash history, system metadata, and environment variables.
- **Exfiltration:** Sends harvested data to remote services such as Dropbox and file.io.
- **Cryptocurrency Mining:** Deploys the XMRig cryptocurrency miner to generate profit for the attacker upon infection.
### Advanced Features
- **Persistence:** Establishes persistence on the host system using `systemd`.
- **Anti-Mining/Anti-Analysis:** Monitors running processes for common system/monitoring tools (`top`, `iostat`, `sar`, `glances`, `dstat`, `nmon`, `vmstat`, `ps`) and terminates any mining-related processes if detected, attempting to hide its activity.
- **Activity Detection:** Suspends mining operations if user activity is detected.
## Indicators of Compromise
- File Hashes: [Not available in context]
- File Names: [Not available in context, but operates via package installation mechanism]
- Registry Keys: [Not applicable: Linux persistence is via systemd, not the Windows registry]
- Network Indicators: Exfiltration uses **Dropbox** and **file.io** (defanged: `dropbox[.]com`, `file[.]io`).
- Behavioral Indicators: Creation of systemd service files for persistence; periodic network connections to exfiltration endpoints; execution of XMRig process; termination of monitoring processes.
## Associated Threat Actors
- Not explicitly named, but attributed to a long-running software supply chain attack discovered by Checkmarx.
## Detection Methods
- Signature-based detection: Signatures matching the unique payload injected into version 1.3.4+.
- Behavioral detection: Monitoring for periodic execution of scripts that query system/environment variables and send data to external cloud storage/file-sharing services. Detection of XMRig process execution unrelated to legitimate user activity.
- YARA rules: Rules targeting specific strings or code structures within the malicious JS payload.
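As an added example (not code from the report or from Checkmarx), a small Python audit that scans a `package-lock.json` for `@0xengine/xmlrpc` at version 1.3.4 or later, the cut-off the report gives for the malicious payload, and reports transitive installs with their full path (the `yawpp` case). The lockfile contents, the `yawpp` version number and the helper names are constructed assumptions.

```python
import json

# Package name and the 1.3.4 cut-off come from the report above; the lockfile
# contents and helper names below are constructed for illustration.
TARGET = "@0xengine/xmlrpc"
FIRST_MALICIOUS = (1, 3, 4)  # version that introduced the payload; later ones count too

def parse_version(version):
    """Turn '1.3.4' or '1.3.4-beta.1' into a tuple of ints for comparison."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))

def find_compromised(lock_text):
    """Return [(install path, version)] for every TARGET entry at or above 1.3.4.

    Handles lockfileVersion 2/3 (flat 'packages' map keyed by install path) and
    lockfileVersion 1 (nested 'dependencies'), so a transitive install pulled in
    by another package (the yawpp case) is reported with its full path.
    """
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:  # lockfile v2/v3
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/" + TARGET) and "version" in meta:
                if parse_version(meta["version"]) >= FIRST_MALICIOUS:
                    hits.append((path, meta["version"]))
        return hits

    def walk(deps, prefix):  # lockfile v1: recurse through nested dependencies
        for name, meta in deps.items():
            path = prefix + "node_modules/" + name
            if name == TARGET and parse_version(meta["version"]) >= FIRST_MALICIOUS:
                hits.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits

# Constructed lockfiles: only the package name and the 1.3.4 cut-off are real;
# yawpp's version number and the 1.3.0 entry are made up.
SAMPLE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/yawpp": {"version": "0.0.1", "dependencies": {TARGET: "^1.3.0"}},
    "node_modules/yawpp/node_modules/@0xengine/xmlrpc": {"version": "1.3.4"},
    "node_modules/@0xengine/xmlrpc": {"version": "1.3.0"},
}})
SAMPLE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "yawpp": {"version": "0.0.1", "dependencies": {TARGET: {"version": "1.4.0"}}},
}})
```

Run `find_compromised` over each project's lockfile in CI; a non-empty result means the affected package is pinned somewhere in the tree and should be removed before install.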
## Mitigation Strategies
- **Dependency Vetting:** Thoroughly vet all third-party packages, even those with a long history, before inclusion in production environments.
- **Least Privilege:** Run Node.js processes with the least necessary permissions to limit the impact of potential data theft or persistence attempts.
- **Network Monitoring:** Monitor outbound network traffic for connections to known file-sharing services (like Dropbox or file.io) from unexpected application processes.
- **Process Monitoring:** Implement controls to detect the execution of cryptocurrency miners (like XMRig) and unexpected modifications to system service managers (`systemd`).
## Related Tools/Techniques
- **Yawpp:** A GitHub project (`yawpp`) that unknowingly served as a distribution vector by listing `@0xengine/xmlrpc` as a dependency.
- **XMRig:** The cryptocurrency miner deployed by the package.
- **MUT-8694 Campaign:** Related supply chain campaign targeting Windows users via counterfeit npm and PyPI packages that deployed stealer malware (Blank-Grabber and Skuld Stealer).
- **Blank-Grabber / Skuld Stealer:** Stealer malware mentioned in connection with the separate MUT-8694 campaign.