TurkoRat Capable of Credential Harvesting, Contains Features Such as Wallet Grabber
Researchers have identified two legitimate-looking malicious npm packages that concealed an open-source info stealer for two months before being detected and removed.
ReversingLabs researchers found the open-source info stealer TurkoRat hiding inside two packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, which were collectively downloaded about 1,200 times over the past two months.
TurkoRat can harvest credentials and website cookies, and it includes a wallet grabber used to steal cryptocurrency wallet data.
While investigating packages on public repositories, ReversingLabs researchers looked for combinations of suspicious behaviors. They saw open-source packages that contained hard-coded IP addresses in their code, executed commands, and wrote data to files. Such activity usually turns out to be malicious, the researchers said.
“It is true: None of those capabilities, individually, are malicious. When seen in combination, however, they’re usually supporting malicious functionality. It was the presence of such suspicious characteristics and behaviors that first caused the npm package nodejs-encrypt-agent to come to our attention,” they said.
The malicious package, nodejs-encrypt-agent, was found masquerading as the legitimate npm module agent-base, which has over 30 million downloads. The threat actors also added a link to the GitHub page of agent-base to make it look more authentic.
The threat actors mimicked an older version of agent-base, 6.0.2, which had been published two months prior to the discovery of the malicious package and had been downloaded over 20 million times.
“High version numbers are popular among malware authors hoping to infiltrate open-source repositories via typosquatting and other supply chain attacks, where hurried developers are often quick to grab the latest edition of a package, as designated by the version number,” the researchers said.
While analyzing nodejs-encrypt-agent, the researchers found that its code and functionality mirrored those of the legitimate agent-base package it imitated.
“There was, however, a small, but very significant difference: the nodejs-encrypt-agent package contained a portable executable file that, when analyzed by ReversingLabs was found to be malicious,” they said.
This PE file is executed when the package is run, triggered by malicious commands hidden in the first few lines of the package's code.
Key malicious behaviors identified include the ability to write to and delete from Windows system directories, execute commands, and tamper with DNS settings, among others.
“The list of malicious or suspicious behaviors observed was long, with features designed to steal sensitive information from infected systems including user login credentials and crypto wallets as well as fool or defeat sandbox environments and debuggers that are used to analyze malicious files,” the researchers said.
TurkoRat can be customized at build time to alter the configuration and capabilities of the finished PE. It can be distributed in various ways, including by hiding it inside a legitimate-looking software package, as was done with nodejs-encrypt-agent.
nodejs-encrypt-agent was not the only package to carry TurkoRat. The researchers also uncovered the npm package nodejs-cookie-proxy-agent, which disguised it “as a dependency, axios-proxy, that was imported into every file found inside nodejs-cookie-proxy-agent versions 1.1.0, 1.2.0, 1.2.1 and 1.2.2.”
The researchers found the malicious code in both nodejs-encrypt-agent and nodejs-cookie-proxy-agent. The latter imitates the legitimate node-cookie-proxy-agent, a package that is not as popular as agent-base but was downloaded continuously throughout last year.
“With the legitimate and malign packages only differing by two letters, this is a clear example of typosquatting, making it very possible that a developer would mistakenly download and use the malicious nodejs-cookie-proxy-agent in place of the legitimate node-cookie-proxy-agent,” the researchers said.