A new type of cyberattack has been discovered that uses ordinary images to hide a dangerous virus. Experts at Veracode Threat Research found a malicious package on NPM, which is a massive website used by millions of software developers to share tools. The package was designed to look like a normal piece of software, but its real goal was to take over a person’s computer.
The package was named buildrunner-dev. This is where the trick lies, as the hackers used a typosquatting technique where they gave it a name that is almost the same as a real, safe tool called buildrunner, hoping someone would make a spelling mistake and download it by accident. This shows that the attack starts the moment the software is installed.
A Very Messy Distraction
Once the package is on a computer, it runs a script that downloads a file called packageloader.bat. For your information, this file is huge and very confusing. It has over 1,600 lines of text, but most of it is just “noise” to hide the virus from security scanners, Veracode researchers explained in the blog post shared exclusively with Hackread.com.
According to researchers, the file is full of random words like “raven,” “glacier,” and “monsoon” that don’t actually do anything. Out of the whole file, only about 21 lines are real commands. Further probing revealed that the malware is also quite smart; it checks to see if you have antivirus programs like ESET, Malwarebytes, or F-Secure.
If it finds them, it uses different tricks to sneak past them without setting off any alarms. It first copies itself to a hidden folder as protect.bat so it can stay on the computer. It then checks if it has “Admin” rights. If it doesn’t, it uses a Windows tool called fodhelper.exe to bypass security warnings, so the user never sees a pop-up asking for permission.
Hiding Inside an Image
The most interesting part of this attack is how it hides the actual virus inside an image. This is called steganography. The malware downloads a PNG image from a free hosting site, which, to a normal person, just looks like fuzzy, grainy “noise.” However, the malware is programmed to read the tiny bits of colour data, known as RGB pixel values, to find hidden code.
Also, researchers found that the malware uses a trick called process hollowing, where it replaces the “insides” of a safe program with malicious code to look like a normal process. It then installs a final malware called Pulsar RAT.
Pulsar is a Remote Access Trojan that gives hackers full control of the computer. The hackers used strange names like CheaperMyanmarCaribbean.exe to keep the virus hidden in the computer’s memory. While this was found in a tool for tech experts on NPM, it shows that even a simple image file can be used to hide a major threat.
