ReversingLabs has published an advisory to share details of a malicious package discovered in the PyPI (Python Package Index) while performing a routine inspection of open-source repositories.
Researchers Lucija Valentic and Karlo Zanki noted that the malicious package, dubbed Aabquerys, was discovered in the open-source JavaScript NPM repository and can download second and third-stage malware payloads onto infected systems.
Typosquatting – A Growing Threat
Aabquerys use the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery. The malicious package contained two files, one of which was obfuscated through a JavaScript obfuscator.
Since you are here, remember “it’s Google.com, not ɢoogle.com.”
“In the case of aabquerys, the obfuscated code in question was easily de-obfuscated. That revealed a file with clearly malicious behaviour,” the advisory/blog post read.
Valentic and Zanki assert that it is a critical issue since open-source codes are viewable by everyone, so it is essential to investigate the attempt to disguise or hide such functionality on an open-source module.
Aabquerys Package Analysis
Aabquerys could download second and third-stage malware payloads onto infected devices from a remote server. It also contains an Avast proxy binary (wscproxy.exe) vulnerable to DLL sideloading attacks.
The third stage payload is identified as Demon.bin, which boasts conventional RAT functionalities generated using a post-exploitation, open-source C2 framework called Havoc, authored by C5pider.
A concerning issue is that the author of Aabquerys has published various versions of Aabquerys, namely aabquery and nvm jquery, which could be earlier versions of Aabquerys.
After its discovery, the Aabquerys package was promptly removed from the NPM repository. Nevertheless, the findings highlight the growing threat of malicious packages hidden in open-source repositories like PyPI, GitHub, and NPM that can have lasting adverse consequences for the software supply chain.
RELATED NEWS
- Typosquatting: 700 libraries in Ruby repository trojanized
- Typosquatting: Malicious packages swap out crypto addresses
- Typosquatting: Official Python repositories plagued with malware