TL, DR
Kooxda Cilmi-baarista Amniga ee Xygeni waxay aqoonsadeen olole casri ah oo npm infostealer ah oo lagu bixiyay laba xirmo oo xaasidnimo ah: consolelofy iyo selfbot-lofy.
Nooca ugu dambeeyay (consolelofy@1.3.0) waxay ku dhejisaa culays lacag-bixineed oo 216KB AES ah oo sir ah kaas oo furfura wakhtiga socodsiinta oo fuliya iyada oo loo marayo vm.runInNewContext()Maadaama caqliga xaasidnimada si buuxda loo qariyay, iskaan-qaadayaasha joogtada ah ee ku tiirsan kormeerka xarigga ma arki karaan dhaqankiisa ilaa waqtiga fulinta.
Marka la furo, culayska la saaray, oo gudaha lagu calaamadeeyay Xatooyo Nyx ah, bartilmaameedyada:
- Calaamadaha xaqiijinta Discord
- 50+ dukaan oo aqoonsi biraawsarka ah
- 90+ kordhin boorsada lacagta digital-ka ah
- Kalfadhiyada Roblox, Instagram, Spotify, Steam, Telegram, iyo TikTok
- Joogteynta macaamiisha desktop-ka ee Discord
Dhammaan 20ka nooc ee labada xirmo ayaa la soo sheegay waxaana la xaqiijiyay inay yihiin kuwo xaasidnimo ah.
Dulmar Farsamo oo ku saabsan NPM Infostealer-kan
Si ka duwan barnaamijyada caadiga ah ee waqtiga rakibidda, ololahani wuxuu ku tiirsan yahay runtime qaabka furfurista.
Waxaa jira:
- Ma jiro wax xaasidnimo ah
preinstallorpostinstallhooks - Wicitaanno shabakadeed oo wakhtiga rakibidda muuqda ma jiraan
- Ma jiraan wax macquul ah oo ku saabsan ururinta aqoonsiga qoraalka fudud
Culaysku wuu shaqeeyaa marka module-ka la soo dejiyo. Jirka xaasidnimada leh oo dhan waa la qariyaa oo kaliya wuxuu ku soo baxaa xusuusta waqtiga socodsiinta.
Naqshadani waxay si gaar ah uga fogaataa ogaanshaha inta lagu jiro rakibidda baakadka.
Sidee npm-kan Infostealer dhab ahaantii u fuliyaa
Kahor inta aan la falanqeyn waxa Nyx Stealer xado, waa inaan fahamnaa sida ay u dhaqan gasho.
Macnaha xaasidnimada leh ee ku jira npm infostealer-kan wuxuu raacaa qaab joogto ah:
Qalab yar oo rar-qaadaha ah ayaa furfura culays weyn oo sir ah wuxuuna si firfircoon ugu fuliyaa gudaha macnaha guud ee VM ee Node.js.
Naqshadani waa mid ula kac ah. Weerarku ma qarinayo shaqada gadaashiisa, waa iyaga. ka saarista koodka xaasidnimada leh aragtida aan joogtada ahayn gebi ahaanba.
Qaabka Fulinta Heerka Sare
Heer sare, duubku wuxuu sameeyaa afar shay:
- Waxay ka soo saartaa furaha AES erayga sirta ah ee adag iyadoo la adeegsanayo SHA-256
- Wuxuu furfuraa qoraal qarsoodi ah oo hex-encoded ah oo weyn isagoo adeegsanaya AES-256-CBC
- Wuxuu fuliyaa JavaScript-ka la furfuray isagoo adeegsanaya
vm.runInNewContext() - Waxay bixisaa sanduuq ciid ah oo wali soo bandhigaya waxyaabaha aasaasiga ah ee waqtiga socodsiinta
Soo Koobidda Farsamada Muhiimka ah
| Qeybta | Qaabeynta / Qiimaha |
|---|---|
| Algorithm | AES-256-CBC |
| Soojeedinta Furaha | SHA-256 (erey sir ah) |
| Vektor Bilaabid (IV) | 16 bayt oo ah 0x00 |
| fulinta | vm.runInNewContext (la furfuray, sanduuq ciid ah) |
Si gaar ah, sanduuqa ciiddu wuxuu dhex maraa:
requireprocessBuffer- saacadle
- dhoofinta moduleka
Taas macnaheedu waa in culayska la furfuray uu awood buuxda u leeyahay:
- Geedi socodka ubaxa
- Akhri oo qor faylasha
- Samee wicitaanada shabakadda
- Wax ka beddel codsiyada maxalliga ah
Kani ma aha VM xaddidan. Waa VM loo isticmaalo trampoline fulineed.
Qaabka Sirta Waqtiga-socodka (Habka Fulinta Aasaasiga ah)
Rarka waa yar yahay.
Jidhka xaasidnimada leh ma aha.
Hoos waxaa ku qoran qaabka fulinta ee laga helay xirmada:
const crypto = require('crypto'); const vm = require('vm'); function decryptAndExecute(encryptedHex, passphrase) { const key = crypto.createHash('sha256') .update(passphrase) .digest(); const iv = Buffer.alloc(16, 0); const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv); let decrypted = decipher.update(encryptedHex, 'hex', 'utf8'); decrypted += decipher.final('utf8'); const sandbox = { require, module, exports, console, process, Buffer, __dirname, __filename, setTimeout, setInterval, clearTimeout, clearInterval }; vm.runInNewContext(decrypted, sandbox); } Waa maxay Sababta Tani?
Culayska la furfuray:
- miyuu ma waxaa ku jira qoraal cad gudaha xirmada npm
- Lama arki karo si fudud
grepama sawir-qaadista xarigga aan joogtada ahayn - Kaliya waxay ku soo baxdaa xusuusta waqtiga hawlgalka
- Waxay ku shaqeysaa awoodo buuxa oo waqtiga socodsiinta Node ah
Isku-darka fulinta AES + VM waa tilmaame dhaqan oo xooggan oo ah npm infostealer oo isku dayaya inuu ka baxsado kormeerka joogtada ah.
Si kale haddii loo dhigo:
Haddii aad sawirto geedka isha baakadka, ma arkaysid qof wax xadaya.
Waxaad arkaysaa qalab furfuran.
Maxaa Dhaca Ka Dib Furitaanka Qoraalka
Marka la fuliyo, Nyx Stealer wuxuu bilaabaa mowjado ururin xog oo is barbar socda.
Mowjadda 1: Soo saarista Aqoonsiga Biraawsarka
Barnaamijka malware-ka:
- Soo dejiso Python runtime oo ka socota NuGet CDN
- Ku rakib maktabadaha sirta ah
- Soo saar bakhaarada aqoonsiga ee ku salaysan Chromium
- Waxay furfurtaa sirta ay ilaaliso DPAPI
Halkii ay ka soo ururin lahayd isku xidhka asalka ah, waxay ka faa'iidaysanaysaa PowerShell si ay si toos ah ugu wacdo Windows DPAPI.
function dpapiUnprotectWithPowerShell(dataBuf) { const b64 = dataBuf.toString('base64'); const ps = "Add-Type -AssemblyName System.Security;" + "$b=[Convert]::FromBase64String('" + b64 + "');" + "$p=[System.Security.Cryptography.ProtectedData]::Unprotect(" + "$b,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser);" + "[Console]::Out.Write([Convert]::ToBase64String($p))"; const cmd = `powershell -NoProfile -ExecutionPolicy Bypass -Command "${ps}"`; return Buffer.from(execSync(cmd, { encoding: 'utf8' }).trim(), 'base64'); } Habkan:
- Waxay ka fogaataa walxaha isku-darka ah
- Waxay isticmaashaa API-yada crypto ee Windows-ka ee asalka ah
- Waxay isku daraysaa qalabka maamulka
Waa hab-furidda aqoonsiga heerka OS-ga, ee maaha xoqid.
Mowjadda 2: Fasiridda Calaamadda Discord
Tuuggu waa qof og borotokoolka. Waxay fahsan tahay qaabka calaamadda qarsoon ee Discord.
function decryptToken(encryptedToken, key) { const tokenParts = encryptedToken.split('dQw4w9WgXcQ:'); const encryptedData = Buffer.from(tokenParts[1], 'base64'); const iv = encryptedData.slice(3, 15); const ciphertext = encryptedData.slice(15, -16); const tag = encryptedData.slice(-16); const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv); decipher.setAuthTag(tag); return decipher.update(ciphertext).toString('utf8'); } Socodka hawlgalka:
- Ka soo saar furaha master-ka Discord's
Local State - Furaha furaha ee furaha iyada oo loo marayo DPAPI
- Fur furaha calaamadaha AES-GCM
- Ansaxi calaamadaha Discord API
- Ku kobci Nitro, calaamado, iyo macluumaadka biilasha
Kani maaha daadinta aqoonsiga guud. Waa afduubka kalfadhiga oo la socda hab-maamuuska.
Mowjadda 3aad: Bartilmaameedka Jeebka Lacagta Dijitaalka ah
NPM infostealer wuxuu tiriyaa:
- 90+ kordhin boorsada biraawsarka
- 27 boorsooyinka desktop-ka
- Waddooyinka jeebka qabow
- Faylasha abuurkii Baxniintii
Tusaale ahaan isku dayga furfurista abuurka:
function decryptSeco(content, password) { const key = crypto.pbkdf2Sync(password, 'exodus', 10000, 32, 'sha512'); const decipher = crypto.createDecipheriv( 'aes-256-gcm', key, content.slice(0, 12) ); decipher.setAuthTag(content.slice(-16)); return Buffer.concat([ decipher.update(content.slice(12, -16)), decipher.final() ]).toString('utf8'); } Haddii ay guulaysato, tanaasulka boorsada jeebka waa mid degdeg ah oo aan dib loo celin karin.
Tani waxay ka dhigan tahay habka lacag-bixinta ugu qiimaha badan ololaha.
Adkeysi iyada oo loo marayo duritaanka Discord Desktop
Ka dib markii uu soo urursaday aqoonsiyada, Nyx Stealer wuxuu isku dayaa inuu ku adkeysto isagoo wax ka beddelaya nidaamka deegaanka. khilaaf macmiil.
Bartilmaameed:
%LOCALAPPDATA%\Discord*\app-*\modules\discord_desktop_core\index.js Taxanaha Hawlgalka
Infostealer-ku wuxuu qabtaa tallaabooyinka soo socda:
- Waxay joojineysaa socodsiinta howlaha Discord
- Waxay heshaa noocyada Discord ee la rakibay (Xasillooni, Canary, PTB)
- Ku dul-qoraa
discord_desktop_core/index.js - Wuxuu duraa macquulka webhook ee uu weeraryahanku xakameeyo
- Dib u bilaabaa Discord
Tani waxay hubineysaa in kalfadhiyada Discord ee mustaqbalka ay si toos ah u daadiyaan calaamado xaqiijin cusub.
Muhiimad ahaan, joogtayntani kuma tiirsana hawlaha la qorsheeyay ama wax ka beddelka diiwaanka. Waxay ka faa'iidaysataa wax ka beddelka koodhka heerka codsiga, oo ah hab qarsoodi ah.
Xitaa haddii xirmada npm ee xaasidnimada leh laga saaro dambe, macmiilka Discord wuxuu weli ku jiraa xaalad halis ah.
Isbarbardhigga Farsamada: Selfbot-ka Sharci ah iyo npm Infostealer
| Qeybta | Maktabadda Sharciga ah | Nyx npm Infostealer |
|---|---|---|
| encryption | None | Culeyska buuxa ee AES-encrypted |
| Waqtiga Runtime VM | ma loo baahan yahay | vm.runInNewContext fulinta |
| Helitaanka Aqoonsiga | Discord API oo keliya | Biraawsarka, boorsooyinka, DPAPI |
| Soo dejinta Dibadda | Maya | Waqtiga Python ee loo maro NuGet |
| adkaysiga | Maya | Cirbadaha macmiilka Discord |
| lacagaynta | Otomaatigeynta Bot | Dib-u-iibinta aqoonsiga |
Lakabka sirta ah oo keliya ayaa durba ololahan ka soocaya fargeeto il furan oo caadi ah.
Bot-ka Discord ee sharciga ah ma laha sabab uu ku qariyo dhammaan koodhka, u abuuro PowerShell si uu u galo DPAPI, u soo dejiyo waqtiyada socodsiinta dibadda, ama wax uga beddelo gudaha barnaamijyada desktop-ka. Marka awoodahaasi ay ka muuqdaan ku-tiirsanaan sheeganaysa inay otomaatig u tahay isdhexgalka Discord, is-waafajinta qaab-dhismeedka waxay noqotaa mid aan macquul ahayn in la iska indho tiro.
Marka laga eego dhinaca baaritaanka, npm infostealer-kan wuxuu ka tagaa raadad lakabyo badan. Si kastaba ha ahaatee, tilmaamayaasha ugu kalsoonida badan maaha URL-yada adag ama dariiqyada faylalka gaarka ah, maadaama ay isku beddeli karaan noocyada dhexdooda. Taa beddelkeeda, calaamadaha waara waa qaab-dhismeed.
Heerka xirmada, calanka cas ee ugu xooggan waa isku-darka culays weyn oo sir ah iyo duubis furfuran oo runtime ah oo isla markiiba fuliya iyada oo loo marayo vm.runInNewContext()In kasta oo sirta oo keliya aysan ahayn mid sir ah, isticmaalka furfurista AES oo ay ku xigto fulinta firfircoon ee VM gudaha xirmada utility Discord waa mid aad u aan caadi ahayn.
Heerka martida loo yahay, qaababka shakiga leh waxaa ka mid ah dhaqdhaqaaqa furfurista DPAPI ee aan la filayn, habka ka soo baxaya macnaha ku tiirsanaanta Node.js, iyo wax ka beddelka faylasha codsiyada maxalliga ah ee aan waligood beddelin maktabadaha dhinac saddexaad. Sidoo kale, lakabka shabakadda, isgaarsiinta qaabka webhook ee dibadda ka baxda oo ay bilowdo ku tiirsanaanta horumarinta waxay u taagan tahay wax aan caadi ahayn oo macno leh.
Si kale haddii loo dhigo, dusha sare ee ogaanshaha ma aha hal tilmaame oo tanaasul ah. Waa isku xidhka sirta, fulinta waqtiga socodsiinta, helitaanka aqoonsiga, iyo dhaqanka adkeysiga ee muujinaya khatarta.
Ogaanshaha iyo Yaraynta Xygeni
Macluumaadka npm-kan waxaa aqoonsaday by Digniinta Hore ee Malware-ka Xygeni (MEW) iyada oo loo marayo isku xidhka dhaqanka ee lakabaysan halkii laga dhigi lahaa isku xidhka saxeexa fudud.
Halkii laga raadin lahaa xargo xaasidnimo ah oo la yaqaan, MEW waxay qiimeysaa cilladaha qaab-dhismeedka ee geedka isha oo dhan. Xaaladdan, ogaanshaha ayaa ka soo baxay isku-darka dhowr calaamadood: nidaam furfuris AES ah oo ku dhex jira barta gelitaanka moduleka, fulinta degdega ah gudaha macnaha VM, iyo isku-dheelitirnaan cad oo awood-u-dhigid ah.
Muhiimad ahaan, mid ka mid ah calaamadahan oo keliya ma muujiyaan ujeedo xaasidnimo ah. Si kastaba ha ahaatee, marka si wada jir ah loo falanqeeyo, waxay soo bandhigaan isku day lagu qarinayo dhaqanka waqtiga socodka. Habkan lakabaysan wuxuu si weyn u yareeyaa waxyaabaha beenta ah iyadoo la aqoonsanayo khataraha silsiladda sahayda ee kalsoonida sare leh.
Intaa waxaa dheer, kiiskan wuxuu muujinayaa sababta kormeerka waqtiga rakibidda oo keliya uusan ugu filnayn. Macquulka xaasidnimada ah kuma jiro qoraallada wareegga nolosha. Waxay shaqeysaa oo keliya ka dib marka moduleku raro oo keliya wuxuuna muuqdaa marka la furo xusuusta. Sidaa darteed, difaac wax ku ool ah wuxuu u baahan yahay falanqayn ku saabsan sirta, aqoonsashada qaabka dhaqanka, iyo la socodka ku tiirsanaanta joogtada ah ee ka baxsan dhacdooyinka rakibidda.
Ka saarista diiwaanka waa mid falcelin leh. Falanqaynta wakhtiga ku-meel-gaadhka ah waa mid ka hortag ah.
Sababta NPM-kan Infostealer muhiim u yahay
Nyx Stealer waxay matalaysaa horumar qaab-dhismeed oo ku saabsan barnaamijyada malware-ka ee ku salaysan npm.
Taariikh ahaan, xirmooyin badan oo xaasidnimo ah ayaa ku tiirsanaa qoraallo muuqda oo waqtiga rakibidda ah ama meelaha kama dambaysta ah ee nadiifinta shahaadada. Taas bedelkeeda, ololahan wuxuu qariyaa culayskiisa, wuxuu dib u dhigaa fulinta waqtiga socodsiinta, wuxuu ka faa'iidaystaa API-yada nidaamka hawlgalka ee sharciga ah, wuxuuna dejiyaa adkeysi gudaha codsiyada la aamini karo.
Sidaas darteed, qofka weerarka geysta uma baahna inuu ka faa'iidaysto kaabayaasha npm laftiisa. Taa beddelkeeda, weerarku wuu guuleystaa sababtoo ah rakibidda ku-tiirsanaanta waxay tilmaamaysaa kalsooni. Horumariyayaashu waxay u maleynayaan in soo dejinta maktabaddu ay tahay hawlgal ammaan ah, gaar ahaan marka ay isu soo bandhigto sidii qalab macquul ah oo caan ah.
Maadaama nidaamyada deegaanku ay sii kordhayaan oo ay sii kordhayaan, xadka kalsoonida ee qarsoon wuxuu noqonayaa dusha sare ee soo jiidashada leh. Sidaa darteed, difaaca ka dhanka ah macluumaadka casriga ah ee npm waxay u baahan tahay aqoonsashada qaababka dhismaha halkii laga raadin lahaa xarigyo aan joogto ahayn.
Ugu dambeyntii, ololahan wuxuu xoojinayaa cashar muhiim ah oo ku saabsan software supply chain security: khataraha ugu khatarta badan maaha kuwa marka hore u muuqda kuwo xaasidnimo leh, laakiin kuwa u muuqda kuwo qaab-dhismeed ahaan sharci ah ilaa waqtiga run-ka ah uu muujiyo dhaqankooda dhabta ah.




