Persistent attack targeting security experts combines crypto mining with the theft of 390,000 credentials

Researchers have warned of a multi-pronged attack targeting security professionals that combines trojanized open source code with cryptocurrency mining, a campaign that has also resulted in the theft of 390,000 WordPress access credentials.

The threat actor, tracked as MUT-1244, uses several attack vectors that all deliver the same payload: a phishing campaign aimed at thousands of professionals in the security sector and other technical fields, and trojanized open source repositories hosted on GitHub.

The first attack vector is the direct installation of the ‘@0xengine/xmlrpc’ package from npm; the second, more elaborate one is a repository called ‘yawpp’, promoted as a WordPress credentials checker, which pulls the same malicious package in as a dependency.

The package first appeared on npm in October 2023. A year later, the cybersecurity firm Checkmarx warned of a campaign aimed at researchers and cybersecurity professionals built around this malicious npm (Node Package Manager) package, which posed as an XML-RPC client and server implementation for the Node.js runtime.

What stands out about this package is its strategic evolution from legitimate to malicious code. Its initial version (1.3.2) and the one that followed appeared to be legitimate implementations of XML-RPC functionality. Starting with version 1.3.4, however, the package underwent a significant transformation with the introduction of obfuscated malicious code in the ‘validator.js’ file.

Since then, over the course of a year, the package has received 16 updates, according to Checkmarx; the latest version (1.3.18) was published on October 4 of this year. This steady stream of updates, through which the package frequently received new commands and settings, allowed it to remain active on npm with a legitimate appearance while hiding its malicious purpose.
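The pattern described above, a routine version bump that quietly changes one previously clean file, is exactly what a dependency review should catch. The following added example (not code from the report or from the package it describes) diffs two constructed snapshots of a package and runs simple obfuscation heuristics over only the files that changed between them; the file contents, the package name ‘xmlrpc-demo’, the sample encoded strings and the indicator thresholds are all illustrative assumptions.

```python
"""Heuristic scan of a dependency's changed files for signs of injected, obfuscated code.

Added example, not code from the report or from the package it describes.
"""
import math
import re

# Constructed snapshots of a package's files (path -> source text), standing in for
# two published versions. The contents are illustrative, not the real package's code.
VERSION_OLD = {
    "package.json": '{"name": "xmlrpc-demo", "version": "1.3.3"}',
    "lib/xmlrpc.js": (
        "const http = require('http');\n"
        "function call(url, method, params, cb) {\n"
        "  const body = serialize(method, params);\n"
        "  http.request(url, {method: 'POST'}, cb).end(body);\n"
        "}\n"
        "module.exports = { call };\n"
    ),
    "lib/validator.js": (
        "function isValidMethodName(name) {\n"
        "  return /^[A-Za-z_][A-Za-z0-9_.:\\/]*$/.test(name);\n"
        "}\n"
        "module.exports = { isValidMethodName };\n"
    ),
}

# The "next release": only the version number and validator.js change, and the new
# validator.js appends a hex-packed string table plus a base64-fed eval() to the clean code.
VERSION_NEW = dict(VERSION_OLD)
VERSION_NEW["package.json"] = '{"name": "xmlrpc-demo", "version": "1.3.4"}'
VERSION_NEW["lib/validator.js"] = VERSION_OLD["lib/validator.js"] + (
    "var _0x4f2a = ['\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73'];\n"
    "eval(Buffer.from('dmFyIGNwID0gcmVxdWlyZShfMHg0ZjJhWzBdKTs=', 'base64').toString());\n"
)

# Sinks and encodings that rarely belong in an XML-RPC client but are typical of loaders.
SINK_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
    "child_process": re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"),
    "base64_decode": re.compile(r"Buffer\.from\s*\([^)]*['\"]base64['\"]|\batob\s*\("),
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\("),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),  # eight or more \xNN in a row
}

# Single- or double-quoted JS string literals, honouring backslash escapes.
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")


def shannon_entropy(text):
    """Bits per character; random-looking base64/hex blobs sit well above ordinary source."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(src):
    """Return the list of indicator names triggered by one file's source text."""
    indicators = [name for name, pat in SINK_PATTERNS.items() if pat.search(src)]
    for m in STRING_LITERAL.finditer(src):
        literal = m.group(0)[1:-1]
        if len(literal) >= 40 and shannon_entropy(literal) > 4.5:  # illustrative threshold
            indicators.append("high_entropy_literal")
            break
    if any(len(line) > 500 for line in src.splitlines()):
        indicators.append("very_long_line")  # packed or minified code where none was before
    return indicators


def diff_versions(old, new):
    """Scan only files that are new or changed between two versions.

    Returns {path: [indicators]} for changed files that triggered at least one indicator;
    an unchanged file is never re-scanned, so a clean minor bump yields an empty dict.
    """
    findings = {}
    for path, src in new.items():
        if old.get(path) == src:
            continue
        hits = scan_source(src)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in diff_versions(VERSION_OLD, VERSION_NEW).items():
        print(f"{path}: {', '.join(hits)}")
```

Restricting the scan to changed files keeps the noise low on large upgrades; the same `diff_versions` can be fed the file maps of two extracted npm tarballs. Note that the hex-escape indicator is what exposes the packed module name here: a plain search for the string `child_process` finds nothing in the new file.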

Complementary research published by Datadog Security Labs indicates that the malicious GitHub repositories also gained legitimacy from their names, such as ‘cve-2019-1148’ or ‘executable-pdf’, which suggest proof-of-concept exploit code.

These repositories were automatically picked up by legitimate sources such as Feedly Threat Intelligence and Vulnmon as proof-of-concept repositories for known vulnerabilities, which increased their credibility and the likelihood that a developer or researcher would run them.

Once installed, the malware collects system information (SSH keys and configuration, command histories, network details and the public IP address, among other data) and, after this initial collection phase, deploys its cryptocurrency mining component on Linux systems.

Deployment involves downloading additional payloads from a Codeberg repository; these pose as system authentication components, such as ‘Xsession.auth’, and are configured to start automatically. The mining operation then uses the XMRig miner to mine the Monero cryptocurrency and sends the proceeds to a wallet controlled by the attacker.

Alongside the miner, the payload installs ‘xprintidle’, which is used to monitor user activity, and ‘Xsession.sh’, a script that controls and manages the mining operation.
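For the host side, the components named above are concrete enough to hunt for. The added example below (not from the report) parses a constructed `ps -eo pid,user,comm,args` listing and an XDG autostart entry, flagging the reported component names and XMRig-style command-line arguments; the file paths, the pool hostname and the use of a .desktop autostart file are assumptions, since the write-up does not say how autostart was configured.

```python
"""Flag running processes and autostart entries matching the components the report names.

Added example (not from the report); all sample data below is constructed.
"""
import re

# Component names taken from the write-up (Xsession.auth, Xsession.sh, xprintidle) plus
# the miner it identifies (XMRig). Compared case-insensitively against basenames.
REPORTED_COMPONENTS = {"xsession.auth", "xsession.sh", "xprintidle", "xmrig"}

# Command-line shapes typical of XMRig-style miners, whatever the binary is renamed to.
MINER_ARG_PATTERNS = {
    "stratum_pool_url": re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    "donate_level_flag": re.compile(r"--donate-level\b"),
    "pool_host_port": re.compile(r"(?:^|\s)(?:-o|--url)\s+\S+:\d+"),
}

# Constructed `ps -eo pid,user,comm,args` output; the paths and pool host are invented.
SAMPLE_PS = """\
  PID USER     COMMAND         COMMAND
    1 root     systemd         /sbin/init
  842 alice    bash            -bash
 1203 alice    Xsession.auth   /home/alice/.local/Xsession.auth
 1210 alice    xprintidle      xprintidle
 1218 alice    sh              /bin/sh /home/alice/.local/Xsession.sh
 1225 alice    xmrig           ./xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level 0
 1301 alice    firefox         /usr/lib/firefox/firefox
"""

# Constructed XDG autostart entry. The report only says the payload was configured to
# start automatically; a .desktop file is one common Linux mechanism, assumed here.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=X Session Auth
Exec=/home/alice/.local/Xsession.auth
Hidden=false
"""


def basenames(command_line):
    """Lower-cased final path component of every token, e.g. '/bin/sh x/Xsession.sh'."""
    return {tok.rsplit("/", 1)[-1].lower() for tok in command_line.split()}


def parse_ps(text):
    """Parse pid/user/comm/args rows; the header line is skipped, args may be empty."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        rows.append({"pid": int(parts[0]), "user": parts[1], "comm": parts[2],
                     "args": parts[3] if len(parts) == 4 else ""})
    return rows


def flag_processes(rows):
    """Return the rows that match a reported component name or a miner-style argument.

    Names are checked both in comm and in every argv token, so an interpreter invocation
    such as '/bin/sh .../Xsession.sh' is caught even though comm is just 'sh'.
    """
    hits = []
    for row in rows:
        reasons = []
        matched = sorted(({row["comm"].lower()} | basenames(row["args"])) & REPORTED_COMPONENTS)
        if matched:
            reasons.append("reported component name: " + ", ".join(matched))
        for name, pat in MINER_ARG_PATTERNS.items():
            if pat.search(row["args"]):
                reasons.append(name)
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits


def flag_autostart(desktop_text):
    """Return reported component names launched by a .desktop entry's Exec= line."""
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            return sorted(basenames(line[len("Exec="):]) & REPORTED_COMPONENTS)
    return []


if __name__ == "__main__":
    for hit in flag_processes(parse_ps(SAMPLE_PS)):
        print(f"pid {hit['pid']} ({hit['user']}): {'; '.join(hit['reasons'])}")
    print("autostart:", flag_autostart(SAMPLE_DESKTOP))
```

Matching on argv basenames as well as on the process name matters because two of the reported components are a shell script and a binary that can be launched through an interpreter; the miner-argument patterns are the fallback for the day the binary is renamed to something that no longer reads ‘xmrig’.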

CONTINUOUS EVALUATION

Checkmarx notes that this campaign, through which MUT-1244 obtained more than 390,000 credentials believed to belong to WordPress accounts, serves as “a harsh reminder” of the importance of closely examining open source projects before incorporating them into any software development process.

As this case shows, a package can be malicious from the start and maintain a long-term presence while hiding its true nature, or it can be compromised some time after it has been adopted and introduce malicious code through updates.

This double threat means developers and organizations must remain vigilant beyond the initial evaluation of a dependency, implement robust security controls and perform periodic audits to mitigate the risk. In practice that means pinning dependencies to exact versions, reviewing what actually changes between versions before upgrading, and treating a release that suddenly adds obfuscated code to a previously clean file, as happened here with ‘validator.js’, as a red flag rather than a routine update.

By Editor
