Detection Evasion Tactics Employed by Malicious NPM Package Through Unicode Steganography
 repository employs invisible Unicode characters to obscure harmful code, utilizing Google Calendar links to facilitate access to its command-and-control (C2) server.</p>
<p>The package, titled <em>os-info-checker-es6</em>, masquerades as an informational utility and has garnered over 1,000 downloads since the start of May.</p>
<p>Security analysts from Veracode, an industry leader in code security assessments, discovered the initial version of the package was uploaded to the NPM index on March 19. This original iteration was non-malicious, merely collecting operational data from the system it was installed on.</p>
<p>Subsequent updates introduced platform-specific binaries and added obfuscation to installation scripts. The most recent iteration, published on May 7, revealed a “sophisticated C2 mechanism” capable of delivering the final malicious payload.</p>
<p>At the time of this analysis, version 1.0.8 of ‘<a href=)
vue-bit, which are presented as accessibility and developer platform engineering tools.
The promotional tactics employed by the threat actor for these packages remain ambiguous.
Unicode Steganography Explained
Within the malicious version, the perpetrator concealed data within a seemingly innocuous ‘|’ string, which is succeeded by a protracted sequence of invisible Unicode characters sourced from the Variation Selectors Supplement range (U+E0100 to U+E01EF).
These Unicode characters, typically modifiers employed to furnish specific glyph variations in complex scripts, were exploitatively utilized for text-based steganography, adeptly concealing information within other data.
Upon decoding and deobfuscating the string, Veracode unearthed a payload entailing a complex C2 mechanism reliant on a Google Calendar short link directing towards the ultimate payload.
Researchers elucidated that following the retrieval of the Google Calendar link, a series of redirects are assessed until an HTTP 200 OK response is obtained. Subsequently, a data-base-title attribute is extracted from the event’s HTML page, containing a base64-encoded URL that leads to the final payload.
The URL is processed via a function termed ymmogvj, enabling the extraction of the malicious payload. Notably, the response body is anticipated to encapsulate a base-encoded stage-2 malware payload, likely accompanied by an initialization vector and a secret key within the HTTP headers, indicating potential encryption of the final payload.
Additionally, Veracode’s findings indicate that the execution of the payload utilizes the eval(). method. The script implements a simplistic persistence mechanism within the system’s temporary directory, ensuring that multiple instances of the malware do not operate concurrently.
As of the time of analysis, researchers were unable to retrieve the final payload, suggesting that the threat campaign might be suspended or in preliminary stages.
Despite Veracode’s notification of these findings to NPM, the questionable packages remain available on the platform.
Cybersecurity researchers have identified a significant vulnerability in the Open VSX Registry (open-vsx.org), which, if successfully exploited, could allow attackers…
Cisco has issued a security advisory regarding two critical, unauthenticated remote code execution (RCE) vulnerabilities affecting the Cisco Identity Services…
A former student has been charged in connection with multiple cyber attacks on a university in Sydney, impacting hundreds of…
The Anubis ransomware group has reported a significant data breach involving 64GB of sensitive information from Disneyland Paris. This breach…
Oxford City Council has disclosed a cybersecurity incident that resulted in the exposure of personal data of current and former…
The Taiwanese cryptocurrency exchange BitoPro has reported that the North Korean hacking group Lazarus is responsible for a cyberattack that…
OpenAI is set to release an update for ChatGPT that will activate the new o3 Pro model, which boasts enhanced…
Microsoft has released the KB5058481 preview cumulative update for Windows 10 22H2, which introduces several enhancements, including the restoration of…
Recent discoveries have identified two critical vulnerabilities in the open-source forum software vBulletin, one of which is confirmed to be…