sync-axios: Supply Chain Attack - What You Need to Know

February 20, 2024

Introduction: The Hidden Dangers in Open-Source Repositories

In the vast world of open-source software, developers use various libraries and packages from places like the Node Package Manager (NPM) to build their applications. These packages are like trusted tools for developers. However, because these repositories are open to everyone, sometimes bad actors can sneak in and hide their harmful intentions.

In this blog, we delve into a fascinating case that unravels the mystery of a malicious NPM package, exposing a hidden world of secret script execution and potential dangers.

Deep Dive into 'sync-axios' Malware: Uncovering the Malicious Functions:

Falling into the category of such deceptive practices is the sync-axios package. On the surface, it appears to be a legitimate utility, possibly envisioned as a synchronization tool for the well-known axios HTTP client. However, a deeper dive into its contents reveals a more sinister purpose. It's a sophisticated piece of malware that hijacks processes, demonstrating the evolving complexity of cyber threats in the open-source ecosystem. 

Analyzing the Malware's Modus Operandi: Discord Hijacking and Beyond:

The sync-axios package is a seemingly benign package with a deceptive name & structured with several JavaScript files. This structure at first glance might not raise suspicions. However, its functionality extends far beyond what its title suggests, engaging in illicit file system operations, process manipulations, and unauthorized modifications to Discord files and webhook configurations. It stealthily monitors Discord activity, posing a significant threat to user privacy and security.

Unraveling the Code:

The package comprises several functions, each tailored for specific operations. Let's break down these functions and understand their roles:

The primary role of lib/asar/fetcher/functions/dirs.js is to interact with the file system. It contains functions to scan directories (dirs), generate random IDs (id), and a basic encoding function (encode). It uses fs.readdirSync to synchronously read the contents of the directory specified by process.env.localappdata, which is an environment variable pointing to the local application data folder on the user's machine. It then filters out files and directories that include the string "iscord" (matching directories like "Discord", "discord", etc.) and maps each filtered item to its full path using path.join.

In lib/asar/fetcher/functions/exec/index.js, the function killAll employs child_process's exec method to terminate and restart specific processes. It focuses on various Discord executable processes (e.g., Discord.exe, DiscordCanary.exe), forcefully stopping them and then initiating a restart. It kills the task and then uses the Update executable in the application's local app data directory to restart it. This is a clear indicator of process hijacking, possibly to inject malicious code upon restart.

Obfuscated code

Deobfuscated code

The main lib/asar/fetcher/index.js conducts a thorough scan for Discord's index.js files within the user's local application data. It reads directories and files, focusing on directories that contain "desktop_core" and excluding "node_modules". The script replaces the legitimate index.js with a malicious payload fetched and decoded from an external source, thereby injecting malicious code into the Discord app.

Also, within the index.js, the script extracts an encoded URL from the package.json file, decodes it from Base64, and then uses this URL in a fetch request. The URL is obtained from the id field in package.json. The script makes an HTTP request to the obtained URL and gets the response as text. It then looks for specific encoded strings in the response and replaces them with other values. The specific strings it searches for are encoded in Base64 and correspond to "%WEBHOOK%" and "%ID_REQUEST%" (after decoding). These are replaced with another URL (constructed by appending the n field from package.json to a base URL decoded from Base64) and a randomly generated ID (using the id function from dirs.js), respectively. After the replacement, the modified content is written back to certain files. The files targeted for modification are identified earlier in the script and stored in “I_PATHS”.

Obfuscated code

Deobfuscated code

Furthermore, the “index.js” continues to tamper with BetterDiscord's configuration files (a popular Discord mod). It replaces the webhook URLs with a URL specified in the package's “package.json”, enabling the attacker to redirect webhook data. This represents a significant security threat as webhooks can be used to exfiltrate sensitive data or send unauthorized messages.

Deobfuscated code

In subsequent versions, the package defines an asynchronous function named `main` that performs a series of file and process operations. Initially, it sets up a few path variables: one for an executable file (`get.exe`), one for the Windows Startup folder, and a target path for a renamed executable (`Discord.exe`). The code then renames `get.exe` to `Discord.exe` and places it in the Startup folder. This ensures that the renamed file will be executed when the computer starts. After the renaming, the script uses the `spawn` function to create a detached child process that runs `Discord.exe`. This child process is independent of the script's process, allowing it to continue running even after the script has finished. The script's process is then terminated using `process.exit()`.

Deobfuscated code

Upon analyzing in a sandbox environment, the processes initiated by "get.exe" reveal that it is initiating multiple instances of a file named "Discord Updater.exe" located in a subdirectory of Temp. These instances of "Discord Updater.exe" are launched with various command-line arguments that specify different types of operations.

The first instance is running as a GPU process, configured with specific GPU preferences and user data directory paths. It's part of a set of operations to manage graphics processing, likely for rendering purposes. The second instance is launched as a utility process, specifically for network services. It also specifies language settings, sandbox type for the service, and user data directory paths, indicating its role in network-related operations. The third instance, similar to the first, is again a GPU process with a focus on using specific graphics libraries (ANGLE, SwiftShader) for rendering, suggesting its use in graphics-intensive tasks.

The Discord Injection: An Alarming Proof of Concept:

The GitHub repository hosting the script showcases a Proof of Concept (PoC) called "Discord Injection", which is designed to demonstrate the interception of HTTP requests within the Discord application. This PoC highlights potential vulnerabilities in Discord by showcasing how critical actions can be intercepted. The key features of this PoC include:

Revealing the Purpose:

The script obtained from the URL appears to be a JavaScript module designed for use with Electron, a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. This script seems to be specifically targeted at modifying the Discord desktop application. Here's a breakdown of its functionality:

In summary, the script is a sophisticated piece of malware targeting Discord users. It injects malicious code into the Discord application, collects a wide array of sensitive data from the user's machine, and communicates this data to a remote server. The script also attempts to modify Discord's files for persistence and intercepts network requests to manipulate or disable security measures.

Implications and Conclusions: The Wider Impact of 'sync-axios'

The script contained within sync-axios was designed to download and execute additional code from a remote server. This behavior is a classic example of a supply chain attack, where the attackers target software components that are regularly integrated into other software products. The downloaded code had the potential to perform a range of malicious activities, from stealing sensitive information to installing further malware.

This incident highlights the critical importance of vetting third-party dependencies in software development. The reliance on open-source packages, while beneficial for accelerating development, also introduces risks that need to be actively managed. Developers and organizations must implement stringent security measures, such as regular audits of third-party packages and the use of automated tools to scan for vulnerabilities and suspicious activities. Furthermore, this case serves as a reminder of the evolving landscape of cyber threats, where supply chain attacks are becoming increasingly sophisticated and harder to detect.

In conclusion, the sync-axios incident underlines the need for heightened awareness and proactive security measures in the open-source ecosystem. It is a call to action for developers, security teams, and organizations to collaborate and fortify their defenses against such insidious threats lurking in the shadows of trusted repositories.

Strengthening Defenses: Lessons Learned

To combat such threats, developers and organizations must adopt rigorous security measures. This includes regular code audits, using trusted repositories, and implementing automated security tools.

Final Thoughts: A Call to Action for Enhanced Open-Source Security

The 'sync-axios' saga is a wake-up call for the open-source community. It underscores the need for enhanced security practices and collaborative efforts to safeguard the software ecosystem.

MITRE ATT&CK Framework

table { border-collapse: collapse; width: 100%; margin: 20px 0; border-radius: 8px; font-family: 'Plus Jakarta Sans', sans-serif; /* Webflow-friendly font */ font-size: 14px; border: 1px solid #ccc; /* Add a border to the table */ overflow-x: auto; /* Enable horizontal scrolling */ } th, td { padding: 20px 20px; border: 1px solid rgba(255, 255, 255, 0.2); /* Ensure cells have borders */ text-align: left; } th { font-weight: bold; /* background-color: rgba(255, 255, 255, 0.12); */ background-color: rgb(26 49 63); color: #FFF; } tr:nth-child(odd) { background-color: rgba(0, 0, 0, 0.05); /* Maintain subtle banding for visual clarity */ } /* To ensure the table can overflow properly, wrap it in a container with these styles */ .table-container { overflow-x: auto; /* Enables horizontal scroll on smaller screens */ border-radius: 8px; /* Maintains consistency with the table's border radius */ }
Tactic Technique Technique ID Description
Initial Access Exploit Public-Facing Application T1190 Injecting malicious code into Discord, a public-facing application.
Credential Access Unsecured Credentials T1552 Intercepting login credentials and possibly other sensitive information like 2FA codes, emails, and passwords.
Collection Input Capture T1056 Capturing user input during login, registration, or when adding payment methods.
Exfiltration Exfiltration Over Web Service T1567 Sending the intercepted data to an attacker-controlled Discord webhook.
Defense Evasion Obfuscated Files or Information T1027 Potentially obfuscating the injection code to evade detection.
Persistence Modify Existing Software T1574 Modifying Discord's installation files to maintain persistence of the injected code.

sync-axios Releases:

IOCs

https://raw[.]githubusercontent[.]com/k4itrun/discord-injection/main/injection.js https://aurita[.]onrender[.]com/request/ https://discord[.]com/api/webhooks/1193233847895212032/6i7RYIz7lgt_an6FYoPOZwwM0Z7QBHSdixhTT_b-8SHsrwgoEMy3eBTK4oqTfupjzqni

Author – Ankur Acharjee (Security Researcher)

Get notified

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

BLOGS AND RESOURCES

Latest Articles

RansomHub Revealed: Threats, Tools, and Tactics

December 9, 2024

The Rise of INTERLOCK Ransomware

November 13, 2024

Fortifying the Cloud: A Guide to Securing Vulnerable Cloud Environments

October 23, 2024