Jason Franscisco
In the vast world of open-source software, developers use various libraries and packages from places like the Node Package Manager (NPM) to build their applications. These packages are like trusted tools for developers. However, because these repositories are open to everyone, sometimes bad actors can sneak in and hide their harmful intentions.
In this blog, we delve into a fascinating case that unravels the mystery of a malicious NPM package, exposing a hidden world of secret script execution and potential dangers.
Falling into the category of such deceptive practices is the sync-axios package. On the surface, it appears to be a legitimate utility, possibly envisioned as a synchronization tool for the well-known axios HTTP client. However, a deeper dive into its contents reveals a more sinister purpose. It's a sophisticated piece of malware that hijacks processes, demonstrating the evolving complexity of cyber threats in the open-source ecosystem.
The sync-axios package is a seemingly benign package with a deceptive name & structured with several JavaScript files. This structure at first glance might not raise suspicions. However, its functionality extends far beyond what its title suggests, engaging in illicit file system operations, process manipulations, and unauthorized modifications to Discord files and webhook configurations. It stealthily monitors Discord activity, posing a significant threat to user privacy and security.
Unraveling the Code:
The package comprises several functions, each tailored for specific operations. Let's break down these functions and understand their roles:
The primary role of lib/asar/fetcher/functions/dirs.js is to interact with the file system. It contains functions to scan directories (dirs), generate random IDs (id), and a basic encoding function (encode). It uses fs.readdirSync to synchronously read the contents of the directory specified by process.env.localappdata, which is an environment variable pointing to the local application data folder on the user's machine. It then filters out files and directories that include the string "iscord" (matching directories like "Discord", "discord", etc.) and maps each filtered item to its full path using path.join.
In lib/asar/fetcher/functions/exec/index.js, the function killAll employs child_process's exec method to terminate and restart specific processes. It focuses on various Discord executable processes (e.g., Discord.exe, DiscordCanary.exe), forcefully stopping them and then initiating a restart. It kills the task and then uses the Update executable in the application's local app data directory to restart it. This is a clear indicator of process hijacking, possibly to inject malicious code upon restart.
The main lib/asar/fetcher/index.js conducts a thorough scan for Discord's index.js files within the user's local application data. It reads directories and files, focusing on directories that contain "desktop_core" and excluding "node_modules". The script replaces the legitimate index.js with a malicious payload fetched and decoded from an external source, thereby injecting malicious code into the Discord app.
Also, within the index.js, the script extracts an encoded URL from the package.json file, decodes it from Base64, and then uses this URL in a fetch request. The URL is obtained from the id field in package.json. The script makes an HTTP request to the obtained URL and gets the response as text. It then looks for specific encoded strings in the response and replaces them with other values. The specific strings it searches for are encoded in Base64 and correspond to "%WEBHOOK%" and "%ID_REQUEST%" (after decoding). These are replaced with another URL (constructed by appending the n field from package.json to a base URL decoded from Base64) and a randomly generated ID (using the id function from dirs.js), respectively. After the replacement, the modified content is written back to certain files. The files targeted for modification are identified earlier in the script and stored in “I_PATHS”.
Furthermore, the “index.js” continues to tamper with BetterDiscord's configuration files (a popular Discord mod). It replaces the webhook URLs with a URL specified in the package's “package.json”, enabling the attacker to redirect webhook data. This represents a significant security threat as webhooks can be used to exfiltrate sensitive data or send unauthorized messages.
In subsequent versions, the package defines an asynchronous function named `main` that performs a series of file and process operations. Initially, it sets up a few path variables: one for an executable file (`get.exe`), one for the Windows Startup folder, and a target path for a renamed executable (`Discord.exe`). The code then renames `get.exe` to `Discord.exe` and places it in the Startup folder. This ensures that the renamed file will be executed when the computer starts. After the renaming, the script uses the `spawn` function to create a detached child process that runs `Discord.exe`. This child process is independent of the script's process, allowing it to continue running even after the script has finished. The script's process is then terminated using `process.exit()`.
Upon analyzing in a sandbox environment, the processes initiated by "get.exe" reveal that it is initiating multiple instances of a file named "Discord Updater.exe" located in a subdirectory of Temp. These instances of "Discord Updater.exe" are launched with various command-line arguments that specify different types of operations.
The first instance is running as a GPU process, configured with specific GPU preferences and user data directory paths. It's part of a set of operations to manage graphics processing, likely for rendering purposes. The second instance is launched as a utility process, specifically for network services. It also specifies language settings, sandbox type for the service, and user data directory paths, indicating its role in network-related operations. The third instance, similar to the first, is again a GPU process with a focus on using specific graphics libraries (ANGLE, SwiftShader) for rendering, suggesting its use in graphics-intensive tasks.
The Discord Injection: An Alarming Proof of Concept:
The GitHub repository hosting the script showcases a Proof of Concept (PoC) called "Discord Injection", which is designed to demonstrate the interception of HTTP requests within the Discord application. This PoC highlights potential vulnerabilities in Discord by showcasing how critical actions can be intercepted. The key features of this PoC include:
Revealing the Purpose:
The script obtained from the URL appears to be a JavaScript module designed for use with Electron, a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. This script seems to be specifically targeted at modifying the Discord desktop application. Here's a breakdown of its functionality:
In summary, the script is a sophisticated piece of malware targeting Discord users. It injects malicious code into the Discord application, collects a wide array of sensitive data from the user's machine, and communicates this data to a remote server. The script also attempts to modify Discord's files for persistence and intercepts network requests to manipulate or disable security measures.
Implications and Conclusions: The Wider Impact of 'sync-axios'
The script contained within sync-axios was designed to download and execute additional code from a remote server. This behavior is a classic example of a supply chain attack, where the attackers target software components that are regularly integrated into other software products. The downloaded code had the potential to perform a range of malicious activities, from stealing sensitive information to installing further malware.
This incident highlights the critical importance of vetting third-party dependencies in software development. The reliance on open-source packages, while beneficial for accelerating development, also introduces risks that need to be actively managed. Developers and organizations must implement stringent security measures, such as regular audits of third-party packages and the use of automated tools to scan for vulnerabilities and suspicious activities. Furthermore, this case serves as a reminder of the evolving landscape of cyber threats, where supply chain attacks are becoming increasingly sophisticated and harder to detect.
In conclusion, the sync-axios incident underlines the need for heightened awareness and proactive security measures in the open-source ecosystem. It is a call to action for developers, security teams, and organizations to collaborate and fortify their defenses against such insidious threats lurking in the shadows of trusted repositories.
Strengthening Defenses: Lessons Learned
To combat such threats, developers and organizations must adopt rigorous security measures. This includes regular code audits, using trusted repositories, and implementing automated security tools.
Final Thoughts: A Call to Action for Enhanced Open-Source Security
The 'sync-axios' saga is a wake-up call for the open-source community. It underscores the need for enhanced security practices and collaborative efforts to safeguard the software ecosystem.
MITRE ATT&CK Framework
sync-axios Releases:
IOCs
https://raw[.]githubusercontent[.]com/k4itrun/discord-injection/main/injection.js https://aurita[.]onrender[.]com/request/ https://discord[.]com/api/webhooks/1193233847895212032/6i7RYIz7lgt_an6FYoPOZwwM0Z7QBHSdixhTT_b-8SHsrwgoEMy3eBTK4oqTfupjzqni
Author – Ankur Acharjee (Security Researcher)
Explore Cybersecurity Platforms
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.
For over 16 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media and more have come to rely on Loginsoft as a trusted resource for technology talent. Whether Onsite, Offsite, or Offshore, we deliver.
Loginsoft is a leading Cybersecurity services company providing Security Advisory Research to generate metadata for vulnerabilities in Open source components, Discovering ZeroDay Vulnerabilities, Developing Vulnerability Detection signatures using MITRE OVAL Language.
Expertise in Integrations with Threat Intelligence and Security Products, integrated more than 200+ integrations with leading TIP, SIEM, SOAR and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar, IBM Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency APIs with Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet and so on.
Interested to learn more? Let’s start a conversation.
IN-HOUSE EXPERTISE
Get practical solutions to real-world challenges, straight from experts who conquered them.
View all our articles
