Introduction: The Hidden Dangers in Open-Source Repositories
In the vast world of open-source software, developers use various libraries and packages from places like the Node Package Manager (NPM) to build their applications. These packages are like trusted tools for developers. However, because these repositories are open to everyone, sometimes bad actors can sneak in and hide their harmful intentions.
In this blog, we delve into a fascinating case that unravels the mystery of a malicious NPM package, exposing a hidden world of secret script execution and potential dangers.
Deep Dive into 'sync-axios' Malware: Uncovering the Malicious Functions:
Falling into the category of such deceptive practices is the sync-axios package. On the surface, it appears to be a legitimate utility, possibly envisioned as a synchronization tool for the well-known axios HTTP client. However, a deeper dive into its contents reveals a more sinister purpose. It's a sophisticated piece of malware that hijacks processes, demonstrating the evolving complexity of cyber threats in the open-source ecosystem.
Analyzing the Malware's Modus Operandi: Discord Hijacking and Beyond:
The sync-axios package is a seemingly benign package with a deceptive name & structured with several JavaScript files. This structure at first glance might not raise suspicions. However, its functionality extends far beyond what its title suggests, engaging in illicit file system operations, process manipulations, and unauthorized modifications to Discord files and webhook configurations. It stealthily monitors Discord activity, posing a significant threat to user privacy and security.
Unraveling the Code:
The package comprises several functions, each tailored for specific operations. Let's break down these functions and understand their roles:
The primary role of lib/asar/fetcher/functions/dirs.js is to interact with the file system. It contains functions to scan directories (dirs), generate random IDs (id), and a basic encoding function (encode). It uses fs.readdirSync to synchronously read the contents of the directory specified by process.env.localappdata, which is an environment variable pointing to the local application data folder on the user's machine. It then filters out files and directories that include the string "iscord" (matching directories like "Discord", "discord", etc.) and maps each filtered item to its full path using path.join.
In lib/asar/fetcher/functions/exec/index.js, the function killAll employs child_process's exec method to terminate and restart specific processes. It focuses on various Discord executable processes (e.g., Discord.exe, DiscordCanary.exe), forcefully stopping them and then initiating a restart. It kills the task and then uses the Update executable in the application's local app data directory to restart it. This is a clear indicator of process hijacking, possibly to inject malicious code upon restart.
The main lib/asar/fetcher/index.js conducts a thorough scan for Discord's index.js files within the user's local application data. It reads directories and files, focusing on directories that contain "desktop_core" and excluding "node_modules". The script replaces the legitimate index.js with a malicious payload fetched and decoded from an external source, thereby injecting malicious code into the Discord app.
Also, within the index.js, the script extracts an encoded URL from the package.json file, decodes it from Base64, and then uses this URL in a fetch request. The URL is obtained from the id field in package.json. The script makes an HTTP request to the obtained URL and gets the response as text. It then looks for specific encoded strings in the response and replaces them with other values. The specific strings it searches for are encoded in Base64 and correspond to "%WEBHOOK%" and "%ID_REQUEST%" (after decoding). These are replaced with another URL (constructed by appending the n field from package.json to a base URL decoded from Base64) and a randomly generated ID (using the id function from dirs.js), respectively. After the replacement, the modified content is written back to certain files. The files targeted for modification are identified earlier in the script and stored in “I_PATHS”.
Furthermore, the “index.js” continues to tamper with BetterDiscord's configuration files (a popular Discord mod). It replaces the webhook URLs with a URL specified in the package's “package.json”, enabling the attacker to redirect webhook data. This represents a significant security threat as webhooks can be used to exfiltrate sensitive data or send unauthorized messages.
In subsequent versions, the package defines an asynchronous function named `main` that performs a series of file and process operations. Initially, it sets up a few path variables: one for an executable file (`get.exe`), one for the Windows Startup folder, and a target path for a renamed executable (`Discord.exe`). The code then renames `get.exe` to `Discord.exe` and places it in the Startup folder. This ensures that the renamed file will be executed when the computer starts. After the renaming, the script uses the `spawn` function to create a detached child process that runs `Discord.exe`. This child process is independent of the script's process, allowing it to continue running even after the script has finished. The script's process is then terminated using `process.exit()`.
Upon analyzing in a sandbox environment, the processes initiated by "get.exe" reveal that it is initiating multiple instances of a file named "Discord Updater.exe" located in a subdirectory of Temp. These instances of "Discord Updater.exe" are launched with various command-line arguments that specify different types of operations.
The first instance is running as a GPU process, configured with specific GPU preferences and user data directory paths. It's part of a set of operations to manage graphics processing, likely for rendering purposes. The second instance is launched as a utility process, specifically for network services. It also specifies language settings, sandbox type for the service, and user data directory paths, indicating its role in network-related operations. The third instance, similar to the first, is again a GPU process with a focus on using specific graphics libraries (ANGLE, SwiftShader) for rendering, suggesting its use in graphics-intensive tasks.
The Discord Injection: An Alarming Proof of Concept:
The GitHub repository hosting the script showcases a Proof of Concept (PoC) called "Discord Injection", which is designed to demonstrate the interception of HTTP requests within the Discord application. This PoC highlights potential vulnerabilities in Discord by showcasing how critical actions can be intercepted. The key features of this PoC include:
- Interception of Sensitive Actions: It can intercept various important user actions within Discord, such as login, registration, two-factor authentication (2FA) logins, email and password change requests, and the addition of credit card or PayPal information.
- Automatic Logout and Security Measures: Once the injection is performed, it automatically logs out the user from Discord. It also includes measures to prevent QR Code logins and blocks requests to view connected devices on the account.
- Data Redirection: The intercepted data is sent to a specified Discord webhook, allowing the person who set up the injection to receive the sensitive information.
- Installation Process: The repository provides a detailed guide on how to install this injection script into the Discord desktop application. It involves closing Discord, copying the injection code into a specific directory within the Discord installation path, replacing a placeholder with a Discord webhook URL, and then restarting Discord.
Revealing the Purpose:
The script obtained from the URL appears to be a JavaScript module designed for use with Electron, a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. This script seems to be specifically targeted at modifying the Discord desktop application. Here's a breakdown of its functionality:
- Importing Modules and Setting Variables: The script begins by importing necessary modules from Electron and Node.js, such as BrowserWindow, session, execSync, parse, path, and fs. It also initializes several variables, including scripts and URLs used later in the code.
- Function Definitions: Several functions are defined:
- send(e, d): This function appears to send data to a specified URL using a POST request. It's designed to work within the context of a BrowserWindow in Electron.
- cruise(a, b, c, d): A complex function that gathers system information (like OS version, CPU, GPU, etc.) and sends this data, along with user-specific information (like IP address and tokens), to a remote server based on different events (like user login, email change, etc.). - Discord Path Detection: The script tries to locate the installation path of the Discord application. It does this differently based on the operating system (Windows or macOS).
- Update Checking and Injection: The updateCheck function is particularly concerning. It checks for the presence of certain files in the Discord installation directory and writes or overwrites files there. This includes downloading and executing a script from a GitHub URL, which is injected into the Discord application. This is a red flag as it indicates potentially malicious behavior, specifically targeting Discord's files and functionality.
- Modifying Web Requests: The script alters the behavior of web requests made by the Discord application. This includes:
- Intercepting and potentially blocking certain outgoing requests.
- Modifying response headers to remove security policies.
- Intercepting specific API endpoints related to user data and authentication. - Potentially Malicious Activities: Various parts of the script suggest it may be used for malicious purposes:
- The script can log out users from Discord.
- It attempts to intercept and handle user data, which could include sensitive information.
- It modifies the Discord client by injecting external code, which is a common tactic in malware and hacking tools. - Data Harvesting and Transmission: The script is capable of collecting detailed information about the user's machine and Discord account and then transmitting this data to a remote server.
In summary, the script is a sophisticated piece of malware targeting Discord users. It injects malicious code into the Discord application, collects a wide array of sensitive data from the user's machine, and communicates this data to a remote server. The script also attempts to modify Discord's files for persistence and intercepts network requests to manipulate or disable security measures.
Implications and Conclusions: The Wider Impact of 'sync-axios'
The script contained within sync-axios was designed to download and execute additional code from a remote server. This behavior is a classic example of a supply chain attack, where the attackers target software components that are regularly integrated into other software products. The downloaded code had the potential to perform a range of malicious activities, from stealing sensitive information to installing further malware.
This incident highlights the critical importance of vetting third-party dependencies in software development. The reliance on open-source packages, while beneficial for accelerating development, also introduces risks that need to be actively managed. Developers and organizations must implement stringent security measures, such as regular audits of third-party packages and the use of automated tools to scan for vulnerabilities and suspicious activities. Furthermore, this case serves as a reminder of the evolving landscape of cyber threats, where supply chain attacks are becoming increasingly sophisticated and harder to detect.
In conclusion, the sync-axios incident underlines the need for heightened awareness and proactive security measures in the open-source ecosystem. It is a call to action for developers, security teams, and organizations to collaborate and fortify their defenses against such insidious threats lurking in the shadows of trusted repositories.
Strengthening Defenses: Lessons Learned
To combat such threats, developers and organizations must adopt rigorous security measures. This includes regular code audits, using trusted repositories, and implementing automated security tools.
Final Thoughts: A Call to Action for Enhanced Open-Source Security
The 'sync-axios' saga is a wake-up call for the open-source community. It underscores the need for enhanced security practices and collaborative efforts to safeguard the software ecosystem.
MITRE ATT&CK Framework
sync-axios Releases:
IOCs
https://raw[.]githubusercontent[.]com/k4itrun/discord-injection/main/injection.js https://aurita[.]onrender[.]com/request/ https://discord[.]com/api/webhooks/1193233847895212032/6i7RYIz7lgt_an6FYoPOZwwM0Z7QBHSdixhTT_b-8SHsrwgoEMy3eBTK4oqTfupjzqni
Author – Ankur Acharjee (Security Researcher)