CarderPlanet
Open source hacking tools are increasingly being used in real-world attacks.
Researchers from ReversingLabs discovered a malicious package in the npm registry containing a Discord Trojan with rootkit functionality. Dubbed "DiscordRAT 2.0", the malware is a ready-made hacking tool well suited to novice attackers.
The fake node-hide-console-windows package uploaded to the repository on August 25 is named so as to resemble the legitimate node-hide-console-window package. The difference is only one letter.
It is noteworthy that the malicious doppelganger was downloaded about 700 times in the same period of time that the original package was downloaded about 300 times. The malicious package has already been removed from the platform.
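The one-letter lookalike described above is the classic typosquatting pattern, and it can be caught before installation. The following is an added example (not code from the article or from ReversingLabs) that flags dependency names within one edit of a known package; the allow-list and the package.json fragment are constructed for illustration.

```javascript
// Added example: typosquat check for package.json dependencies.
// Levenshtein distance with an early-exit bound; only distances <= maxDist matter.
function editDistance(a, b, maxDist) {
  if (Math.abs(a.length - b.length) > maxDist) return maxDist + 1;
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    let rowMin = i;
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
      if (cur[j] < rowMin) rowMin = cur[j];
    }
    // Row minima never decrease, so once a row exceeds maxDist we can stop.
    if (rowMin > maxDist) return maxDist + 1;
    prev = cur;
  }
  return prev[b.length];
}

// Constructed allow-list; in practice seed it from your lockfile or an internal list.
const KNOWN_PACKAGES = ['node-hide-console-window', 'express', 'lodash'];

// Returns [{ name, lookalike, distance }] for each dependency that is not an exact
// known name but sits within maxDist edits of one. Exact matches are skipped.
function findTyposquats(dependencies, known = KNOWN_PACKAGES, maxDist = 1) {
  const knownSet = new Set(known);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (knownSet.has(name)) continue;
    for (const k of known) {
      const d = editDistance(name, k, maxDist);
      if (d <= maxDist) findings.push({ name, lookalike: k, distance: d });
    }
  }
  return findings;
}

// Constructed package.json fragment; the first entry mirrors the case in the article.
const samplePackageJson = {
  dependencies: {
    'node-hide-console-windows': '^1.0.0',
    'express': '^4.18.0',
    'lodas': '^4.17.21',
  },
};

console.log(findTyposquats(samplePackageJson.dependencies));
```

Run it as a pre-install gate in CI and fail the build on any finding, then review whether the flagged name is a genuine new package or a lookalike of one you already depend on.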
Researchers from ReversingLabs said that the package, when executed, loaded a Discord bot that deployed "r77", an open source rootkit that is freely distributed on GitHub.
"r77" is quite often used in real malware campaigns. Many attackers use it as one of the links in their attack chains to spread the SeroXen Trojan, as well as cryptocurrency miners. ReversingLabs experts believe that this trend indicates that open source projects can increasingly be considered as a way to distribute malware.
Returning to the package in question, the malicious code itself was contained in the "index.js" file inside the malicious package. When executed, the code extracted an executable file configured to run automatically: an open source C#-based Trojan known as DiscordRAT 2.0. It is also freely available on GitHub as a tool for remote management of the victim host via Discord. The tool supports more than 40 commands, including ones that disable antivirus software and collect sensitive data.
Ashley Bengi of ReversingLabs noted that many hacking tools that are publicly available ostensibly for "educational purposes" eventually become sophisticated tools for real attacks in the hands of even inexperienced attackers. Attackers do not even need to go to the darknet to download and use such tools, because everything is available on GitHub, completely free, and even with detailed instructions.
Thus, the example of a malicious package in npm shows that open source hacking tools pose a real threat. Attackers do not even need to write their own tools; they can use popular open source projects like DiscordRAT 2.0 and r77 in their attacks. These tools are easily accessible on platforms like GitHub and can be a dangerous weapon even in the hands of inexperienced hackers.
To counteract such threats, it is necessary to tighten the vetting of packages in open repositories, and to encourage the creators of those freely distributed hacking tools to take a more responsible approach to providing access to their potentially dangerous programs.
