“oscompatible” npm package evades UAC to install a remote access Trojan

On January 9, 2024, a Trojan package was uploaded to the npm registry. The package bypasses Windows User Account Control (UAC) and was downloaded 380 times before it was removed from the registry. Its purpose was to install a remote access Trojan on the victim's machine.

The package, named “oscompatible”, bundled several unusual binaries: an executable, a DLL, and an encrypted DAT file, alongside a JavaScript file that served as the front end for the infection. The JavaScript file runs only on Windows and prints an error message on any other platform; on Windows it launches a batch script, “autorun.bat”.

The batch script then checks whether it already has administrator privileges. If it does not, it runs a legitimate Microsoft Edge component (cookie_exporter.exe), which loads the bundled “msedge.dll” through DLL search-order hijacking, so the attacker's DLL executes in place of the genuine one.

The DLL decrypts the DAT file and contacts a hard-coded domain, "kdark1[.]com", from which it retrieves a ZIP archive. The third stage deploys AnyDesk, a remote desktop tool abused here as a remote access Trojan: it receives commands from, and sends collected data to, a remote command-and-control server over WebSockets. The Trojan is highly stealthy, hiding behind Chrome extensions and working off-screen, and it retains control of keyboard and mouse input while it runs.
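The chain described above leaves three indicators that can be checked before a package is ever installed: an npm lifecycle hook that runs code at install time, native or opaque files (.exe, .dll, .dat, .bat) bundled into a supposedly pure-JavaScript package, and a Windows-only platform gate in the entry script. The following Python audit is an added example written for this article; it is not code from the original report or from the package itself. It scans an unpacked package directory for those indicators and builds a constructed, inert sample package (placeholder bytes, nothing executed) whose file names mirror the description; the file name `payload.dat` and the `risk_score` weights are assumptions.

```python
import json
import os
import re
import tempfile
from typing import Dict, List

# npm runs these lifecycle scripts automatically during "npm install".
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Opaque or native file types that rarely belong in a pure-JavaScript package.
SUSPICIOUS_EXT = {".exe", ".dll", ".dat", ".bat", ".cmd", ".ps1"}
# A Windows-only gate in JavaScript, like the loader described in the article.
PLATFORM_GATE = re.compile(r"process\.platform\s*[!=]==?\s*['\"]win32['\"]")


def audit_package(pkg_dir: str) -> Dict[str, List[str]]:
    """Walk an unpacked npm package and collect the three indicators."""
    findings: Dict[str, List[str]] = {"hooks": [], "binaries": [], "platform_gate": []}
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings["hooks"].append(f"{hook}: {scripts[hook]}")
    for root, _dirs, files in os.walk(pkg_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, pkg_dir).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXT:
                findings["binaries"].append(rel)
            elif ext in {".js", ".cjs", ".mjs"}:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if PLATFORM_GATE.search(fh.read()):
                        findings["platform_gate"].append(rel)
    return findings


def risk_score(findings: Dict[str, List[str]]) -> int:
    """Weight the indicators (assumed weights): an install hook plus bundled
    native files is the loader pattern and scores highest."""
    score = 0
    if findings["hooks"]:
        score += 2
    if findings["binaries"]:
        score += 2
    if findings["platform_gate"]:
        score += 1
    return score


def build_sample_package(malicious: bool = True) -> str:
    """Write a constructed, inert package to a temp dir and return its path.
    File names mirror the article's description (payload.dat is assumed);
    contents are placeholder bytes and nothing here is ever executed."""
    pkg_dir = tempfile.mkdtemp(prefix="npm-audit-")
    manifest = {"name": "sample-pkg", "version": "1.0.0", "main": "index.js"}
    index_js = "module.exports = () => 'hello';\n"
    if malicious:
        manifest["scripts"] = {"postinstall": "node index.js"}
        index_js = (
            "if (process.platform !== 'win32') {\n"
            "  console.error('unsupported platform');\n"
            "  process.exit(1);\n"
            "}\n"
            "// placeholder: the described loader would start autorun.bat here\n"
        )
        for name in ("autorun.bat", "cookie_exporter.exe", "msedge.dll", "payload.dat"):
            with open(os.path.join(pkg_dir, name), "wb") as fh:
                fh.write(b"PLACEHOLDER")
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(pkg_dir, "index.js"), "w", encoding="utf-8") as fh:
        fh.write(index_js)
    return pkg_dir


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("clean", False)):
        result = audit_package(build_sample_package(flag))
        print(label, risk_score(result), result)
```

Run against a real package, point `audit_package` at the directory produced by `npm pack` followed by extracting the tarball (or at `node_modules/<name>`), and treat a score of 4 or more as grounds for manual review; installing with `--ignore-scripts` keeps the lifecycle hook from running while you look.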

In its write-up, the company described this as a more organised attack than the usual run of malicious packages. It reported: "From the binary side, the process of decrypting data, using a revoked certificate for signing, pulling other files from remote sources, and attempting to disguise itself as a standard Windows update process all along the way is relatively sophisticated compared to what we normally see in OSS ecosystems."

This is a significant security risk: 21.2% of downloaded npm packages are reported to be deprecated, which leaves a large number of users exposed. With more than two billion downloads between them, the consequences could be severe.

Security researchers Ilay Goldman and Yakir Kadkoda said: "What makes this particularly concerning is that, at times, these maintainers do not officially mark the package as deprecated on npm, leaving a security gap for users who may remain unaware of potential threats."

The researchers also criticised how such issues are handled: rather than being patched, affected packages are merely deprecated, which they see as a sign of a slow response and a lack of concern on the part of those responsible for them.