05/18/2023-05/24/2023 PyPI Repository Under Attack, NPM Packages for Node.js Hiding Dangerous TurkoRat Malware, Malicious Windows Kernel Drivers And More

1. PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted

The maintainers of Python Package Index (PyPI) have temporarily disabled the ability for users to sign up and upload new packages until further notice. No additional details about the nature of the malware and the threat actors involved in publishing those rogue packages to PyPI were disclosed. The decision to freeze new user and project registrations comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments. Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malware campaign that leverages OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module capable of stealing clipboard content in order to hijack cryptocurrency transactions. ReversingLabs, in a similar discovery, identified multiple npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent in the npm repository that drops a trojan called TurkoRat.

2. npm Packages Caught Serving TurkoRAT Binaries That Mimic NodeJS

Researchers have discovered multiple npm packages named after NodeJS libraries that even pack a Windows executable that resembles NodeJS but instead drops a sinister trojan.
These packages, given their stealthiness and a very low detection rate, had been present on npm for over two months prior to their detection by the researchers.
Software security firm ReversingLabs analyzed three npm packages that were present on the npmjs.com registry for over two months. 

Initially appearing legitimate, the package named nodejs-encrypt-agent raised concerns due to discrepancies. Further investigation by ReversingLabs revealed that the package contained a malicious portable executable (PE) file named ‘lib.exe.’ Despite its large size of approximately 100 MB, the file closely resembled a real NodeJS application, making it difficult to detect. The PE file was found to run a customizable infostealer called TurkoRAT, designed to steal sensitive information such as login credentials and crypto wallets, while evading sandbox environments and debuggers. Another package, nodejs-cookie-proxy-agent, disguised the malicious executable as a dependency named axios-proxy. ReversingLabs detected and reported these malicious packages, emphasizing the ongoing risk of unvetted open source packages to software supply chain security.

3. Privacy Sandbox Initiative: Google to Phase Out Third-Party Cookies Starting 2024

Google has announced plans to officially flip the switch on its twice-delayed Privacy Sandbox initiatives as it slowly works its way to deprecate support for third-party cookies in Chrome browser. To that end, the search and advertising giant said it intends to phase out third-party cookies for 1% of Chrome users globally in the first quarter of 2024. This will support developers in conducting real world experiments that assess the readiness and effectiveness of their products without third-party cookies. Prior to rolling this out, Google said it would introduce the ability for third-party developers to simulate the process for a configurable subset of their users (up to 10%) in Q4 2023. Privacy Sandbox is a two-pronged project for the web and Android that aims to limit covert tracking by eliminating the need for third-party cookies and cross-app identifiers and still serving relevant content and ads in a privacy-preserving manner.

4. Malicious Windows Kernel Drivers Used In BlackCat Ransomware Attacks

BlackCat employed signed malicious Windows kernel drivers to evade security software detection during attacks. The driver, an improved version of the ‘POORTRY’ malware, was spotted by Trend Micro and previously identified by Microsoft, Mandiant, Sophos, and SentinelOne in ransomware attacks. POORTRY, a Windows kernel driver, was signed using stolen keys from legitimate accounts in Microsoft’s Windows Hardware Developer Program. While security software is typically protected from termination or tampering, Windows kernel drivers have the highest privileges and can terminate nearly any process. The ransomware actors initially used the Microsoft-signed POORTRY driver, but its high detection rates and revoked code-signing keys prompted them to deploy an updated version. The updated POORTRY kernel driver, signed using a stolen or leaked cross-signing certificate, helps the BlackCat ransomware operation elevate privileges on compromised machines and terminate security-related processes.

5. KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim’s master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early next month. The vulnerability has to do with how a custom text box field used for entering the master password handles user input. Specifically, it has been found to leave traces of every character the user types in the program memory. This leads to a scenario whereby an attacker could dump the program’s memory and reassemble the password in plaintext with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.

6. Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

UNC3944, a financially motivated cyber actor also known as Roasted 0ktapus, has been exploiting Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools. This unique attack method evades traditional detection methods in Azure, granting the attacker full administrative access to compromised VMs. UNC3944, which emerged last year, utilizes SIM swapping attacks to breach telecommunications and business process outsourcing companies. Mandiant, owned by Google, discovered UNC3944 using a loader named STONESTOP to install a malicious signed driver called POORTRY. This driver terminates security processes and deletes files as part of a BYOVD attack. The initial access likely involves SMS phishing messages targeting privileged users to obtain their credentials and perform a SIM swap. With elevated access, UNC3944 leverages Azure VM extensions and the serial console to gain administrative control. PowerShell is used to deploy legitimate remote administration tools, demonstrating the use of living-off-the-land techniques to evade detection and advance the attack.