Malicious Npm Package “Oscompatible” Deploys Remote Access Trojan And Anydesk

A recent discovery has unveiled a malicious npm package, “oscompatible,” that is responsible for distributing a sophisticated remote access trojan on compromised Windows systems. This malicious package was made public on January 9, 2024, and managed to attract 380 downloads before being removed from the npm registry.

Within the “oscompatible” package, software supply chain security firm Phylum identified several unusual components. These components included a single executable file, a dynamic-link library (DLL), an encrypted DAT file, and a JavaScript file (“index.js”).

The JavaScript file, “index.js,” executes an “autorun.bat” batch script but only after conducting a compatibility check to verify if the target machine operates on the Microsoft Windows platform. If the platform is not Windows, it displays an error message, indicating that the script is intended for use on “Windows Server OS.”

The batch script, when executed, checks for admin privileges. If it lacks these privileges, it runs a legitimate Microsoft Edge component called “cookie_exporter.exe” through a PowerShell command. Attempting to execute this binary prompts a User Account Control (UAC) prompt requesting administrator credentials.

Subsequently, the threat actor advances the attack by running the DLL (“msedge.dll”) using a technique known as DLL search order hijacking. The trojanized version of the library decrypts the DAT file (“msedge.dat”) and initiates another DLL named “msedgedat.dll.” This DLL establishes connections with a domain controlled by the actor, “kdark1[.]com,” to retrieve a ZIP archive.

The ZIP file includes the AnyDesk remote desktop software and a remote access trojan (“verify.dll”). This trojan is capable of receiving instructions from a command-and-control (C2) server via WebSockets and collecting sensitive data from the compromised host. It also performs various actions such as installing Chrome extensions to Secure Preferences, configuring AnyDesk, concealing the screen, disabling Windows shutdown, and capturing keyboard and mouse events, as reported by Phylum.

While “oscompatible” appears to be the sole npm module employed in this campaign, it underscores the growing trend of threat actors targeting open-source software (OSS) ecosystems for supply chain attacks. Phylum noted that the binary operations, including data decryption, the use of a revoked certificate for signing, fetching files from remote sources, and masquerading as a standard Windows update process, demonstrate a relatively sophisticated approach compared to typical OSS ecosystem attacks.

This revelation coincides with a report by cloud security firm Aqua, which revealed that 21.2% of the top 50,000 most downloaded npm packages are deprecated, posing security risks to users. These deprecated packages are estimated to be downloaded a staggering 2.1 billion times weekly. This concerning situation is exacerbated when maintainers opt to deprecate affected packages instead of addressing security vulnerabilities with patches or CVE assignments, potentially leaving users unaware of potential threats.