Techrecipe

Sneak peek into the popular JavaScript library…

UAParser.js, distributed through the npm package manager, is a JavaScript library that parses user agent strings, and it is used by more than 1,000 projects, including giant corporations such as Facebook, Microsoft, Amazon, and Google. It is reported that UAParser.js was hijacked by attackers, who planted a Trojan horse that targets Linux and Windows devices to mine cryptocurrency and steal passwords.

UAParser.js is a library that identifies the browser, rendering engine, operating system, and CPU and device type and model of a website visitor by analyzing the user agent string. Because of its usefulness it is used in many projects, including Facebook, Microsoft, Amazon, Google, Instagram, Slack, Mozilla, Discord, and many others, and it is so popular that it is downloaded millions of times a week. According to reports, its downloads for October 2021 had already exceeded 24 million as of October 23.

However, a new version of UAParser.js distributed on npm on October 22 was found to contain a Trojan horse that installs malicious code on the Linux and Windows devices that download it. Developer Faisal Salman apologized in the bug report, saying he realized something had changed after a flood of spam emails from hundreds of websites. He said that someone appeared to have released versions 0.8.0 and 1.0.0, and added that they install malicious code, as the difference from the previous version shows.

When the compromised UAParser.js is installed, its preinstall.js script checks which operating system the device is running and executes a Linux shell script or a Windows batch file accordingly. If the device is Linux, the preinstall.sh script checks whether the user is located in Russia, Ukraine, Belarus, or Kazakhstan and then executes the jsextension program. The jsextension program installs XMRig, a tool for mining the cryptocurrency Monero, and limits itself to 50% of the CPU so that users are less likely to notice the mining.

If the device is Windows, the batch file saves XMRig as jsextension.exe and additionally downloads sdd.dll, saving it as create.dll. The downloaded DLL is a password-stealing Trojan horse, believed to be DanaBot. Once the DLL is loaded, it has been reported to steal passwords from messaging applications, browsers, FTP clients, VNC and game applications, and Windows Credential Manager.

The attacker behind this incident is believed to be the same one who carried out similar attacks on other npm libraries. The developer released clean UAParser.js versions 0.7.30, 0.8.1, and 1.0.1 that fix the problem a few hours after learning of the npm account hijack. Currently, the defective packages 0.7.29, 0.8.

The report points out that the impact of a supply chain attack via UAParser.js is widespread and that all users should check that their projects do not contain the malicious versions. If jsextension or jsextension.exe is present, remove it, and Windows users also need to remove create.dll quickly.
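The two checks the report asks for, whether a project resolves to one of the malicious releases and whether the dropped files are present, can be scripted. The following Node script is an added example, not code from the article or from the UAParser.js project. It assumes the library's npm package name is ua-parser-js, treats the versions 0.7.29, 0.8.0 and 1.0.0 named above as compromised, and uses a constructed package-lock.json object as sample input.

```javascript
// Added example (not from the article or the UAParser.js project): audit a
// package-lock.json for the compromised ua-parser-js releases named in the
// article and flag the dropped files the article says to remove.

// npm package name of UAParser.js (assumption: the article only gives the
// library's display name).
const PACKAGE = 'ua-parser-js';
// Malicious releases named in the article.
const COMPROMISED = new Set(['0.7.29', '0.8.0', '1.0.0']);
// File names the article tells affected users to remove.
const ARTIFACTS = new Set(['jsextension', 'jsextension.exe', 'create.dll']);

// Return every installed copy of ua-parser-js pinned to a compromised version.
// Handles lockfileVersion 1 (nested "dependencies" tree) and 2/3 ("packages"
// map keyed by install path). A v2 lock carries both, so hits are keyed by
// install path to avoid reporting the same copy twice.
function findCompromised(lock) {
  const hits = new Map();

  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    // The last "node_modules/" segment is the package name.
    const name = installPath.split('node_modules/').pop();
    if (name === PACKAGE && meta && COMPROMISED.has(meta.version)) {
      hits.set(installPath, meta.version);
    }
  }

  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (name === PACKAGE && COMPROMISED.has(meta.version)) {
        hits.set(installPath, meta.version);
      }
      walk(meta.dependencies, installPath + '/');
    }
  };
  walk(lock.dependencies, '');

  return [...hits].map(([installPath, version]) => ({ path: installPath, version }));
}

// Return the file paths whose base name is one of the dropped artifacts.
// Accepts '/' and '\' separators and ignores case, as Windows does.
function suspiciousArtifacts(filePaths) {
  return filePaths.filter((p) => ARTIFACTS.has(p.split(/[\\/]/).pop().toLowerCase()));
}

// Constructed sample lock: the top-level copy is a bad release, a nested copy
// under another dependency is an older, unaffected release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.28' },
  },
  dependencies: {
    'ua-parser-js': { version: '0.7.29' },
    'some-lib': {
      version: '2.1.0',
      dependencies: { 'ua-parser-js': { version: '0.7.28' } },
    },
  },
};

// Usage: node audit-uaparser.js [path/to/package-lock.json]
// Without an argument the constructed sample lock is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8'))
    : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  if (hits.length === 0) {
    console.log('no compromised ua-parser-js versions found');
  } else {
    for (const h of hits) console.log(`COMPROMISED ${h.path} @ ${h.version}`);
  }
}
```

Run it against each project's lock file; on the sample lock it reports only the top-level copy, because the nested 0.7.28 copy is not one of the listed releases. Feed `suspiciousArtifacts` the output of a directory listing (for example `find / -name jsextension` on Linux) to confirm the dropped files are gone after cleanup.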

In addition, although only Windows users are thought to be infected with the password-stealing Trojan, Linux users would be wise to assume that their devices are also at risk. The advice is that all Windows and Linux users whose devices were infected need to change their passwords and tokens.

lswcap
