Npm packages caught serving TurkoRAT binaries that mimic NodeJS

By Akash
on 22-09-2023 05:41 AM

Researchers have discovered multiple npm packages named after NodeJS libraries that even pack a Windows executable that resembles NodeJS but instead drops a sinister trojan.These packages, given their stealthiness and a very low detection rate, had been present on npm for over two months prior to their detection by the researchers.Researchers at software security firm ReversingLabs have analyzed three npm packages that lurked on the npmjs.com registry for over two months.”First published more than two months ago, nodejs-encrypt-agent appears at first glance to be a legitimate package,” state ReversingLabs researchers in their report.”However, discrepancies raised red flags with our researchers. Despite that, our first thought was still that this package couldn’t be malicious. If it were, it would surely have been noticed and removed by npm administrators.”Although nodejs-encrypt-agent didn’t initially sound alarms and even mirrored the functionality of legitimate packages like agent-base, there was more to it, the researchers discovered.”There was, however, a small, but very significant difference: the nodejs-encrypt-agent package contained a portable executable (PE) file that, when analyzed by ReversingLabs was found to be malicious,” write the researchers.The file closely resembles the real NodeJS application with regards to its PE headers and metadata, code and functionality. In fact, BleepingComputer observed, variants of ‘lib.exe’ executables present in certain versions of nodejs-encrypt-agent had a very low detection rate:The same also remains the case for the lib.exe specifically analyzed by ReversingLabs. VirusTotal analysis reveals how the executable mimics Node.js and contains identical metadata from the legitimate application.