Hidden XMRig miner malware discovered in hijacked versions of popular ua-parser-js npm library
Hi all, very sorry about this. [..] I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware [..]
Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
Windows devices are the main target, as the malware (possibly the DanaBot banking trojan) also executes additional instructions in an attempt to steal user passwords stored on the machine.
Targeted programs include Firefox, Safari, Outlook, Thunderbird, Opera, Chrome, VPN accounts, Windows Live Mail, Pidgin, several poker clients, the Windows credential manager and other applications.
On Linux devices, the preinstall.sh script downloads and runs the jsextension binary, which contains the XMRig Monero miner. It does not attempt to steal any passwords.
Linux machines located in Russia, Ukraine, Belarus or Kazakhstan are spared, for some odd reason.
Other operating systems are not targeted by the malware.
From my analysis/research, here are some things you can do right now:
A. Check to see if the malicious process is currently running on your machine
- On Linux, you can just run pgrep jsextension in a terminal. It should return nothing if the process is not running. If you get a hit, kill it using kill [PID] (replace PID with the actual process ID).
- On Windows you should see a process named jsextension.exe in the running tasks list. Terminate it.
B. Remove and upgrade package
- Linux users: versions 0.7.29, 0.8.0 and 1.0.0 are affected; remove the package and upgrade to the patched release of your version line.
- Windows users: do the same, and also scan your device for a create.dll file and delete it.
C. Change passwords and keys
Even if the package was removed from the machine, that does not automatically guarantee that all malicious software resulting from installing it was removed.
Thus, all affected users should treat the device as fully compromised and take steps to rotate secret keys and change passwords.
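The checks in sections A and B, as an added example that is not part of the original advisory: a POSIX sh script that finds every installed copy of ua-parser-js under a project tree (nested, transitive copies included), flags the three hijacked versions, and checks for the jsextension process. It assumes find, sed and pgrep are available; the process name and version numbers are the ones given above.

```shell
#!/bin/sh
# Added example, not from the original advisory: flag hijacked ua-parser-js
# copies under a project tree and check for the miner process named above.
# Assumes POSIX sh plus find, sed and pgrep.
AFFECTED_VERSIONS="0.7.29 0.8.0 1.0.0"

# Return 0 when $1 is one of the hijacked releases.
uaparser_affected() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Pull "version" out of a package.json without relying on node or jq.
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print one line per installed copy (including nested, transitive ones):
# "AFFECTED <version> <path>" or "ok <version> <path>".
scan_tree() {
  find "${1:-.}" -path '*/node_modules/ua-parser-js/package.json' 2>/dev/null |
  while IFS= read -r pkg; do
    ver=$(package_version "$pkg")
    if uaparser_affected "$ver"; then
      printf 'AFFECTED %s %s\n' "$ver" "$pkg"
    else
      printf 'ok %s %s\n' "$ver" "$pkg"
    fi
  done
}

# Return 0 when no hijacked copy exists under $1.
tree_is_clean() {
  ! scan_tree "$1" | grep -q '^AFFECTED '
}

# Return 0 when a process with the miner's name from section A is running.
miner_running() {
  pgrep -x jsextension >/dev/null 2>&1
}

# Usage: sh check_uaparser.sh [project-dir]
main() {
  dir="${1:-.}"
  scan_tree "$dir"
  miner_running && echo "WARNING: a jsextension process is running; see section A"
  tree_is_clean "$dir" && echo "no hijacked ua-parser-js copies under $dir"
}
main "$@"
```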
Due to the similar modus operandi, this attack can be linked to previous infections of npm packages discovered by Sonatype researchers recently.
As nathanawmk commented on GitHub, a post mortem would be helpful for everyone going forward:
How did this happen? A post mortem is sorely needed. We need to avoid this from occurring again.
Keep an eye on !5367 for updates.
VirusTotal reports for the dropped files:
- jsextension: https://www.virustotal.com/gui/file/ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e/details
- jsextension.exe: https://www.virustotal.com/gui/file/7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5
- sdd.dll: https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd