This week, the Sonatype Security Research team has identified a series of counterfeit components in the npm ecosystem. These intentionally malicious packages seem to be doing similar, shady things to the malicious “fallguys” npm package discovered in September (those were stealing web browser files and Discord gaming IMs).
The new packages in question were published by the same npm author whose npm account also contains what look like legitimate packages with genuine use cases:
How were these counterfeit components identified?
Our automated malware detection system called release integrity flagged a suspicious package, “wsbd.js” for potentially malicious behaviour.
However, on looking deeper into “wsbd.js,” I couldn’t help but look into its author. I realized the author had published 10 other npm packages and I then began analyzing each one of them. While most packages published by the author exhibited no obvious signs of malicious behaviour, “wsbd.js” and the 3 others stood out.
What is discord.dll?
The discord.dll is an npm component which conducts sinister activities that are hard to spot upfront. It also uses the legitimate Discord.js npm dependency to potentially distract researchers from its otherwise nefarious activities.
The package comprises just one version 1.0.0, which has been sitting on npm downloads for over 5 months.
What makes the package difficult to analyze is that it consists of multiple files, almost all of which are heavily obfuscated and have base64-encoded strings everywhere.
In essence, discord.dll is a successor to the previously detected fallguys package.
Starting with the manifest file in Discord.dll, package.json, some interesting details come to light.
The package.json manifest file of discord.dll
The GitHub repository links throw 404 Not Found errors.
Notice how the name of the GitHub project listed is “JSTokenGrabber” rather than “Discord.dll” touted by the npm component.
On analyzing the author’s GitHub repository, we found it contained completely different packages than what existed on the author’s npm portfolio.
This indicates a few possibilities:
- Either the package.json metadata is fake, and the npm author publishing malicious components has no association with the GitHub author of similar name, linked to their npm account.
- The same author is behind both GitHub and npm repositories, but malicious projects like “JSTokenGrabber” (Discord.dll) have private visibility on their GitHub repository.
- The author’s npm and/or GitHub accounts were compromised at some point in time and malicious packages were added by threat actors, in addition to some quasi-legitimate packages the author has posted on npm.
GitHub is rampant with projects that identify themselves as Discord token stealer, malware, and grabber, so this hints to what could Discord.dll be actually up to.
What does discord.dll do?
As soon as it is installed, Discord.dll fires up a postinstall script that opens “app.js”.
Now “app.js” is obfuscated and has base64-encoded strings as shown below:
Deobfuscating and reformatting “app.js” reveals NodeJS code which is a tad easier on the eyes. The code has references to Discord, webhooks, setting and getting cookies, “sending” data, Discord tokens, and web browser files.
Real clues, however, are deduced from the base64 strings contained within the application.One of the base64 strings is a URL to the notorious Anonymous logo but that hardly speaks to Discord.dll’s truly malicious nature
One of the base64 strings links to Anonymous logo
Other base64 strings are locations to where web browser files keep users’ roaming profiles and “leveldb” files.
The strings reveal the web browsers Discord.dll takes interest in are Opera, Yandex, Brave and Google Chrome.
This is when suspicions arise that this package is attempting to do what “fallguys” was doing: exfiltrate Discord and web browser’s “leveldb” files.
Additionally, there are references in the package that collect data such as your IP address, “PC username,” “discordcanary” files, etc.
Analyzing 7 other obfuscated JS files that the package contains, Discord.dll’s purpose becomes more clear.
Deobfuscating the “Webhook.js” file tells us counterfeit Discord.dll sends the collected data to a webhook address using the real discord.js library it uses as a dependency:
At the time of writing, the webhook seems no longer in use.
Unlike the previously seen “fallguys” package which had a much simpler structure, Discord.dll contains multiple obfuscated JS files that would take a much longer time to analyze, making it all very elusive.
What about the other 3 packages?
The other 3 suspicious packages found on the same author’s npm page, launch mysterious EXE files contained within as soon as these are installed.
These bundled EXEs are known to be malware, according to VirusTotal.
The “app.js” files contained in these remaining 3 packages had just one line of code, such as:
However, an npm package called “Discord.app” with no other details which, upon install, fires a postinstall script launching a mysterious dropper.exe would ring anyone’s alarm bells.
Out of caution, the Sonatype Security Research team has added the three packages, discord.app, wsbd.js, ac-addon to our security data as sonatype-2020-1096.
The complex “fallguys” successor, Discord.dll has been assigned its own identifier, sonatype-2020-1097.
In our recent state of the software supply chain report, we documented a 430% increase in malicious code injection within OSS projects - or next-gen software supply chain attacks, and this isn’t the first time we have seen attacks including counterfeit components.
Discovery of yet another counterfeit component Discord.dll, especially after “fallguys” malware had already made headlines, speaks to the damage that is possible to your software supply chain if adequate protections are not in place.
Specs, stats and timeline
Some interesting specifications and statistics about these packages are provided below:
- discord.dll: published 5 months ago. 100 downloads.
- discord.app: published 5 months ago. 88 downloads.
- wsbd.js: published 21 hours ago. 38 downloads.
- ac-addon: published 14 days ago. 46 downloads.
Sonatype’s timeline related to the malicious package’s discovery and reporting is as follows:
- November 9th, 2020: Suspicious package `wsbd.js` is picked up by automated malware detection bots which was published a few hours ago at the time of writing. While manually analyzing the package, 3 other packages that seem suspicious are revealed lurking in the author’s npm portfolio.
Although next generation Nexus Intelligence automatically blocks suspicious components via quarantine, our Security Research team immediately adds the packages to our data assigning them identifiers: sonatype-2020-1096, sonatype-2020-1097.
- November 9th, 2020: npm team notified same day of malicious packages, and public disclosure via blog post.
Our reason for the public disclosure centers on the fact that the packages are already live on NPM and have secured hundreds of downloads in real-time. Those who install this package inadvertently are already at the risk of compromising their machines and software supply chains. Therefore, the standard vulnerability disclosure timelines would not apply in this case.
Based on the visibility we have, no Sonatype customers have downloaded this package and our customers remain protected against counterfeit components like “Discord.dll” and others.
Sonatype’s world-class open source intelligence, which includes our automated malware detection technology, safeguards your developers, customers, and software supply chains from infections like these.
If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Nexus Vulnerability Scanner to find out quickly.
Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Nexus Intelligence Insights hot off the press.