Quick Review of the “Flat map-stream” attack

THE SOCIAL ENGINEERING ATTACK

Recently, a malicious attacker socially engineered a developer and had acquired legitimate access to a popular JavaScript library and has inserted malware code that procures digital currency stowed away in certain particular digital wallets. The “ownership” of the package was mutually transferred to an unknown developer called “right9ctrl.” An npm package that has been downloaded 2 million times and is implemented by small start-ups and even Fortune 500 companies.

This attack started out as a social engineering attack. The attacker, posing as a maintainer, took over to maintain the event-stream module. This developer, “Right9ctrl” was able to develop the trust to gain access and ultimately acquire ownership by providing several contributions to the overall package.  After eventually gaining full access to the source code he began his malicious intent.

THE CODE ATTACK

The attacker began his malware journey in a two-step process in modifying event-stream. First, the version released for public consumption in September had been updated with a futile module known as “flat map-stream.” The malicious developer curated “event-stream” to hinge on the malicious code, “flat map-stream.” This section was precisely fashioned for the purposes of this attack. That bundle comprises a fairly meek index.js file, with the inclusion of a minified index.min.js file. The compound files on GitHub seem blameless enough. In the Second step, the user implemented an update in “flat map-stream” to include the payload that attempted to rob cryptocurrency wallets and send the balances to a server in Malaysia.

It zeroed in on a specific wallet to affect, Co-pay. This is a secure bitcoin wallet app for desktop and mobile apparatuses. This is known since the malevolent suite explicitly targets that application because the obscured code reads the “description” field from a project’s “package. Son file,” then implements that description to decrypt an AES256 encrypted payload. At the onset of the code, the strings become decrypted implementing data from the consuming package. If it hits a dud, it would error out, but the mistake would be situated and disregarded.

MITIGATION/PREVENTION MEASURES

It may well be enticing to bank on tools which scan npm packages by means of static analysis. This specific attack encrypts the malicious source code to avoid detection. To protect against such an attack a different approach or approaches must be implemented.

First, the developers in the open source market must be aware of who they are handing over duties too. It is common practice to hand over source code as that is the nature of the coding culture. However, this needs to be addressed to provide some form of a security measure to make sure this social engineering attack is mitigated.

Second, JavaScript is prone to this kind of attack. One approach you may do to help defend it from routinely attacking you is implemented a “lock file” so you’re not robotically installing the latest updates without even noticing it. Unfortunately, this also means you might not be up to date with the latest remedies for security vulnerabilities, so you will eventually have to do some risk assessment on your part.

Of course, this was eventually a foreseen security flaw. The “event-stream” attack won’t be the last, and it’s likely right now there are other bits of malicious code in wide use in existing npm packages/open-source code that has not been detected.

About the Author

Joe Guerra, M.Ed, CySA+, C|EH, Cybersecurity Instructor, Hallmark University. Joe Guerra is a cybersecurity/computer programming instructor at Hallmark University. He has 12 years of teaching/training experience in software and information technology development. Joe has been involved in teaching information systems security and secure software development towards industry certifications. Initially, Joe was a software developer working in Java, PHP, and Python projects. He is constantly researching attack techniques, forensic investigations, and malware analysis. He is focused on training the new generation of cyber first responders at Hallmark University.