Hidden XMRig miner malware discovered in hijacked versions of popular ua-parser-js npm library
A hidden XMRig [1] miner malware [2] was discovered embedded in recently hijacked versions of the popular ua-parser-js [3] npm package.
Faisal Salman [4], the maintainer of the library, addressed the issue on GitHub [5]:
Hi all, very sorry about this. [..] I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware [..]
GitHub has labelled the advisory as critical severity [6] and urged users to upgrade and to follow updates on the issue [7] as they unfold:
Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
Affected operating systems
Windows
Windows devices are the main target: in addition to the jsextension.exe miner, the malware (possibly the DanaBot [8] banking trojan) executes additional instructions in an attempt to steal user passwords stored on the machine.
Targeted programs include Firefox, Safari, Outlook, Thunderbird, Opera, Chrome, VPN accounts, Windows Live Mail, Pidgin, several poker clients, the Windows Credential Manager and other applications [9].
Linux
On Linux devices, the preinstall.sh script downloads and runs the jsextension binary, which is the XMRig Monero miner. It does not attempt to steal any passwords.
Linux machines located in Russia, Ukraine, Belarus or Kazakhstan are spared: the script skips them, for no stated reason.
Other operating systems are not targeted by the malware.
Mitigation
From my analysis and research, here are some things you can do right now:
A. Check whether the malicious process is currently running on your machine
- On Linux, run pgrep jsextension in a terminal. It returns nothing if the process is not running. If you get a hit, kill it with kill [PID] (replace PID with the actual process ID).
- On Windows, look for a process named jsextension.exe in the running tasks list and terminate it.
B. Remove and upgrade the package
- Linux users: remove the affected version and upgrade to the patched release:
  0.7.29 (affected) -> 0.7.30 (patched)
  0.8.0 (affected) -> 0.8.1 (patched)
  1.0.0 (affected) -> 1.0.1 (patched)
  ua-parser-js is frequently pulled in as a transitive dependency, so check your lockfile (package-lock.json or yarn.lock) and nested node_modules directories, not only your direct dependencies.
- Windows users: upgrade as above, and also scan your device for a create.dll file and delete it.
C. Change passwords and keys
Even if the package was removed from the machine, that does not guarantee that all malicious software resulting from installing it was removed.
All affected users should therefore treat the device as fully compromised, rotate secret keys and change passwords, doing so from a different, clean machine.
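To make steps A and B repeatable across a whole checkout or build host, here is an added example shell script (it is not part of the original post or of the ua-parser-js project). It walks a directory tree for every installed copy of ua-parser-js, flags the three hijacked versions, and checks for a running jsextension process. It assumes npm's standard node_modules/ua-parser-js/package.json layout and the process name quoted above; the sample tree it scans is constructed inline for the demonstration.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: find hijacked ua-parser-js copies
# and check for the miner process. Assumes npm's node_modules layout and the
# "jsextension" process name from the advisory.

AFFECTED="0.7.29 0.8.0 1.0.0"

# is_affected_version VERSION -> status 0 if VERSION is one of the hijacked releases
is_affected_version() {
  for v in $AFFECTED; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# read_package_version DIR -> prints the "version" field of DIR/package.json
read_package_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" | head -n 1
}

# scan_tree ROOT -> prints one line per affected copy of ua-parser-js under ROOT
# (nested copies included); status 0 if any was found, 1 otherwise
scan_tree() {
  hits=$(find "$1" -type d -path '*/node_modules/ua-parser-js' 2>/dev/null |
    while IFS= read -r dir; do
      ver=$(read_package_version "$dir")
      if is_affected_version "$ver"; then
        printf 'AFFECTED %s (%s)\n' "$dir" "$ver"
      fi
    done)
  [ -n "$hits" ] && printf '%s\n' "$hits"
  [ -n "$hits" ]
}

# miner_running -> status 0 if a process named exactly "jsextension" is running
miner_running() {
  pgrep -x jsextension >/dev/null 2>&1
}

# Constructed demo tree (not a real project): a top-level copy already on the
# patched 0.7.30, and a nested copy pinned to the hijacked 0.7.29.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/ua-parser-js" \
           "$root/node_modules/some-lib/node_modules/ua-parser-js"
  printf '{\n  "name": "ua-parser-js",\n  "version": "0.7.30"\n}\n' \
    > "$root/node_modules/ua-parser-js/package.json"
  printf '{\n  "name": "ua-parser-js",\n  "version": "0.7.29"\n}\n' \
    > "$root/node_modules/some-lib/node_modules/ua-parser-js/package.json"
  printf '%s\n' "$root"
}

demo_root=$(make_demo_tree)
scan_tree "$demo_root"   # reports only the nested 0.7.29 copy
if miner_running; then
  echo "jsextension is running: kill it and treat this host as compromised"
fi
rm -rf "$demo_root"
```

Run it against a real project root instead of the demo tree by calling scan_tree with that path; a hit on a nested copy means a dependency of yours pins the bad version, and npm ls ua-parser-js will tell you which one. A clean scan does not clear the host: if the package was ever installed at an affected version, step C still applies.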
Ending notes
Due to the similar modus operandi, this attack can be linked to previous infections of npm packages discovered by Sonatype researchers recently [10].
As nathanawmk commented [11] on GitHub, a post mortem would be helpful for everyone going forward:
How did this happen? A post mortem is sorely needed. We need to avoid this from occurring again.
Keep an eye on issue #536 [7] for updates.
[1] https://github.com/xmrig/xmrig
[2] jsextension: https://www.virustotal.com/gui/file/ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e/details; jsextension.exe: https://www.virustotal.com/gui/file/7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5; sdd.dll: https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
[3] https://www.npmjs.com/package/ua-parser-js
[4] https://github.com/faisalman
[5] https://github.com/faisalman/ua-parser-js/issues/536#issuecomment-949742904
[6] https://github.com/advisories/GHSA-pjwm-rvh2-c87w
[7] https://github.com/faisalman/ua-parser-js/issues/536
[8] https://blog.malwarebytes.com/detections/trojan-danabot/
[9] https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/
[10] https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices
[11] https://github.com/faisalman/ua-parser-js/issues/536#issuecomment-950194906