Attackers abused Ethereum smart contracts to hide npm malware, ReversingLabs found

Last updated: 09/05/2025
  • Two npm packages, 'colortoolsv2' and 'mimelib2', routed C2 through an Ethereum smart contract to evade detection.
  • A fake GitHub trading-bot ecosystem manufactured inflated trust signals, with commits and accounts created before the malicious dependency was added.
  • The same on-chain contract (0x1f171a1b07c108eae05a5bccbe86922d66227e2b) served the second-stage URLs.
  • IoCs include specific package versions and SHA1 hashes; teams should watch for unexpected blockchain calls in install scripts.

Ethereum smart contracts hide npm malware

ReversingLabs flagged two npm packages that quietly redirected their install logic through an Ethereum smart contract, turning the public blockchain into a hidden pointer to command-and-control (C2) infrastructure. The packages, 'colortoolsv2' and 'mimelib2', were presented as simple utilities while enabling the retrieval of a second-stage payload.

By keeping the C2 address in an on-chain contract, the operators wrapped their traffic in what looks like ordinary blockchain activity, which complicates static and reputation-based detection. The contract 0x1f171a1b07c108eae05a5bccbe86922d66227e2b exposed read functions that return a URL, which the installers would later contact.

[Figure: Ethereum smart contracts in npm]

Related article: Malicious npm packages used Ethereum smart contracts to hide payment links

From npm loader to on-chain C2

How the npm-to-Ethereum smart-contract chain works

Inside 'colortoolsv2', a lightweight index.js loader called out to an external lookup whose location was not hard-coded in the package. Instead, it queried an Ethereum smart contract for the endpoint that would steer the host to command-and-control.

Public explorers such as Etherscan show the contract exposing simple read functions that return a URL, effectively using the chain as a durable pointer to attack infrastructure. Because the final destination came from a blockchain call, defenders saw no static domain baked into the npm package.

After its discovery, 'colortoolsv2' was removed from npm on 7 July. Shortly afterwards, the operators published 'mimelib2', which reused the same logic and the same smart contract to deliver the second stage, according to the analysis.

When executed, the payload fetched a second-stage component whose hash the researchers published (SHA1: 021d0eef8f457eb2a9f9fb2260dd2e39ff009a21). This design lets the attackers rotate destinations by editing the on-chain data rather than republishing the code.

Gaming GitHub trust to hide the malicious dependency

[Figure: GitHub dressed up to hide npm malware]

ReversingLabs also traced a network of faux GitHub projects presented as crypto trading bots, complete with thousands of commits, many watchers, stars and maintainers. Repositories such as 'solana-trading-bot-v2' looked active, but most of the activity was automated.

Many commits touched meaningless, churned files (for example, repeated edits to LICENSE), while clusters of look-alike accounts created on 10 July held nothing real; some README files said only 'Hello'. Usernames including 'slunfuedrac', 'cnaovalles' and 'pastimerles' appeared repeatedly, inflating the signals of legitimacy.

The diff showed the malicious dependency added to the trading-bot code (for example, in bot.ts and the imports of src/index.ts), first via 'colortoolsv2' and then via 'mimelib2'. That insertion became far less visible to a routine review amid the noisy history.

By staging npm and GitHub together, the actors blurred the usual trust signals, making the hidden dependency blend into a project that appeared active, well maintained and community-backed.

IoCs, scope and what defenders should watch

Key indicators tied to the npm and Ethereum smart-contract scheme

ReversingLabs published the following indicators of compromise (IoCs) tied to this campaign:

  • npm packages: colortoolsv2 1.0.0 (SHA1 678c20775ff86b014ae8d9869ce5c41ee06b6215), 1.0.1 (1bb7b23f45ed80bce33a6b6e6bc4f99750d5a34b), 1.0.2 (db86351f938a55756061e9b1f4469ff2699e9e27)
  • npm package: mimelib2 1.0.0 (bda31e9022f5994385c26bd8a451acf0cd0b36da), 1.0.1 (c5488b605cf3e9e9ef35da407ea848cf0326fdea)
  • Second stage: SHA1 021d0eef8f457eb2a9f9fb2260dd2e39ff009a21
  • Smart contract: 0x1f171a1b07c108eae05a5bccbe86922d66227e2b

This approach echoes earlier abuse of trusted hosting such as Gists or cloud storage, but on-chain indirection undermines static blocklists and simple source checks. The C2 location can be swapped in the contract without touching the package, and blockchain traffic can pass as ordinary in crypto-adjacent environments.

Practical steps include reviewing dependencies beyond stars and commit counts, monitoring for unexpected blockchain RPC calls during install and build phases, validating any URL resolved at runtime, and pinning known-good versions with integrity checks. Security teams should also hunt for repositories whose activity is artificially inflated by trivial, automated actions.
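The following dependency audit is an added example, not code from ReversingLabs, npm or the packages discussed. It turns the loader shape described above (install hook, on-chain read, runtime-resolved download) and the review steps just listed into three checks over parsed packages: a match against the published IoC versions, the presence of lifecycle hooks, and Ethereum-access indicators in the entry module. The package records, the `auditPackage`/`auditDependencies` names and the all-zero contract address in the sample are assumptions constructed for the example.

```javascript
// Added example; not code from ReversingLabs, npm or the packages discussed.
// Audits parsed npm packages for (1) versions named in the IoCs above, (2) lifecycle
// hooks that run code at install time, and (3) entry modules that query an Ethereum node.
const IOC_VERSIONS = new Set([
  "colortoolsv2@1.0.0", "colortoolsv2@1.0.1", "colortoolsv2@1.0.2",
  "mimelib2@1.0.0", "mimelib2@1.0.1",
]);
// Indicators that a module talks to the chain at load time. Genuine crypto
// tooling matches too, so each hit is a review trigger, not a verdict.
const CHAIN_PATTERNS = [
  /["']eth_call["']/,        // raw JSON-RPC read call
  /\b(ethers|web3)\b/,       // common client libraries
  /0x[0-9a-fA-F]{40}/,       // a contract address literal
];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// pkg = { manifest: package.json as an object, files: { relativePath: source } }
function auditPackage(pkg) {
  const id = `${pkg.manifest.name}@${pkg.manifest.version}`;
  const findings = [];
  if (IOC_VERSIONS.has(id)) findings.push({ id, rule: "known-ioc" });
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkg.manifest.scripts || {})[hook];
    if (cmd) findings.push({ id, rule: "install-hook", detail: `${hook}: ${cmd}` });
  }
  const entry = pkg.manifest.main || "index.js";
  const src = pkg.files[entry] || "";
  const chainHits = CHAIN_PATTERNS.filter((re) => re.test(src)).length;
  if (chainHits > 0) findings.push({ id, rule: "chain-lookup", detail: `${chainHits} indicator(s) in ${entry}` });
  // Chain access plus a dynamic download in the same entry file is the loader shape described above.
  if (chainHits > 0 && /\b(fetch|axios|http\.get|https\.get)\b/.test(src)) {
    findings.push({ id, rule: "chain-resolved-download" });
  }
  return findings;
}
function auditDependencies(packages) {
  return packages.flatMap(auditPackage);
}

// Constructed sample inputs: one benign utility and one loader modelled on the
// description above (the contract address is an all-zero placeholder, not the real one).
const SAMPLE_PACKAGES = [
  { manifest: { name: "leftpad-like", version: "2.0.0", main: "index.js" },
    files: { "index.js": "module.exports = (s, n) => s.padStart(n);" } },
  { manifest: { name: "colortoolsv2", version: "1.0.0", main: "index.js",
                scripts: { postinstall: "node index.js" } },
    files: { "index.js":
      'const body = JSON.stringify({ method: "eth_call", params: [{ to: "0x0000000000000000000000000000000000000000", data: "0x" }] });\n' +
      'fetch(RPC, { method: "POST", body }).then(r => r.json()).then(j => fetch(decode(j)));' } },
];
```

Run `auditDependencies(SAMPLE_PACKAGES)` against records built from a project's node_modules to get one finding per triggered rule; the benign sample yields none, the loader sample yields all four.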

The case shows how Ethereum smart contracts can be repurposed as durable pointers for malware distribution in the npm ecosystem, while GitHub activity hides malicious dependencies in plain sight; awareness of this blend of open-source and on-chain infrastructure is now essential for development and trading-bot defence.
