- The malicious npm packages colortoolsv2 and mimelib2 fetched their C2 URLs from an Ethereum smart contract to evade detection.
- The on-chain indirection let the operators rotate endpoints without republishing the packages; colortoolsv2 was removed on July 7, before mimelib2 appeared.
- A coordinated GitHub push used fake trading-bot repositories, inflated stars, and scripted commits to hide the malicious dependency.
- IoCs include package versions, SHA1 hashes, and the contract 0x1f171a1b07c108eae05a5bccbe86922d66227e2b, along with guidance for defenders.

Threat actors have turned to a new trick: routing malicious infrastructure through an Ethereum smart contract to conceal the command-and-control (C2) used by npm packages. According to ReversingLabs, two packages, colortoolsv2 and mimelib2, quietly reached out to the blockchain to retrieve the URLs for their second-stage payloads, sidestepping static checks that look for hard-coded domains.
Rather than exploiting a flaw in Ethereum itself, the scheme abuses the network as a public, resilient routing layer. After colortoolsv2 was pulled from npm on July 7, the operators quickly moved to mimelib2 with near-identical logic, continuing to reference the same on-chain contract for the next stage.
From npm install to chain lookup: how the redirection works
Inside colortoolsv2, the minimal payload (index.js) acted as a downloader: it invoked an external command whose target it took from a smart contract rather than from a local script or static configuration. Etherscan shows the contract 0x1f171a1b07c108eae05a5bccbe86922d66227e2b, whose read functions returned a URL used to reach the C2 service.
This on-chain indirection complicates blocking. Defenders could not simply find and blocklist a hard-coded domain in the package, because the live final endpoint lived in a contract under the operators' control. Rotating endpoints required only an update to the contract's storage, not a republished npm artifact, and the resulting blockchain traffic blended in with legitimate activity.
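Because the lookup is an ordinary JSON-RPC request to a public node, the distinguishing feature on the wire is the destination contract, not the RPC host. The following is an added example, not ReversingLabs' code, that picks eth_call requests addressed to the published contract out of egress-proxy log lines. The log format, the host names, the RPC URL, the `data` fields and every log line are constructed for this example; only the contract address comes from the article. It handles JSON-RPC batch requests (arrays) and compares addresses case-insensitively, since wallet libraries emit mixed-case (EIP-55) forms.

```javascript
// Added example, not ReversingLabs' code. Flags eth_call requests aimed at the campaign's
// contract in egress-proxy logs. Log format and lines are constructed; the contract
// address is the one published for colortoolsv2/mimelib2.
const IOC_CONTRACTS = new Set(["0x1f171a1b07c108eae05a5bccbe86922d66227e2b"]);

// Constructed log format: "<source-host> <http-method> <url> <json-body>"
const SAMPLE_LOG = [
  'ci-runner-3 POST https://rpc.example.invalid/ {"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}',
  // upper-cased form of the IoC address: address comparisons must be case-insensitive
  'ci-runner-3 POST https://rpc.example.invalid/ {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0x1F171A1B07C108EAE05A5BCCBE86922D66227E2B","data":"0x00000000"},"latest"]}',
  // a batch request: one call to an unrelated (constructed) contract, one to the IoC contract
  'dev-laptop-7 POST https://rpc.example.invalid/ [{"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0xabababababababababababababababababababab","data":"0x00000000"},"latest"]},{"jsonrpc":"2.0","id":4,"method":"eth_call","params":[{"to":"0x1f171a1b07c108eae05a5bccbe86922d66227e2b","data":"0x00000000"},"latest"]}]',
  'ci-runner-3 POST https://rpc.example.invalid/ not-json-at-all',
];

// Split one log line into its fields and parse the body; returns null for non-JSON bodies.
function parseRpcLogLine(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$/);
  if (!m) return null;
  try {
    return { src: m[1], method: m[2], url: m[3], body: JSON.parse(m[4]) };
  } catch {
    return null; // not a JSON-RPC body, nothing to inspect
  }
}

// Return one hit per eth_call whose "to" address is in the IoC set.
function flagContractCalls(lines, iocs = IOC_CONTRACTS) {
  const hits = [];
  for (const line of lines) {
    const req = parseRpcLogLine(line);
    if (!req) continue;
    const calls = Array.isArray(req.body) ? req.body : [req.body]; // batch requests are arrays
    for (const call of calls) {
      if (!call || call.method !== "eth_call" || !Array.isArray(call.params)) continue;
      const tx = call.params[0] || {};
      const to = String(tx.to || "").toLowerCase(); // normalise EIP-55 mixed case
      if (iocs.has(to)) hits.push({ src: req.src, rpc: req.url, to, data: tx.data, id: call.id });
    }
  }
  return hits;
}

for (const h of flagContractCalls(SAMPLE_LOG)) {
  console.log(`ALERT ${h.src} called IoC contract ${h.to} via ${h.rpc} (rpc id ${h.id})`);
}
```

On the constructed log this reports two hits, one from the CI runner and one from the developer laptop inside the batch request, and ignores the eth_blockNumber call and the unparsable line. The same matching can be applied to proxy or DNS-plus-TLS-inspection logs wherever the request body is available.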
When executed during install or at runtime, the loader retrieved a second-stage component (SHA1 021d0eef8f457eb2a9f9fb2260dd2e39ff009a21), which handled the follow-on tasks. Mirroring the behavior of colortoolsv2, mimelib2 reused the same contract for the same purpose with near-identical code paths.
ReversingLabs described the approach as unusual for the npm ecosystem: the malicious URLs were hosted in smart-contract form rather than on the traditional web services seen in earlier supply-chain campaigns (for example, cloud storage or code repositories).
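Since the URL never appears in the package, a domain blocklist misses this loader, but its shape is still visible statically: a lifecycle hook, a chain client, a 40-hex-digit address and child-process execution in the same small package. The following is an added example, not ReversingLabs' code, of heuristics over a package's package.json and source files that score exactly that combination. The rule names, the scoring thresholds and the two sample packages (including the placeholder address 0xabab...) are this example's own constructions.

```javascript
// Added example, not ReversingLabs' or npm's own code. Static heuristics that flag an npm
// package whose install-time code resolves a remote target through an Ethereum contract and
// then spawns a process, the pattern the article attributes to colortoolsv2/mimelib2.
// Both sample packages below are constructed for this example.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each rule is a regular expression over source text; the rule names are this example's own.
const RULES = {
  child_process: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/,
  chain_library: /require\(\s*['"](?:ethers|web3)['"]\s*\)|from\s+['"](?:ethers|web3)['"]/,
  json_rpc: /\beth_call\b|\bJsonRpcProvider\b/,
  eth_address: /\b0x[0-9a-fA-F]{40}\b/,
};

// pkg = { manifest: <parsed package.json>, files: { "<path>": "<source text>" } }
function scanPackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
  for (const h of hooks) {
    findings.push({ rule: "lifecycle_hook", where: "package.json", match: `${h}: ${scripts[h]}` });
  }
  for (const [file, src] of Object.entries(pkg.files || {})) {
    for (const [rule, re] of Object.entries(RULES)) {
      const m = src.match(re);
      if (m) findings.push({ rule, where: file, match: m[0] });
    }
  }
  // Severity reflects the combination, not any single indicator: many legitimate packages
  // use ethers or child_process on their own.
  const hit = new Set(findings.map((f) => f.rule));
  const touchesChain = hit.has("chain_library") || hit.has("json_rpc") || hit.has("eth_address");
  let severity = "none";
  if (hooks.length > 0 && touchesChain && hit.has("child_process")) severity = "critical";
  else if (touchesChain && (hooks.length > 0 || hit.has("child_process"))) severity = "high";
  else if (findings.length > 0) severity = "low";
  return { severity, findings };
}

// Constructed sample: only the shape of the loader the article describes, no working payload.
const SUSPICIOUS_PKG = {
  manifest: { name: "colortools-lookalike", version: "0.0.1", scripts: { postinstall: "node index.js" } },
  files: {
    "index.js": [
      "const { ethers } = require('ethers');",
      "const { spawn } = require('child_process');",
      "// the target URL is read from a contract, not stored in the package",
      "const contract = new ethers.Contract('0xabababababababababababababababababababab', abi, provider);",
    ].join("\n"),
  },
};

const BENIGN_PKG = {
  manifest: { name: "tiny-upper", version: "1.0.0", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s) => String(s).toUpperCase();" },
};

console.log(JSON.stringify(scanPackage(SUSPICIOUS_PKG), null, 2));
console.log(scanPackage(BENIGN_PKG).severity); // "none"
```

The scanner is meant to run on the unpacked tarball before it is installed (for example in a registry proxy or a pre-merge check), which is where the `postinstall` hook would otherwise fire. Sourcing a target from a contract is the signal; a package that merely depends on ethers scores no higher than "low".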
GitHub smoke and mirrors: fake trading-bot repositories as cover

The npm packages did not appear in isolation. The operators stood up a network of GitHub projects posing as crypto trading-bot utilities, such as solana-trading-bot-v2, and then wired in the malicious dependency. To a casual observer these projects looked "alive", boasting thousands of commits, many watchers, stars, and maintainers.
A closer look revealed that much of the activity was scripted and superficial, including repeated license-file commits and newly created accounts with little else to them (some created around July 10 with minimal README files such as "Hello"). The usernames that surfaced form a pattern: slunfuedrac, cnaovalles, and pasttimerles appeared repeatedly across the staged projects.
The commits showed exactly where the packages were woven into the codebase, adding colortoolsv2 and later mimelib2 as dependencies in bot.ts, with the matching import visible in src/index.ts. The manufactured social proof made the dependency insertion far less conspicuous during a cursory review.
In practice, the GitHub facade amplified trust signals while the malware's real next-stage decision lived on Ethereum. By separating the social engineering (GitHub) from the control channel (the smart contract), the operators built a campaign that is hard to detect and to disrupt.
IoCs and practical steps for defenders

ReversingLabs published detailed artifact information tied to this activity, along with the key on-chain reference that drove the second stage. The following can be used to hunt, block, and validate exposure across build pipelines and developer workstations:
- npm packages: colortoolsv2 1.0.0 (SHA1 678c20775ff86b014ae8d9869ce5c41ee06b6215), 1.0.1 (1bb7b23f45ed80bce33a6b6e6bc4f99750d5a34b), 1.0.2 (db86351f938a55756061e9b1f4469ff2699e9e27)
- npm packages: mimelib2 1.0.0 (bda31e9022f5994385c26bd8a451acf0cd0b36da), 1.0.1 (c5488b605cf3e9e9ef35da407ea848cf0326fdea)
- Second stage: SHA1 021d0eef8f457eb2a9f9fb2260dd2e39ff009a21
- Smart contract used for C2 routing: 0x1f171a1b07c108eae05a5bccbe86922d66227e2b
Additional context from the timeline: colortoolsv2 was removed from npm on July 7, after which the operators moved to mimelib2 with the same on-chain reference and the same behavior.
Recommended actions for engineering and security teams include:
- flag chain lookups performed in install scripts;
- block or alert on child-process execution in package lifecycle scripts;
- deny network access during npm install in CI;
- enforce allowlists for registries and maintainers;
- pin transitive versions;
- monitor requests tied to the contract address above.
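Several of these controls can be enforced from the lockfile before anything is installed. The following is an added example, not ReversingLabs' or npm's own code, that audits a package-lock.json in the lockfile v2/v3 layout (a `packages` map keyed by node_modules path) for the package@version IoCs above, for tarballs resolved from hosts outside a registry allowlist, for entries lacking an `integrity` hash, and for packages that declare install scripts (npm records this as `hasInstallScript`). The lockfile, the host mirror.example.invalid and the integrity placeholders are constructed; the default allowlist containing only registry.npmjs.org is an assumption for the example.

```javascript
// Added example, not ReversingLabs' or npm's own code. Audits a package-lock.json
// (lockfile v2/v3 layout) against the published IoCs and three policies: registry
// allowlist, integrity present, no install scripts. The lockfile below is constructed;
// the package@version IoCs are the ones listed in the article.
const KNOWN_BAD = new Set([
  "colortoolsv2@1.0.0", "colortoolsv2@1.0.1", "colortoolsv2@1.0.2",
  "mimelib2@1.0.0", "mimelib2@1.0.1",
]);
const DEFAULT_REGISTRIES = new Set(["registry.npmjs.org"]); // assumption: public registry only

// Returns one violation object per failed check: { rule, path, detail }.
function auditLockfile(lock, allowedRegistries = DEFAULT_REGISTRIES) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const id = `${name}@${entry.version}`;
    if (KNOWN_BAD.has(id)) violations.push({ rule: "known_bad_package", path, detail: id });
    if (entry.resolved) {
      let host = "";
      try { host = new URL(entry.resolved).hostname; } catch { /* unparsable URL stays empty */ }
      if (!allowedRegistries.has(host)) {
        violations.push({ rule: "registry_not_allowed", path, detail: entry.resolved });
      }
    }
    if (!entry.integrity) violations.push({ rule: "missing_integrity", path, detail: id });
    if (entry.hasInstallScript) violations.push({ rule: "install_script", path, detail: id });
  }
  return violations;
}

// Constructed lockfile: one IoC package with an install script, one clean package,
// one package pulled from a non-allowlisted mirror without an integrity hash.
const SAMPLE_LOCK = {
  name: "trading-bot-demo",
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-bot-demo", version: "0.0.1" },
    "node_modules/colortoolsv2": {
      version: "1.0.1",
      resolved: "https://registry.npmjs.org/colortoolsv2/-/colortoolsv2-1.0.1.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
      hasInstallScript: true,
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/mirror-dep": {
      version: "2.0.0",
      resolved: "https://mirror.example.invalid/mirror-dep-2.0.0.tgz",
    },
  },
};

for (const v of auditLockfile(SAMPLE_LOCK)) console.log(`${v.rule}\t${v.path}\t${v.detail}`);
```

Run as a gate before `npm ci`; pairing it with `npm ci --ignore-scripts` (or `ignore-scripts=true` in the project's `.npmrc`) covers the lifecycle-script item even for packages the audit has not seen. On the constructed lockfile the audit reports four violations: the IoC match and the install script on colortoolsv2, and the foreign host plus the missing integrity hash on mirror-dep.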
More broadly, treat repository popularity metrics as untrusted signals. Trust should come from the code, the artifacts, and the network indicators, not from star counts, commit volume, or the appearance of many "maintainers". Independent verification, including static analysis, sandboxed execution, and SBOM-driven provenance checks, remains essential.
What this campaign shows is not a flaw in Ethereum, npm, or GitHub specifically, but how public infrastructure can be stitched into a covert chain. By shifting C2 retrieval to a smart contract and laundering trust through GitHub, the actors stretched conventional detection past its usual patterns. Careful dependency hygiene and layered controls are the counterweight.