Npm Trojan Bypasses UAC, Installs AnyDesk with “Oscompatible” Package

A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.

The package, named “oscompatible,” was published on January 9, 2024, attracting a total of 380 downloads before it was taken down.

oscompatible included a “few strange binaries,” according to software supply chain security firm Phylum, including a single executable file, a dynamic-link library (DLL) and an encrypted DAT file, alongside a JavaScript file.

This JavaScript file (“index.js”) executes an “autorun.bat” batch script but only after running a compatibility check to determine if the target machine runs on Microsoft Windows.

If the platform is not Windows, it displays an error message to the user, stating the script is running on Linux or an unrecognized operating system, urging them to run it on “Windows Server OS.”

The batch script, for its part, verifies if it has admin privileges, and if not, runs a legitimate Microsoft Edge component called “cookie_exporter.exe” via a PowerShell command.

Attempting to run the binary will trigger a User Account Control (UAC) prompt asking the target to execute it with administrator credentials.

In doing so, the threat actor carries out the next stage of the attack by running the DLL (“msedge.dll”) by taking advantage of a technique called DLL search order hijacking.

The trojanized version of the library is designed to decrypt the DAT file (“msedge.dat”) and launch another DLL called “msedgedat.dll,” which, in turn, establishes connections with an actor-controlled domain named “kdark1[.]com” to retrieve a ZIP archive.

The ZIP file comes fitted with the AnyDesk remote desktop software as well as a remote access trojan (“verify.dll”) that’s capable of fetching instructions from a command-and-control (C2) server via WebSockets and gathering sensitive information from the host.

It also “installs Chrome extensions to Secure Preferences, configures AnyDesk, hides the screen, and disables shutting down Windows, [and] captures keyboard and mouse events,” Phylum said.

While “oscompatible” appears to be the only npm module employed as part of the campaign, the development is once again a sign that threat actors are increasingly targeting open-source software (OSS) ecosystems for supply chain attacks.

“From the binary side, the process of decrypting data, using a revoked certificate for signing, pulling other files from remote sources, and attempting to disguise itself as a standard Windows update process all along the way is relatively sophisticated compared to what we normally see in OSS ecosystems,” the company said.

The disclosure comes as cloud security firm Aqua revealed that 21.2% of the top 50,000 most downloaded npm packages are deprecated, exposing users to security risks. In other words, the deprecated packages are downloaded an estimated 2.1 billion times weekly.

This includes archived and deleted GitHub repositories associated with the packages as well as those that are maintained without a visible repository, commit history, and issue tracking.

“This situation becomes critical when maintainers, instead of addressing security flaws with patches or CVE assignments, opt to deprecate affected packages,” security researchers Ilay Goldman and Yakir Kadkoda said.

“What makes this particularly concerning is that, at times, these maintainers do not officially mark the package as deprecated on npm, leaving a security gap for users who may remain unaware of potential threats.”