An Expedition To Planet Malware - Anthony Fielding

Good morning, Newcastle. It's really good to be here. Hello, friends. Um, so couple points. Firstly, if you find this is not as exciting as you thought, you're welcome to go to the other track. I won't be offended. Uh, feel free to do that. Um, I had hoped to make a bit interactive. Uh, and so let's do that. You know, why not? So, I'd like to play a little game with you all right now. So firstly, we're going to play the little fish game. And every now and then, the fish will jump up. And when it does, I'd like all to just do a single clap. Right. Okay, let's play. Ready? Very good. Okay, let's go in.

Okay, that was rush. Okay, let's play a different game. Okay. So, if you've ever put your sock on the wrong way round inside out, please raise your hand. Okay. I'd like you now to keep your hand raised for the duration of this talk. Ladies, we are going to the Citadel of MPM where it's okay. I'm joking. You can you can bring it down. Thank you. I appreciate your dedication. Where where we are going to crush land. Yeah, there are other ecosystems out there, but I've got so much material. I just thought we'd just kind of bum into MPM today. So, all the backgrounds are AI generated pixel art for the win. Uh, and so I'm

going to have a little bit of a look around. What do we find here? Uh, obviously this wonderful server rack. Uh, this comes up onto our huristics for high entropy. I scratch my head and okay, what is this? What could this be? Uh, well, it turns out, okay, well, there's no information on MPM here. There's a no read me. Uh, it turns out somebody is using MPM as like an S3 object storage. Um, pulling all sorts of random blobs of data in every single day. Loads of commits, loads of packages, loads of stuff. Some tells me that this is a VPN provider. I'm not quite sure, but I'd love to know what that data is. Um, so

as well as malware, which this isn't, we come across all sorts of fun and exciting things. But yeah, I wouldn't have thought of using mpm as object storage, but there you go. Okay. Uh, here's a piece of code. Uh, fortunately for you all today, it's JavaScript, which is quite readable. And I think this is why we see a lot of um activity in the MPM ecosystem. um because it's quite accessible. Anybody can code in this technology. But also, if you think about it, it doesn't matter what your back end is, whether that's Java, .NET, Rust, whatever. Your front end is very likely to be using Node.js or front end technologies like React, Angular, etc. And so because of that, we

see so much stuff in this world. So here we've got some code. It says it's harmless. Okay. Um, it's dropping some host information to a file. Uh, it's using a variable called proof files. Anybody done RCP much? Yeah. No. And then this get stealth path. So that's about as far as I got when I was looking into this. And I said, you know what? That's that's malicious enough. Real researchers would dig in a bit further and find out what it's actually doing and how it's activated. But we come across all kinds of scopes of stuff really from nation state to junk to this guy. Okay. So what is this? This is package JSON file which is actually the

manifest. I should pay attention to the time 5 minutes in. Okay. Yeah. This is manifest uh data for a new get package or JavaScript package. And these these um manifests have an ability to run scripts when you install them. So, if you were to go and acquire yourself the blockchain recover package, uh you'd be in for a nasty shock because it's going to output an alarming message on your console saying that your Bitcoin fund have been locked. Um it's not really doing anything really bad computationally, but it's a little bit frightening if you were to see that it's unwanted. So, we would say that's malware. see the whole gamut of stuff from naughty programs to

just really awful junk to like I say some really fancy stuff. Um but I wanted to show you this to talk about these pre-installed scripts because the thing about npm ecosystem is it is it is absolutely uh he there's just so much activity. Somebody built a left pad uh package before they realized that it was actually part of the language. Um, and it really is one of these kinds of XKCD kind of scenarios where all the stuff is built upon these dependencies and if any one of them breaks or or gets removed or gets checked with malware like for example here if we put some malware in here then we could potentially attack all of this stuff.

If you were to go and try and install something like uh React uh today uh you might use something like light to do that and then when you when you do this to get your start object you'll find that it's going to drop about 230 odd of these packages on your file system 92 max uh which was about 196 of these package manif files of which one of them happened to execute which was ESU um talk a little bit more about that in bit. But yeah, you know, you just try and do a little thing in this eos system and you're having to pull a lot down and with that you're pulling in a lot of

risk because if any one of those 235 packages was compromised, you could be in for some fun. Um, now here's the thing about mpm. When you install stuff with mpmi, uh, it doesn't actually output all the things that you would expect. So here I've got an example package where I've got uh I've got a package called A that depends on B and B has a uh an install script. U you wouldn't see that in the output when you install A unless you enable this foreground scripts. So there's my first piece of advice. If you are dealing with uh an environment where you're dealing with Node.js, I would definitely set this foreground script uh attri argument on uh because that's going to

help with logging uh should should that be useful if if you do find yourself in a compromised situation. Okay. What have we got here? Yeah. Okay. So, this kind of thing is see all the time every day. Uh here is a an object containing some useful information. uh including entire directory list of your C drive, your hard drive, whatever. And then they are sending that off to RT11.ml. Uh can't remember what that is now. I did know at one point. Um uh but you're okay. Yeah. So long as your machine is one of these. If if you're Lily PC, anybody Lily PC, you're fine. So make sure your computer is called Lily PC. have a Russian keyboard

installed, you'll probably be okay. Um, this is very standard. See, there I see about 20 of these a day. And actually, we're finding this stuff um and protecting our customers uh from it. Um sometimes weeks, months before MPM would get round taking them down. A little bit more about it later. Uh so yeah, you get this quite a lot. This is quite your kind of standard level stuff, data excfiltration. Okay, this is a good one. So, where's malware here? Um, okay, we've got some node binary that's been used. Um, but what if I told you this file is actually 12K, right? What's going on there? That doesn't look like 12K to me. It's this pipe. If we were to select this pipe,

that's 4,000 non-printing characters. Nice. Which when you extract decode is this obuscated JavaScript payload base 64 there. Eventually, this becomes a Google calendar invite link. And you can imagine where that leads to. That's not what we want. Okay. So, this is a funky one we saw a couple months ago. Actually, when I when it first joined, we just found this. This was pretty cool. I looked at this and scratched my head and I thought, okay, well, what can you make of this? Tried to join some dots together. Uh but then somebody smarter than me said well this is just JavaScript destructuring of course JavaScript destructuring destructuring it's still okay uh is is when you take an object and you

essentially assign the the left hand from the right so when you two string an empty object you get object object and all I'm doing here is I'm saying okay take the first index uh which is L because the zeroth object is a square a bit of going on there get it Now we go. Uh anyway, I'm pulling out the F and the M which are at the position of the O and the O to uh Ooh, it's Halloween just around the corner. But that's object destructuring. So that's what they've done. But the thing is, oh no, don't go do that. The thing is you got to ask yourself, well that isn't necessarily malware. People love

to do obuscation but also npm is open to all sorts of of people hobbyists fun this could be somebody's side project but anyway somebody picked it apart and what we found 12 layers of obusation lots of binaries a lot of technologies here right so um downloading binaries from firewall tell uh some powershell to disable some stuff in window defender some nets all that to proper a pulsar rat. Now, I should only hope and I didn't quite take this out, but I should hope that the the defender exclusions were for otherwise that's absolutely terrible execution. Like all this work, 12 layers of of onion shells to unpeel just to drop PS. Okay, that's selfie malicious. You don't

want that. We did a write up on this on our web page there. So, you may have seen in recent news uh about this supply chain attack. Hands up. You've kind of Yeah. Okay, cool. Well, I thought we going to go into that. I had other stuff to talk about, but this perhaps a bit more pressing. Thank you. Yeah, quicks. So, Josh, uh Josh is an open source um contributor. He's got a number of repositories, pilot packages. Um a Josh, he got this email, right? Some ongoing security thing update to FA. Can we can we click that? Yeah, he got pawned. Oh dear. Now, the thing about Josh getting pawned was that he maintains this package. Anybody

familiar with this? One single person, right? Okay. Well, I I use it and it's a couple versions out. I think I don't think I got it. uh but for those in the ecosystem that do use JavaScript chalk is really popular to do console colors because obviously whenever you do any kind of application these days you need that amazing as the color all of that first and foremost any kind of console application yeah this is a big deal cuz chalk is used by a lot of people um a uh security did a good write up on this they're the ones that found it we found uh rap anci I think uh about the same time they did I wasn't some quick

to the blog posts on that one. Um, but here's what happened to Josh. He had a stressful week. This fishing could happen to everybody, right? We we get busy. We're human. But fortunately for us, and thank you to Josh, he was very quick to respond to this. And the internet pretty much shut this attack down within 2 hours. What it was was an interesting attack that put a payload in um in the in in in the um it was it was designed not to execute installation, but when it's used, it tries to hijack the browser in order to steal crypto. It's targeting users that visit infected sites. Quite interesting. Um quite complex. It may be uh maybe a

bit of a problem there. But it wasn't just Josh that got compromised. DuctTB and other popular uh repositories for compromised loads of packages. Um where's they say that most organizations out there use this stuff. Uh they have 2 billion downloads. Um so the biggest supply chain attack in history uh well not according to VX underground. They didn't make a lot of money. They only took I think a a grand um perhaps because of the complex chain of all the things that we have to align for them to steal your crypto. Right? You have to have crypto have an extension in your browser to browse to one of these sites just so happened to have been

Yeah. Okay. Cool. Unicorn NX recently got compromised as well. So this going back a couple more weeks. It got compromised and uh what happened here was an LLM prompt injection type attack. So, someone jacked this up after compromising the account with some malware that asks your locally installed LM to excfiltrate any secrets you might have. Put them in the local file. How handy is that, right? LL assisted attacking. That was novel. That was fun. Um um and of course they're turning off these safeties as well to do that. Um, and then they do this little tricky bit as well where they say, "Well, okay, maybe we've got these secrets now. Let's just drop this little shutdown in your

RC. See, just a little bit of a Terry on top." Um, but thing is this came back last, didn't it? And so were quick to to pick up on this because the same threat actor that did that decided, "Ha, here's what we'll do. We'll take out the LLM bit and we'll put truffle hog in which is an open source secret scanning tool." They put that in, they compressed down and called it bundle.js. Nice. Um, but yeah, shut that down. Uh, but here's the thing. They also turned into a worm. Um, and what they did, according to this screenshot from Aikido, uh, is they they basically, um, made the malware look for any of the packages

that the person owns and to just increment the vision and to just put this bundle.js in there. But it also does this wonderful thing where when it republishes it, it creates a funky zip where we have multiple files, multiple identical file names, but with different contents. And this caused me a lot of pain cuz we weren't prepared for that. Um, so there were loads of bundle.js files. The first one happened to be benign and so it didn't immediately flag for me. Uh, but the other ones were. Um, but yeah, we learned quickly. But that was lovely. Thank you for that. Um, I don't quite know what output of that is because this is stealing secrets

rather than crypto. If it was crypto, we could maybe trace the wallets. Stealing secrets, maybe something will come out the back. One thing I can tell you is that this is definitely going to be more popular now, right? These kinds of attacks. So, widespread account compromise, uh, widespread u wormification. I already saw just the other day somebody was trying to create their own worm. It was definitely a copycat cuz all this was obisicated. Uh so someone's trying to create their own. Uh yesterday uh we were seeing that people are trying some Python registry. So Python account compromise 2FA type email fishing type thing on there. So all the ecosystems are facing this. It's just this is the

easiest one to target. The entry level is so low. So I tell npm about some of this and they make me fill out form and prove that I'm a human. And I say to them, npm, have you got easier way for people that find this stuff every day? And they're like, yeah, no. Um, I find so much stuff. I don't tell nm all of it because it's just dayto-day. Uh, I'd like to, but I'm going to fill that in or I wouldn't be able to do the other stuff. So, yeah, that's mpm ecosystem. So, yeah, these post install hooks are a problem. I should probably speed up a little bit. Most of the time we see

people uh using that as a way to uh attack people. Uh but generally speaking when it isn't malicious all people using these posted hooks are are using them for are for logging. Very rarely do we actually see anything useful being done. Typically people would download a binary from some random website which is annoying and frustrating. Um but I think in the main um that is kind of where a lot of this kind of stuff happens. I see all sorts. I see all manner of reverse shells from the most basic to some really fancy ones including a reverse shell as a service. Uh and such fun. Yeah. So takeways. What can we do? I got to give you something

if I made you sit through all this. Uh what can we take from this? Thank you.

Um, if you have to use mpm, let's put ignore scripts on and for scripts. Now, put ignore scripts on. If you remember that ES build thing will probably fail cuz ES build is a Golang binary and ES build wanted to go and acquire that binary to do its thing. But hey, I think if you're in an enterprise, um, it's not a bad idea to just slap that on. And if something fails to build or fails to work, maybe on a case by case basis, we could say, right, maybe we'll take that off or we'll find a ways. Okay, you need this dependency. Maybe we'll brew install. Maybe we'll curl install a different way, but that's not bad going.

Um, you can also put these things in a npmrc file. Ignore scripts. That's probably good. Um, but you also use PMP. I just found out about this. By default, PMP will not execute scripts. And it has this really cool feature that they recently added to say minimum release age. Uh, it's 2 days because you see the lif span of malware is a single day. We see it. We shut it down. All that in the space of a day. There's other campaigns. You saw these huge worms. We globally, I say we, the community, the industry, the people. Thanks Josh. We all that down within 2 hours. Yeah. Um, so if you if you hold off getting latest versions for

days, I think that's not bad going. Always use a V, especially if you're doing a job interview. We've been tracking a North Korean uh campaign where they are targeting people with crypto uh and doing job interviews. So as part of job interview, you have to do a cutter, you have to do a test, you've got to do some stuff and then this logging, it's always a log, this logging library will go and steal all your Salana user VM. You do manual code reviews, but if you can imagine, you know, we saw thousands, not thousands, we saw 100 packages just for one single thing you would pull in. Now, no one's going to just go live with one single

template default or maybe they would with like react. You're going to put other stuff in like left, right? Um, but yeah, you could nearly review these. Um, look for exec calls. Exec is like the thing that keeps me in the job these days. And there's install hooks. Um, you could have me do it. Verode does have a product, a package. Well, other vendors are producing these as well. Uh this isn't a sales bit. There are solutions available. Um Akido has something called think safe chain which is an open source thing. Um I wanted to leave some career advice which is good. I think we've got time AI generated love. So how did I get here? Um I said to my boss I said hey I

need a change. And then he said well what do you want to do? And I said I'm really interested in malware. And he's like what do you mean mware? I said malware reversing. Oh right okay cool. No problem. good. Um, and Varacode have recently acquired a topnot company called Phylm who are really cool. Um, and I said, I'm interested in what they're doing. And he said, why don't you reach out? And I said, no. I said, no, Bill, because they said that they've got enough people. And he said, I should. So, I did. And they were really excited that I was interested in what they were doing. Um, so much so that they said, hey, if you

if you want to do this, go for it. And so we got set up so that I could do this during my lunch break. So I'm helping them, right? So that happened for a month and then there was a reorganization of sorts and then naturally slide in. So my career advice for you is to do a little bit of the sliding in. Right? Everybody wants to be on the red team, but you're not getting on the red team because it's coveted, right? But the way to get in there is by supporting the red team, by making relationships, by talking to people, by building tools, not to the extent where you're breaking your back over it, but

so that when people have the conversations will be the next candidate, that your name comes up. Maybe relationships are where it's all at. Which is why events like this, this conference today is a great opportunity for you to talk to the vendors, uh to talk to different people, people you didn't come here with today, and make those relationships, have those conversations cuz you never know where these take you because that's kind of been my journey. Uh, and I think I'll leave it there. Thank you. Any questions?

>> That's enough. >> Oh, y did you catch all the bad?

>> Yeah, it has been recorded, right? Okay, cool. All right. Okay. Um did okay so the question was uh did we catch all that stuff yes and no. So where I am uh we have all these tools that kind of mark the malware different classifiers. Yeah. High entropy. Yeah. Uh uses exact calls. Yeah. Has a history of naughtiness. Um um and so I manually reviewed a lot. It's just constant coming in and I'm reviewing it. My team were reviewing it. And what happened with that last malware with that jacked up uh G gzip file was we didn't actually see that ourselves. I'm not going to lie, didn't because when we looked at the zip, we looked at

the first file which was benign. Um but then another security company found it and like oh yeah uh because it didn't come onto my radar because the only packages that I review are those that have sufficient dirtiness about them. I'm not going to review absolutely every single package that is pushed out there. There's just too many because I have to cover other ecosystems as well. But yeah, I kind of kick myself that kind of missed that particular one. But as soon as we got wind of it because I have lots threat in our feeds. Uh we shut that right down. Uh and now we're looking for it every day. So we learn something bad, build a little shape

detector and push that out and protect our customers. So, not not as quick to respond to that one as I would like. But with leathers, as soon as you drop them, as soon as you drop a new violin, I'm seeing you. I see a lot of people, they try and do like um aging type things and they'll try something and undo it and they'll put something in it. But it doesn't matter how long you live, I'm going to find it and shut that down. And for me to do what I do here, I don't need to see dirtiness per se. I just ask a simple question. Do our customers want this in their enterprise? Yes. No. It's quite straightforward for

that. Um, but yeah, hopefully that answers the question. Thank you.

>> So, I'm still confused with the size of the pipe character in the file. >> Oh, yeah. >> So, why was that pipe so big? >> Yeah. Yeah, you know, I thought I thought that as well. Uh, >> so you missed something there. >> No, no, you didn't. >> How do you embed that much code in the still character in a script? >> Good question. >> So, I'm not going to lie, but when I when I came to make this screenshot, I couldn't quite work out how I'd selected a single character, you know, like shift right? I actually don't know how that happened there. I'm a little bit confused. Um but if you but this is UTFA encoded and what

what's what's actually happening between the two string labels there is is that there are uh non-printing unic code characters. So if I change the file format uh from UTF8 to uh something else can't quite remember what it was. I tried to figure that out through but if if I were to copy that past it in my console I'd see all of this uh but don't want to do that on my console and potentially invest. But yeah, um if you if you change file encoding then what you would see is uh uh something um not quite like this. This is the second step after. >> Okay. >> But yeah, um drop um drop drop me an

email and I'll I'll reply in a bit more details with the specifics of >> you have the non-printing unic code. I need to go to the rabbit hole. >> Sorry. >> I need to learn rabbit hole. Non-printing unic code. Uh yeah, I start to look file sizes now these days. It is a bit of a rabbit hole. Uh but we have huristics uh now for that. I'm just going to get to the end slide. Thank you. Thank you. >> Yeah. So we see something like like with the KJI. So we plum in a KI detector. We see the non-printing. So we plum in a non-printing. It's just a mouse. There's always going to be another thing.

Another thing. Okay. Cool beans. I think we'll do it there. Thank you so much everybody for coming. Hope you all have a really good conference.