Threat Intelligence, Supply chain, Malware

Malicious PHP packages deliver cross-platform RAT


Per The Hacker News, cybersecurity researchers have identified malicious PHP packages on the Packagist registry that are disguised as Laravel utilities. These packages are designed to install a cross-platform remote access trojan (RAT) capable of operating on Windows, macOS, and Linux systems.

The malicious packages, including "nhattuanbl/lara-helper" and "nhattuanbl/simple-queue," contain obfuscated PHP code that connects to a command and control (C2) server at helper.leuleu[.]net:2096. Once connected, the RAT sends system reconnaissance data and awaits commands to perform actions such as executing shell commands, capturing screenshots, and downloading or uploading files. The "nhattuanbl/lara-swagger" package acts as a conduit, listing "nhattuanbl/lara-helper" as a dependency, thereby triggering the RAT's installation. The RAT is designed to bypass common PHP hardening configurations by probing and utilizing available shell execution functions.

Developers are advised to assume compromise if these packages were installed, remove them immediately, rotate all sensitive credentials, and audit outbound network traffic. The threat actor also published seemingly clean packages to build trust, underscoring the need for rigorous vetting of third-party dependencies to prevent unauthorized remote access and data breaches.
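As an added triage example (not code from the article or from The Hacker News), the helpers below apply two of the steps above to constructed inputs: they walk a composer.lock to find the named packages and whatever pulls them in, and filter outbound-connection log lines for the reported C2 endpoint; the lock-file contents and log line format are assumptions.

```python
"""Added triage helpers for the Packagist RAT campaign described above.
Package names and the C2 host:port are from the article; the composer.lock
sample and the log line format are constructed for this example."""
import json

# Indicators from the article (defanged form written as a plain string).
MALICIOUS_PACKAGES = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue"}
C2_HOST, C2_PORT = "helper.leuleu.net", 2096


def find_compromised(lock_json: str) -> dict:
    """Return {malicious package: [packages that require it]} for each
    malicious package present in a composer.lock. Both 'packages' and
    'packages-dev' are checked, so a conduit such as nhattuanbl/lara-swagger
    appears as the dependent that pulled the RAT in."""
    lock = json.loads(lock_json)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    installed = {p["name"]: set(p.get("require", {})) for p in entries}
    hits = {}
    for name in installed:
        if name in MALICIOUS_PACKAGES:
            hits[name] = sorted(d for d, reqs in installed.items() if name in reqs)
    return hits


def flag_c2_connections(log_lines) -> list:
    """Return the log lines whose destination is exactly the C2 host and port.
    Assumed (constructed) line shape: '<timestamp> <src> -> <dst_host>:<dst_port>'."""
    flagged = []
    for line in log_lines:
        dst = line.rsplit("->", 1)[-1].strip()
        host, _, port = dst.rpartition(":")
        if host == C2_HOST and port.isdigit() and int(port) == C2_PORT:
            flagged.append(line)
    return flagged


# Constructed composer.lock: a clean framework, the conduit, and the RAT package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "require": {"php": "^8.1"}},
        {"name": "nhattuanbl/lara-swagger", "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "require": {"php": ">=7.4"}},
    ],
    "packages-dev": [],
})

# Constructed outbound-connection log lines.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z 10.0.0.5 -> helper.leuleu.net:2096",
    "2024-01-01T00:00:02Z 10.0.0.5 -> packagist.org:443",
    "2024-01-01T00:00:03Z 10.0.0.5 -> helper.leuleu.net:443",
]

if __name__ == "__main__":
    print(find_compromised(SAMPLE_LOCK))
    print(flag_c2_connections(SAMPLE_LOG))
```

Run against a real composer.lock and firewall or proxy export, a non-empty result from either function is the signal to treat the host as compromised and start credential rotation.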

Source: The Hacker News
