Malware, Security Operations, Supply chain, DevOps

New cyberattack hides malware in images on npm

(Credit: Araki Illustrations – stock.adobe.com)

Based on information from HackRead, a novel cyberattack has been identified that leverages ordinary image files to conceal malicious software, posing a significant threat to software developers and their systems.

Security researchers at Veracode Threat Research discovered a malicious package named "buildrunner-dev" on npm. This package employed a typosquatting technique, mimicking a legitimate tool to trick users into downloading it. Upon installation, it executes a script that downloads a large, obfuscated batch file designed to evade security scanners. This file contains numerous lines of seemingly random text, with only a few actual commands. The malware is sophisticated, checking for and attempting to bypass antivirus software from vendors like ESET and Malwarebytes.

It uses techniques such as process hollowing and copies itself to a hidden folder, often utilizing the "fodhelper.exe" tool to bypass user permission prompts. The most striking aspect is the use of steganography, hiding the core virus within a PNG image file by embedding malicious code in the pixel data. This ultimately deploys Pulsar RAT, a remote access trojan, giving attackers full control over the compromised computer.

Source: HackRead

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds