A recent security threat has surfaced in the software community, originating from a malicious NPM package called ‘duer-js’. Posing as a legitimate tool, the package put Windows users and developers who installed it at risk by delivering malware.
The ‘duer-js’ package, uploaded by the user ‘luizaearlyx’, was crafted to mimic a typical console visibility application. Despite having only 528 downloads, experts caution that its advanced techniques put anyone who has installed it at significant risk.
The Threat Behind ‘Bada Stealer’
What sets this malware apart is its sophisticated, multi-layered attack process. Once installed, ‘Bada Stealer’ not only extracts data but also deploys a second malicious payload that specifically targets Discord users.
This secondary payload infiltrates the Discord desktop application, embedding itself in the app’s startup process so that it covertly captures sensitive data whenever Discord runs. This includes payment information and authentication tokens; because a stolen token represents an already-authenticated session, it lets the attacker bypass two-factor authentication.
In-Depth Analysis by Security Researchers
Security analysts from JFrog have analysed the inner workings of ‘duer-js’, documenting its layered obfuscation. They found that simply uninstalling the package does not eradicate the threat, because the malware uses persistence mechanisms that survive basic removal attempts.
The malware first terminates running browser and Telegram processes to gain access to files those applications would otherwise keep locked. It then systematically scans applications for valuable data, targeting Discord tokens, Nitro subscriptions, billing data, and more.
Data Exfiltration Techniques
‘Bada Stealer’ meticulously extracts passwords from major browsers such as Chrome, Edge, and Brave by decrypting them through the Windows Data Protection API. It also collects cookies and autofill information, including credit card details, before encryption.
Particularly concerning is its focus on cryptocurrency wallets, seeking out Exodus and browser-extension wallets like MetaMask. Even Steam users are at risk, as the malware compresses and transfers Steam configuration files.
Data is exfiltrated using a Discord webhook and Gofile cloud storage, ensuring attackers receive the stolen information even if one method fails. The malware generates text files with sensitive data, which are then uploaded to these channels.
Steps for Mitigation and Protection
For those who have installed the ‘duer-js’ package, immediate action is crucial. Begin by closing Discord completely and uninstalling it via Windows Settings or Control Panel. Then navigate to ‘%LOCALAPPDATA%’ and delete all Discord-related folders to remove the injected malicious code.
Reinstall Discord from its official site, remove ‘node.exe’ files from the Windows Startup folder, and change all browser-stored passwords. Revoke Discord tokens, enable two-factor authentication, and scrutinize Discord payment methods for unauthorized changes. Verify cryptocurrency wallets and Steam accounts for unusual activity to ensure complete eradication of the malware and protect your systems from future threats.
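The scriptable parts of this clean-up (stopping Discord, removing its folders under %LOCALAPPDATA%, and removing node.exe files from the Startup folders), as an added PowerShell helper written for this page rather than code from JFrog or the package’s author. It assumes Discord’s data folders are named Discord* under %LOCALAPPDATA% and checks both the per-user and the all-users Startup folders.

```powershell
# Added triage/remediation helper for the 'duer-js' / Bada Stealer clean-up steps above.
# Example code written for this page, not JFrog's or npm's tooling.
# Assumptions: Discord's data lives in %LOCALAPPDATA%\Discord* (Discord, DiscordCanary,
# DiscordPTB); persistence is a node*.exe dropped in a Startup folder.
# Run without -Remove to only report findings; re-run with -Remove to delete them.
param(
    [switch]$Remove
)

$findings = @()

# 1. Discord must be fully stopped before its folders can be deleted.
$discordProcs = Get-Process -Name 'Discord*' -ErrorAction SilentlyContinue
foreach ($p in $discordProcs) {
    $findings += [pscustomobject]@{ Kind = 'Process'; Path = "$($p.ProcessName) (PID $($p.Id))" }
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Discord-related folders under %LOCALAPPDATA% hold the injected startup code.
$discordDirs = Get-ChildItem -Path $env:LOCALAPPDATA -Directory -Filter 'Discord*' -ErrorAction SilentlyContinue
foreach ($d in $discordDirs) {
    $findings += [pscustomobject]@{ Kind = 'Folder'; Path = $d.FullName }
    if ($Remove) { Remove-Item -LiteralPath $d.FullName -Recurse -Force }
}

# 3. node.exe copies planted in a Startup folder give the stealer persistence across reboots.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
foreach ($dir in $startupDirs) {
    $nodeFiles = Get-ChildItem -Path $dir -File -Filter 'node*.exe' -ErrorAction SilentlyContinue
    foreach ($f in $nodeFiles) {
        $findings += [pscustomobject]@{ Kind = 'StartupFile'; Path = $f.FullName }
        if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Discord processes, Discord folders, or node.exe Startup entries found.'
} else {
    $findings | Format-Table -AutoSize
    if (-not $Remove) { Write-Host 'Re-run with -Remove to delete the items listed above.' }
}
```

Uninstalling and reinstalling Discord, changing browser passwords, revoking tokens, and reviewing wallets and Steam accounts remain manual steps that this script does not replace.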
