Cybersecurity experts have uncovered fake PHP packages on the Packagist platform, disguised as Laravel tools, that are delivering a cross-platform remote access trojan (RAT) affecting Windows, macOS, and Linux devices. These packages, identified by researchers, pose significant security threats to users.
Identified Malicious Packages
The suspicious packages, named nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger, have been flagged due to their malicious intent. Despite their harmful nature, they remain accessible on the PHP package registry and have recorded several downloads.
Researchers at Socket found that nhattuanbl/lara-swagger indirectly spreads malware by listing nhattuanbl/lara-helper as a dependency. This association leads to the installation of a RAT on the host system, presenting a critical security risk.
Technical Analysis of the Threat
The malicious packages ship a PHP file, src/helper.php, that uses layered obfuscation to evade static analysis: domain names and file paths are stored in encoded form and identifiers are randomized, which complicates detection.
Once activated, the payload connects to a command-and-control (C2) server at helper.leuleu[.]net:2096, transmitting system data and awaiting further instructions. The communication utilizes TCP connections through PHP’s stream_socket_client() function.
Potential Impact and Recommendations
The RAT enables commands like ping, info, cmd, powershell, run, screenshot, download, and upload, providing comprehensive remote control over the host system. Its resilience to typical PHP security measures makes it particularly concerning.
Although the C2 server is currently inactive, the RAT is programmed to attempt reconnection every 15 seconds. Users who have installed these packages should consider their systems compromised, remove the packages, change all accessible secrets, and audit network traffic for connections to the C2 address.
In addition to the harmful packages, the threat actors have also released other seemingly benign libraries to gain user trust. These include nhattuanbl/lara-media, nhattuanbl/snooze, and nhattuanbl/syslog. Users are urged to remain vigilant and cautious when installing any packages.
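To turn the package names above into a dependency audit, here is an added example (not from the Socket report or the affected project) that parses a Composer lock file. It flags the three malicious packages directly, flags any package whose own `require` map pulls one of them in (the lara-swagger to lara-helper path), and lists the other nhattuanbl packages for review; the sample lock file is constructed for illustration.

```python
import json

# Packages the report identifies as malicious (indicator set to match on).
MALICIOUS = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}
# Same publisher, reported as benign-looking trust-builders: surface for review only.
SUSPECT = {"nhattuanbl/lara-media", "nhattuanbl/snooze", "nhattuanbl/syslog"}


def audit_lock(lock_text: str) -> dict:
    """Audit a composer.lock document (JSON text) against the indicator sets.

    Returns {'malicious': [names], 'pulls_in_malicious': [(name, [deps])],
    'review': [names]}. Both 'packages' and 'packages-dev' are walked, and a
    package is reported under 'pulls_in_malicious' when its 'require' map
    names a malicious package, which catches the transitive install path.
    """
    lock = json.loads(lock_text)
    result = {"malicious": [], "pulls_in_malicious": [], "review": []}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "").lower()
            bad_deps = sorted({d.lower() for d in pkg.get("require", {})} & MALICIOUS)
            if name in MALICIOUS:
                result["malicious"].append(name)
            elif name in SUSPECT:
                result["review"].append(name)
            if bad_deps:
                result["pulls_in_malicious"].append((name, bad_deps))
    return result


# Constructed sample lock file (not from any real project) showing the transitive case.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0", "require": {"php": "^8.2"}},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0",
         "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0", "require": {}},
    ],
    "packages-dev": [{"name": "nhattuanbl/snooze", "version": "1.0.0", "require": {}}],
})

if __name__ == "__main__":
    for key, hits in audit_lock(SAMPLE_LOCK).items():
        print(f"{key}: {hits}")
```

Run it against a real lock file with `audit_lock(open("composer.lock").read())`; any hit under `malicious` or `pulls_in_malicious` should trigger the compromise response described above.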
In conclusion, any Laravel application that has incorporated lara-helper or simple-queue faces a persistent security threat, with the potential for unauthorized access and data exposure. It is imperative for users to take immediate action to secure their systems and prevent further compromise.
