Malicious PNG Images Used to Distribute Pulsar RAT via NPM Supply Chain Attack


Researchers Uncover Sophisticated NPM Supply Chain Attack Concealing Pulsar RAT in PNG Images

A recent discovery by Veracode Threat Research has shed light on a cyberattack that disguises malware as an innocuous image in order to slip past Windows security controls and antivirus products. The attack, delivered through a malicious package on the popular NPM registry, chains typosquatting, steganography, and process hollowing to deploy the Pulsar Remote Access Trojan (RAT).

The Malicious Package

The malicious package, named “buildrunner-dev,” was designed to pass as legitimate software, exploiting the trust that developers place in NPM. By choosing a name close to that of a real, safe tool called “buildrunner,” the attackers counted on typos or mistaken identity to get the package installed. Once installed, the package runs a script that looks harmless at a glance: it is padded with large amounts of irrelevant text and contains only 21 actual commands.
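The lookalike name is the first thing a reviewer can check before a package ever runs. The following Python script is an added example, not Veracode's tooling or anything shipped by the buildrunner project: it scans a package.json for dependency names that are a small edit away from a well-known package, or that consist of a well-known name plus a short suffix (the “buildrunner-dev” pattern). The popular-package list, the allow-list and the sample manifest are constructed for the demo; only “buildrunner” comes from the article.

```python
"""Flag npm dependency names that look like typosquats of popular packages.

Added example for illustration; not Veracode's or the buildrunner project's code.
POPULAR and ALLOWLIST are constructed stand-ins; a real check would pull the
registry's top packages by download count.
"""
import json
import re
from typing import Dict, Optional

# Constructed: only "buildrunner" is taken from the article.
POPULAR = {"buildrunner", "lodash", "express", "react", "chalk", "commander"}
# Constructed: legitimate "popular name + suffix" packages that would otherwise
# trip the suffix rule (react-dom is the real React DOM renderer).
ALLOWLIST = {"react-dom"}

MAX_EDITS = 2  # flag names within this many edits of a popular name
SUFFIX_SEP = re.compile(r"^(?P<base>.+?)(?P<sep>[-_.])(?P<suffix>[a-z0-9]{1,6})$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and a swap
    of two adjacent characters each cost 1, so 'lodahs' is one edit from 'lodash'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_reason(name: str) -> Optional[str]:
    """Return why `name` resembles a popular package, or None if it does not."""
    bare = name.split("/", 1)[1] if name.startswith("@") else name  # drop @scope/
    if bare in POPULAR or bare in ALLOWLIST:
        return None  # the genuine package (or a known-good derivative)
    m = SUFFIX_SEP.match(bare)
    if m and m.group("base") in POPULAR:
        return (f"popular name '{m.group('base')}' plus suffix "
                f"'{m.group('sep')}{m.group('suffix')}'")
    for pop in POPULAR:
        dist = osa_distance(bare, pop)
        if 0 < dist <= MAX_EDITS:
            return f"{dist} edit(s) from '{pop}'"
    return None


def check_package_json(text: str) -> Dict[str, str]:
    """Scan dependencies and devDependencies; return {name: reason} for lookalikes."""
    manifest = json.loads(text)
    findings = {}
    for section in ("dependencies", "devDependencies"):
        for name in manifest.get(section, {}):
            reason = lookalike_reason(name)
            if reason:
                findings[name] = reason
    return findings


# Constructed sample manifest mixing genuine and lookalike names.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "lodash": "^4.17.21",
    "buildrunner-dev": "1.0.0",
    "expres": "^4.18.0",
    "react-dom": "^18.2.0"
  },
  "devDependencies": {
    "lodahs": "4.17.21",
    "@types/react": "^18.0.0"
  }
}"""

if __name__ == "__main__":
    for pkg, why in check_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{pkg}: {why}")
```

The suffix rule is deliberately noisy (many legitimate packages are “popular-name-dash-something”), which is why an allow-list is part of the design; in practice the output is a review queue to be combined with registry metadata such as package age, download counts and maintainer history rather than a block-list.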

Evasion Techniques

Further analysis revealed that the malware checks for installed antivirus products, among them ESET, Malwarebytes, and F-Secure, and adjusts its behavior to get past them without triggering alerts. It copies itself to a hidden folder as “protect.bat” for persistence, and abuses the auto-elevating Windows utility “fodhelper.exe” to bypass User Account Control, so that it gains elevated privileges without the consent prompt a user would otherwise see.
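The fodhelper.exe bypass leaves two reliable traces: the attacker must first write a handler under the current user's ms-settings registry class, and fodhelper.exe then spawns a child it would never start on its own. The Python below is an added example of detection logic for that pair of events, not anything from the Veracode report; it runs over constructed, simplified Sysmon-style JSON lines (event 13 = registry value set, event 1 = process create), and the paths and SIDs in the sample log are made up for the demo.

```python
"""Detect the fodhelper.exe UAC-bypass pattern in Sysmon-style JSON event lines.

Added example; not Veracode's tooling. The event format is a simplified,
constructed flattening of Sysmon fields, and SAMPLE_LOG is fabricated.
"""
import json
from typing import List, Optional, Tuple

# fodhelper.exe is auto-elevated and resolves the ms-settings: protocol handler
# from the user hive, so an unprivileged write to this key yields an elevated run.
HIJACK_KEY = r"\software\classes\ms-settings\shell\open\command"

# Interpreters an attacker typically has fodhelper launch (the article's
# protect.bat runs through cmd.exe); a clean fodhelper run spawns none of these.
SHELL_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe")


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the bypass pattern, else None."""
    eid = event.get("EventID")
    if eid == 13 and HIJACK_KEY in event.get("TargetObject", "").lower():
        return (f"ms-settings handler hijack: {basename(event.get('Image', ''))} "
                f"set {event.get('TargetObject')} = {event.get('Details')}")
    if eid == 1:
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent == "fodhelper.exe" and child in SHELL_CHILDREN:
            return f"fodhelper.exe spawned {child}: {event.get('CommandLine')}"
    return None


def scan(jsonl: str) -> List[Tuple[int, str]]:
    """Run classify() over every non-empty line; return (line number, reason) hits."""
    hits = []
    for n, line in enumerate(jsonl.strip().splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        reason = classify(json.loads(line))
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample: lines 1, 2 and 4 are the bypass; 3 and 5 are benign noise.
SAMPLE_LOG = r"""
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)", "Details": "C:\\Users\\dev\\AppData\\Local\\Temp\\protect.bat"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute", "Details": "(Empty)"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Common\\UI Theme", "Details": "DWORD (0x00000000)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\fodhelper.exe", "CommandLine": "cmd.exe /c C:\\Users\\dev\\AppData\\Local\\Temp\\protect.bat"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
"""

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The registry write is the higher-fidelity signal of the two, because nothing legitimate populates that key in the user hive; the process-tree rule is the backstop for cases where registry auditing is not collected.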

Steganography and Process Hollowing

One of the most intriguing aspects of this attack is the use of steganography to conceal the Pulsar RAT inside a PNG image. To a file-based scanner the payload looks like image data, which lets it sit in plain sight and makes it hard to detect. The attackers then used process hollowing to run it: a legitimate program is started, its in-memory contents are replaced with the RAT’s code, and the RAT executes under the legitimate program’s name and appears as a normal process.

Once running, the Pulsar RAT gives the attackers full control over the compromised computer. The dropped executable carries a nonsensical, innocuous-looking name such as “CheaperMyanmarCaribbean.exe” so that it does not stand out among running processes. The discovery is a stark reminder that even seemingly harmless files, such as images, can carry significant threats.

Supply Chain Vulnerabilities

The use of NPM as the delivery platform highlights the risk of supply chain attacks, in which malicious code is injected into the software development lifecycle through a dependency rather than through the target’s own code. The incident underscores the need for vigilant monitoring and concrete controls: verifying package names before adding a dependency, pinning versions with a lockfile, reviewing the install scripts of new packages, and, where workflows allow it, disabling lifecycle scripts for unvetted packages with npm’s --ignore-scripts option.


