Full Report
Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that's functional on Windows, macOS, and Linux systems. The names of the packages are listed below:

- nhattuanbl/lara-helper (37 downloads)
- nhattuanbl/simple-queue (29 downloads)
- nhattuanbl/lara-swagger (49 downloads)
Analysis Summary
# Tool/Technique: Malicious Packagist PHP Packages (Lara-Helper RAT)
## Overview
Threat actors have published a series of malicious PHP packages on the Packagist repository masquerading as legitimate Laravel utilities. These packages serve as a delivery mechanism for a cross-platform Remote Access Trojan (RAT) that enables full remote shell access and data exfiltration from Windows, macOS, and Linux servers. To build credibility, the author also published "clean" versions of other libraries.
## Technical Details
- **Type:** Malware Family (Remote Access Trojan) / Supply Chain Attack
- **Platform:** Windows, macOS, Linux (Cross-platform via PHP)
- **Capabilities:** System reconnaissance, remote shell execution, file manipulation, and screen capture.
- **First Seen:** March 2024 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1195.001 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0002 - Execution**
  - T1059.006 - Command and Scripting Interpreter: Python/PHP
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
  - T1571 - Non-Standard Port (2096)
- **TA0009 - Collection**
  - T1113 - Screen Capture
## Functionality
### Core Capabilities
- **System Reconnaissance:** Automatically collects and sends host metadata (OS info, user context) upon infection.
- **Remote Shell Access:** Executes arbitrary commands through multiple PHP functions (`exec`, `shell_exec`, `system`, etc.) to bypass security restrictions.
- **File Management:** Can download files from the victim's disk, or upload files and mark them world-readable, -writable and -executable (0777).
- **Persistent Connection:** Implements a retry loop every 15 seconds to maintain a connection to the C2 server.
### Advanced Features
- **Hardening Bypass:** The malware probes the `disable_functions` directive in PHP configuration and dynamically selects the first available execution method (popen, proc_open, etc.).
- **Anti-Analysis/Obfuscation:** Uses control-flow obfuscation, encoded domain names/paths, and randomized variable identifiers in `src/helper.php`.
- **Cross-Platform Screenshotting:** Utilizes `imagegrabscreen()` to capture visual data from the host.
## Indicators of Compromise
- **File Names:**
  - `src/helper.php` (within malicious packages)
- **Malicious Packages:**
  - `nhattuanbl/lara-helper`
  - `nhattuanbl/simple-queue`
  - `nhattuanbl/lara-swagger` (installs lara-helper as a dependency)
- **Network Indicators:**
  - `helper.leuleu[.]net:2096` (C2 server)
- **Behavioral Indicators:**
  - Outbound TCP connections on port 2096 from a web server process.
  - PHP processes spawning shell commands or PowerShell.
  - Heartbeat "ping" packets sent every 60 seconds.
## Associated Threat Actors
- **nhattuanbl** (Packagist username)
## Detection Methods
- **Signature-based detection:** Scan vendor directories for the "nhattuanbl" package path and the specific obfuscated `helper.php` file hashes.
- **Behavioral detection:** Monitor for web server processes (e.g., PHP-FPM, Apache) initiating outbound socket connections to unusual ports or executing `powershell.exe`/`/bin/sh`.
- **Audit:** Inspect `composer.lock` files for unauthorized or suspicious dependencies added by the `lara-swagger` utility.
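The three detection methods above can be automated in a single pass: one check over `composer.lock` for the listed package names (including the transitive `lara-helper` that `lara-swagger` pulls in), and one check over process/network telemetry for web-server processes reaching port 2096 or spawning a shell. The script below is an added example, not tooling from the report or from any vendor; the lock-file content, the log line format (`<pid> <process> <event> <detail>`) and the log lines themselves are constructed samples, and the package names and C2 port come from the indicators above.

```python
"""Audit a composer.lock and web-server process telemetry for the
Packagist RAT indicators. Added example; the lock file and the log lines
below are constructed samples in an assumed format."""
import json
import re

# Package names from the report's IoC list; the vendor prefix additionally
# catches anything else published under the same Packagist account.
MALICIOUS_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}
SUSPICIOUS_VENDOR = "nhattuanbl/"
C2_PORT = 2096
WEB_SERVER_PROCESSES = {"php-fpm", "php", "apache2", "httpd"}
SHELL_BINARIES = ("/bin/sh", "/bin/bash", "powershell.exe", "cmd.exe")


def audit_composer_lock(lock_text: str) -> list[str]:
    """Return locked package names that match the known indicators.

    Both 'packages' and 'packages-dev' are checked, since a transitive
    dependency (lara-helper pulled in by lara-swagger) lands in the lock
    file even though it was never listed in composer.json."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name in MALICIOUS_PACKAGES or name.startswith(SUSPICIOUS_VENDOR):
                findings.append(name)
    return findings


# Constructed telemetry format: "<pid> <process> connect|exec <detail>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(connect|exec)\s+(.+)$")


def scan_process_log(lines: list[str]) -> list[str]:
    """Flag web-server processes that open a socket to the C2 port or
    spawn a shell / PowerShell. Returns one reason string per hit, in
    log order; non-web-server processes are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        pid, proc, event, detail = m.groups()
        if proc not in WEB_SERVER_PROCESSES:
            continue
        if event == "connect":
            host, _, port = detail.rpartition(":")
            if port.isdigit() and int(port) == C2_PORT:
                hits.append(f"pid {pid} {proc}: outbound connection to {host}:{port}")
        elif event == "exec" and detail.split()[0].endswith(SHELL_BINARIES):
            hits.append(f"pid {pid} {proc}: spawned {detail}")
    return hits


# Constructed composer.lock: one clean framework, the two malicious packages
# (lara-swagger plus the lara-helper it depends on), and a clean dev package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v10.0.0"},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0"},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "10.0.0"}],
})

# Constructed telemetry: a C2 connection, a shell spawn, benign traffic,
# a non-web process, and a PowerShell spawn from Apache.
SAMPLE_LOG = [
    "1201 php-fpm connect helper.leuleu.net:2096",
    "1201 php-fpm exec /bin/sh -c uname -a",
    "1315 php-fpm connect api.example.com:443",
    "77 sshd connect 10.0.0.5:22",
    "1400 apache2 exec powershell.exe",
]

if __name__ == "__main__":
    for name in audit_composer_lock(SAMPLE_LOCK):
        print("composer.lock:", name)
    for hit in scan_process_log(SAMPLE_LOG):
        print("telemetry:", hit)
```

Run against the samples, the lock-file audit reports both `nhattuanbl` packages and the telemetry scan reports the port-2096 connection and the two shell spawns while ignoring the HTTPS call and the `sshd` line. In production the lock file would be read from each deployed application root and the telemetry would come from whatever EDR or auditd pipeline is in place, with the regular expression adapted to that format.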
## Mitigation Strategies
- **Immediate Action:** If these packages are found, remove them immediately and assume the environment is fully compromised.
- **Secret Rotation:** Rotate all `.env` variables, database credentials, and API keys, as the RAT gains the same permissions as the web application.
- **Hardening:** Strictly limit `disable_functions` in `php.ini` and use tools like Snuffleupagus for PHP security hardening.
- **Dependency Pinning:** Use specific versions and audit new dependencies before integration.
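Because the RAT probes `disable_functions` and takes the first execution function left enabled, a partial list (disabling `exec` alone, say) provides no protection. The checker below is an added example, not from the report or from any PHP project: it parses the `disable_functions` directive out of php.ini text and reports which of the execution functions the report names (`exec`, `shell_exec`, `system`, `popen`, `proc_open`), plus PHP's `passthru`, would still be callable. The two ini values are constructed.

```python
"""Audit php.ini disable_functions against the command-execution functions
the RAT cycles through. Added example; the two ini snippets are constructed."""

# exec, shell_exec, system, popen and proc_open are the functions the report
# names; passthru is another standard PHP command-execution function.
EXEC_FUNCTIONS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the set of function names listed in disable_functions.

    Ini comments (';' to end of line) are stripped first, so a commented-out
    directive does not count; an absent directive yields an empty set."""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line.startswith("disable_functions"):
            continue
        _, _, value = line.partition("=")
        value = value.strip().strip('"')
        return {f.strip().lower() for f in value.split(",") if f.strip()}
    return set()


def remaining_exec_functions(ini_text: str) -> list[str]:
    """Execution functions still enabled under this configuration, in the
    order the list above gives them. An empty result means every one of
    them is disabled."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


# Constructed: the common mistake of disabling only the obvious function.
WEAK_INI = """
; disable_functions = exec,system   <- left commented out by an old edit
disable_functions = exec
"""

# Constructed: every execution function the RAT tries is disabled.
HARDENED_INI = """
disable_functions = "exec,shell_exec,system,passthru,popen,proc_open"
"""

if __name__ == "__main__":
    print("weak   :", remaining_exec_functions(WEAK_INI))
    print("hardened:", remaining_exec_functions(HARDENED_INI))
```

With the weak configuration the checker lists `shell_exec`, `system`, `passthru`, `popen` and `proc_open` as still available, exactly the fallbacks the malware would select; with the hardened one it lists nothing. Note that `disable_functions` is a `PHP_INI_SYSTEM` directive, so it can only be set in the main php.ini or the server configuration and cannot be relaxed by a per-directory `.user.ini`, which is what makes it a useful control here.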
## Related Tools/Techniques
- **Typosquatting/Masquerading:** Similar to attacks seen on npm and PyPI.
- **Dependency Confusion:** Exploiting the recursive nature of Composer dependencies (e.g., `lara-swagger` pulling in the malicious `lara-helper`).