Full Report
A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location. [...]
Analysis Summary
# Tool/Technique: Malicious npm packages using Unicode Steganography
## Overview
This refers to several malicious npm packages, including **`vue-dummy`** and **`vue-bit-all`**, which use Unicode steganography to hide payloads within seemingly benign source code, specifically within strings that appear to contain only a vertical bar (`|`). These packages were designed to download and execute a secondary, obfuscated malware payload via a multi-stage command and control (C2) mechanism relying on Google Calendar links.
## Technical Details
- Type: Malware (Supply Chain Compromise via npm package)
- Platform: Systems utilizing Node Package Manager (npm) and JavaScript environments (likely targeting developers or CI/CD pipelines).
- Capabilities: Data exfiltration preparation, multi-stage payload execution, C2 communication, persistence.
- First Seen: [Not specified in the context]; a recent discovery based on Veracode analysis.
## MITRE ATT&CK Mapping
Given the nature of the delivery (using legitimate repository systems) and execution method:
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (Via compromised repository/package hosting)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
- T1059.003 - Windows Command Shell (Depending on execution environment)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1027.007 - Steganography (Specifically Unicode steganography)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (Downloading second stage payload)
## Functionality
### Core Capabilities
- **Steganographic Encoding:** Hiding data within strings using numerous invisible Unicode characters from the Variation Selectors Supplement range (U+E0100 to U+E01EF) appended to a vertical bar character (`|`).
- **Multi-Stage Payload Delivery:** The steganographically hidden data leads to a Google Calendar short link used as a redirection mechanism to host the actual malware.
### Advanced Features
- **C2 Redirection Chain:** Starting from a Google Calendar link, the malware follows a series of redirects until it receives an HTTP 200 OK response.
- **Data Exfiltration Preparation:** The final payload location is derived by scraping the `_data-base-title_` attribute from the resulting event HTML page, which contains a base64-encoded URL.
- **Payload Decoding:** A function (`_ymmogvj_`) decodes the retrieved URL pointing to the final malware payload.
- **Encrypted Stage-2 Payload:** The request for the stage-2 payload likely carries an initialization vector and a secret key in HTTP headers, suggesting the final payload is encrypted in transit.
- **Dynamic Execution:** The fetched payload is executed using the `eval()` function.
- **Simple Persistence:** A marker is written to the system's temporary directory to prevent multiple instances from running at once.
## Indicators of Compromise
The summary focuses on the delivery mechanism rather than specific hashes or IPs, as the context implies the package names are the primary initial IOCs, and the final URLs were not retrieved.
- File Hashes: [Not specified in the context]
- File Names: `vue-dummy`, `vue-bit-all` (npm package names)
- Registry Keys: [Not specified in the context]
- Network Indicators: C2 ultimately relied on **Google Calendar short links** for redirection to the final payload hosting URL.
- Behavioral Indicators: Use of Unicode variation selectors for data hiding, execution via `eval()`, file creation in the temporary directory.
## Associated Threat Actors
- [Not explicitly named in the context, but associated with supply chain attacks targeting the npm ecosystem.]
## Detection Methods
- Signature-based detection: Detection rules targeting the specific npm package names if they propagate widely.
- Behavioral detection: Monitoring for scripts that contain or process long sequences of Unicode Variation Selectors Supplement characters (`U+E0100` to `U+E01EF`) within code or strings. Detection of dynamic code execution via `eval()` in unexpected contexts. Monitoring network activity for connections to URLs derived from scraped Google Calendar event attributes.
- YARA rules: Potential rules targeting the unique Unicode pattern used for steganography.
## Mitigation Strategies
- **Supply Chain Security:** Strictly vet npm dependencies, especially lesser-known or newly published packages, prior to inclusion in build environments.
- **Dependency Scanning:** Utilize tools to scan dependency trees for suspicious content, unusual encoding, or known malicious patterns embedded in source code or metadata.
- **Execution Control:** Apply strict application control or sandboxing where possible, and monitor for the use of high-risk functions like `eval()`.
- **Network Monitoring:** Implement egress filtering or anomaly detection to identify connections to potentially compromised redirection services (like unusual traffic patterns deriving from Google Calendar links).
## Related Tools/Techniques
- Traditional Text Steganography Techniques
- Other supply chain attacks targeting language-specific package managers (e.g., PyPI, RubyGems).
- Malicious packages using obfuscation techniques other than Unicode steganography.