- \n
- A malicious NPM package masquerading as an XML-RPC implementation has maintained an unusually long presence on the NPM registry from October 2023 to November 2024, receiving 16 updates during this period.<\/li>\n\n\n\n
- The package started as a “legitimate” XML-RPC implementation and strategically introduced malicious code in later versions.<\/li>\n\n\n\n
- The malware steals sensitive data (SSH keys, bash history, etc..) every 12 hours while mining cryptocurrency on infected systems. Data is exfiltrated through Dropbox and file.io.<\/li>\n\n\n\n
- The attack achieved distribution through multiple vectors: direct NPM installation and as a hidden dependency in a legitimate-looking repository.<\/li>\n\n\n\n
- Evasion techniques include system monitoring detection and activity-based mining<\/li>\n\n\n\n
- At the time of investigation, it appeared that up to 68 compromised systems were actively mining cryptocurrency through the attacker’s Monero wallet.<\/li>\n<\/ul>\n\n\n\n
Package History and Evolution<\/h2>\n\n\n\n
The malicious package \u201c@0xengine\/xmlrpc\u201d first appeared on the NPM registry on October 2nd, 2023, presenting itself as a pure JavaScript XML-RPC server and client implementation for Node.js.<\/p>\n\n\n\n
![\"malicious](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/npm-package-1024x665.png\")
<\/figure>\n\n\n\nWhat makes this package particularly interesting is its strategic evolution from legitimate to malicious code. The initial release (version 1.3.2) and its immediate follow-up appeared to be legitimate implementations of XML-RPC functionality. However, starting from version 1.3.4, the package underwent a significant transformation with the introduction of malicious code in the form of heavily obfuscated code within the “validator.js” file.<\/p>\n\n\n\n
![\"XML-RPC](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/obfuscated-code-1024x617.png\")
Part of the obfuscated code<\/figcaption><\/figure>\n\n\n\n Over its year-long presence on NPM, the package has received 16 updates, with the latest version (1.3.18) published on October 4th, 2024. This consistent update pattern helped maintain an appearance of legitimate maintenance while concealing the malicious functionality.<\/p>\n\n\n\n
Distribution Strategy<\/h2>\n\n\n\n
Our research uncovered a calculated supply chain attack involving two distribution vectors. The first involves direct installation of @0xengine\/xmlrpc<\/strong> from NPM. The second, more sophisticated approach, involves a GitHub repository named “yawpp” (hxxps[:]\/\/github[.]com\/hpc20235\/yawpp), which presents itself as a WordPress posting tool.<\/p>\n\n\n\n
The yawpp repository appears legitimate, offering functionality for WordPress credential checking and content posting. It requires @0xengine\/xmlrpc as a dependency, claiming to use it for XML-RPC communication with WordPress sites. This dependency is automatically installed when users set up the yawpp tool through standard npm installation.<\/p>\n\n\n\n
This strategy is particularly effective as it exploits the trust developers place in package dependencies, potentially leading to inadvertent installation of the malicious package through what appears to be a legitimate project dependency.<\/p>\n\n\n\n
The combination of regular updates, seemingly legitimate functionality, and strategic dependency placement has contributed to the package’s unusual longevity in the NPM ecosystem, far exceeding the typical lifespan of malicious packages that are often detected and removed within days.<\/p>\n\n\n\n
Attack Flow<\/h2>\n\n\n\n
![\"attack](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Attack-Flow-1024x649.png\")
<\/figure>\n\n\n\nThe attack orchestrated through @0xengine\/xmlrpc operates through a sophisticated multi-stage approach that combines cryptocurrency mining with data exfiltration capabilities. The malicious functionality, concealed within validator.js, remains dormant until executed through one of two vectors:<\/p>\n\n\n\n
- \n
- Direct package users execute any command with the ‘–targets’ or ‘-t’ flag. This activation occurs when running the package’s validator functionality, which masquerades as an XML-RPC parameter validation feature.<\/li>\n\n\n\n
- Users installing the “yawpp” WordPress tool from GitHub automatically receive the malicious package as a dependency. The malware activates when running either of yawpp’s main scripts (checker.js or poster.js), as both require the ‘–targets’ parameter for normal operation.<\/li>\n<\/ul>\n\n\n\n
This implementation ensures the malware activates through legitimate-looking tool usage, making detection more difficult.<\/p>\n\n\n\n
Initial Compromise<\/h2>\n\n\n\n
Once triggered, the malware begins gathering system information:<\/p>\n\n\n\n
![\"Deobfuscated](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/system-gather-1024x292.png\")
Deobfuscated version of the system information gathering code<\/figcaption><\/figure>\n\n\n\n Following the initial data collection phase, the malware deploys its cryptocurrency mining component with a particular focus on Linux systems. The deployment process involves downloading additional payloads from a Codeberg repository disguised as system authentication services. The mining operation utilizes XMRig to mine Monero cryptocurrency, directing all mining rewards to a predetermined wallet address while connecting to the mining pool.<\/p>\n\n\n\n
![\"Deobfuscated](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/downloading-crypto-minor-1024x292.png\")
Deobfuscated configuration revealing the attacker’s Codeberg repository URLs used to fetch mining components<\/em><\/figcaption><\/figure>\n\n\n\n These downloaded components include:<\/p>\n\n\n\n
- \n
- XMRig: The actual cryptocurrency mining software<\/li>\n\n\n\n
- xprintidle: Used to detect user activity<\/li>\n\n\n\n
- Xsession.sh: The main script that orchestrates the mining operation<\/li>\n<\/ul>\n\n\n\n
The mining operation is configured with specific parameters targeting Monero:<\/p>\n\n\n\n
![\"Monero](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/wallet-data-1024x230.png\")
Monero mining configuration found in the downloaded Xsession.sh script<\/figcaption><\/figure>\n\n\n\n At the time of our investigation, we observed 68 miners actively connected to this wallet address through the hashvault.pro mining pool, indicating a possible significant number of compromised systems actively mining cryptocurrency for the attacker.<\/p>\n\n\n\n
![\"Monero](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Miners-1024x903.png\")
<\/figure>\n\n\n\nSophisticated Evasion Mechanisms<\/h2>\n\n\n\n
The malware implements an advanced process monitoring system to avoid detection. It maintains a list of monitoring tools and continuously checks for their presence.<\/p>\n\n\n\n
![\"Deobfuscated](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/checking-for-monitoring-processes-1024x445.png\")
Deobfuscated version of the process monitoring evasion logic found in Xsession.sh – checks for and terminates mining when system monitoring tools are detected<\/figcaption><\/figure>\n\n\n\n The malware also carefully monitors user activity through the xprintidle utility. It only initiates mining operations after a specified period of inactivity (default: 1 minute) and immediately suspends operations when user activity is detected. This behavior is controlled by the INACTIVITY_IN_MINS parameter.<\/p>\n\n\n\n
![\"INACTIVITY_IN_MINS](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/checking-for-inactivity-1024x230.png\")
<\/figure>\n\n\n\nMaintaining Persistence<\/h2>\n\n\n\n
To ensure long-term survival on infected systems, the malware establishes persistence through systemd, disguising itself as a legitimate session authentication service named “Xsession.auth”. This service is configured to automatically start with the system, ensuring the mining operation resumes after system reboots. The malware also implements a daily check-in mechanism, regularly sending system status updates and potentially receiving new commands or configurations.<\/p>\n\n\n\n
![\"Deobfuscated](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/Persistence-1024x387.png\")
Deobfuscated systemd service configuration from Xsession.sh used for maintaining persistence<\/figcaption><\/figure>\n\n\n\n Data Exfiltration Pipeline<\/h2>\n\n\n\n
The malware implements a comprehensive data collection and exfiltration system that operates continuously. Every 12 hours, it performs a systematic collection of sensitive system information through a “daily_tasks” function found in Xsession.sh:<\/p>\n\n\n\n
![\""daily_tasks"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/daily-task-1024x406.png\")
<\/figure>\n\n\n\nDuring each collection cycle, the malware systematically gathers a wide range of sensitive data including:<\/p>\n\n\n\n
- \n
- SSH keys and configurations from ~\/.ssh<\/li>\n\n\n\n
- Command history from ~\/.bash_history<\/li>\n\n\n\n
- System information and configurations<\/li>\n\n\n\n
- Environment variables and user data<\/li>\n\n\n\n
- Network and IP information through ipinfo.io<\/li>\n<\/ul>\n\n\n\n
![\"Dropbox](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/data-Collection-1024x505.png\")
<\/figure>\n\n\n\n
![\"Consnt](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/dropbox-1024x336.png\")
<\/figure>\n\n\n\n![\"const](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/file-io-1024x336.png\")
<\/figure>\n\n\n\n