The IP address returned for a package analyzed by Phylum was: hxxp://193.233.201[.]21:3001.
Although the method was likely intended to hide the source of infections in the second phase, it ironically had the effect of leaving a trail of previous addresses that the attackers had used in the past. The researchers explained:
An interesting aspect of storing this data on the Ethereum blockchain is that Ethereum stores an immutable history of all values it has ever seen. So we can see every IP address this threat actor has ever used.
On 2024-09-23 00:55:23Z it was hxxp://localhost:3001
As of 2024-09-24 06:18:11Z it was hxxp://45.125.67[.]172:1228
As of 2024-10-21 05:01:35Z it was hxxp://45.125.67[.]172:1337
As of 10/22/2024 2:54:23 PM it was hxxp://193.233[.]201.21:3001
As of 26-10-2024 17:44:23Z it is hxxp://194.53.54[.]188:3001
Once installed, the malicious packages come in the form of a wrapped Vercel package. The payload runs in memory, sets itself to load on every restart, and connects to the IP address stored in the Ethereum contract. It then “executes a handful of requests to retrieve additional JavaScript files and then posts system information back to the same requesting server,” the Phylum researchers wrote. “This information includes information about the GPU, CPU, the amount of memory on the machine, username and operating system version.”
Attacks like these rely on typosquatting, a term for using names that are very similar to those of legitimate packages but contain minor differences, such as those that might occur if the package is accidentally misspelled. Typosquatting has long been a tactic to lure people to malicious websites. Over the past five years, typosquatting has been embraced to trick developers into downloading malicious code libraries.
Developers should always double-check names before running downloaded packages. The Phylum blog post contains names, IP addresses, and cryptographic hashes associated with the malicious packages used in this campaign.