The IP address returned by a package Phylum analyzed was: hxxp://193.233.201[.]21:3001.
While the approach was likely intended to hide the source of second-stage infections, it ironically had the effect of leaving a trail of the previous addresses the attackers had used in the past. The researchers explained:
An interesting thing about storing this data on the Ethereum blockchain is that Ethereum stores an immutable history of all values it has ever seen. Thus, we can see every IP address this threat actor has ever used.
On 2024-09-23 00:55:23Z it was hxxp://localhost:3001
From 2024-09-24 06:18:11Z it was hxxp://45.125.67[.]172:1228
From 2024-10-21 05:01:35Z it was hxxp://45.125.67[.]172:1337
From 2024-10-22 14:54:23Z it was hxxp://193.233.201[.]21:3001
From 2024-10-26 17:44:23Z it's hxxp://194.53.54[.]188:3001
When installed, the malicious packages come in the form of a packed Vercel package. The payload runs in memory, sets itself to load with each reboot, and connects to the IP address from the Ethereum contract. It then “performs a handful of requests to fetch additional Javascript files and then posts system information back to the same requesting server,” the Phylum researchers wrote. “This information includes details about the GPU, CPU, the amount of memory on the machine, username, and OS version.”
Attacks like this one rely on typosquatting, a term for the use of names that closely mimic those of legitimate packages but contain small differences, such as those that might occur if the package name was inadvertently misspelled. Typosquatting has long been a tactic for luring people to malicious websites. Over the past five years, typosquatting has been embraced to trick developers into downloading malicious code libraries.
Developers should always double-check names before running downloaded packages. The Phylum blog post provides names, IP addresses, and cryptographic hashes associated with the malicious packages used in this campaign.
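As an added example (not Phylum's or Ars Technica's code), a pre-install check of the kind the advice above calls for: it flags dependency names in a package.json that sit one or two edits away from a known package. The allowlist and the package.json it scans are constructed samples, not names from the campaign.

```python
"""Added example: flag npm dependency names that look like typos of known packages."""
import json

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    one adjacent transposition, the edits typosquats most often rely on."""
    # Row 0 and column 0 hold the cost of building a prefix from nothing.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def normalize(name: str) -> str:
    """Drop the @scope and separators so 'Lo-Dash' and '@x/lodash' compare as 'lodash'."""
    n = name.lower()
    if n.startswith("@") and "/" in n:
        n = n.split("/", 1)[1]
    return n.replace("-", "").replace("_", "").replace(".", "")

# Constructed allowlist; in practice derive it from the project's lockfile or a curated list.
KNOWN_GOOD = {"puppeteer", "express", "lodash", "react", "left-pad"}

def suspicious_names(names, known_good=KNOWN_GOOD, max_distance=2):
    """Map each near-miss name to the known package it resembles (exact matches pass)."""
    hits = {}
    for dep in names:
        if dep in known_good:
            continue
        n = normalize(dep)
        best, dist = min(((g, osa_distance(n, normalize(g))) for g in known_good),
                         key=lambda t: t[1])
        if dist <= max_distance:  # tune the threshold; short names need a lower one
            hits[dep] = best
    return hits

def check_package_json(text: str) -> dict:
    """Scan dependencies and devDependencies of a package.json document."""
    pkg = json.loads(text)
    names = list(pkg.get("dependencies", {})) + list(pkg.get("devDependencies", {}))
    return suspicious_names(names)

# Constructed package.json with three look-alike names among legitimate ones.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"puppeter": "^1.0.0", "express": "^4.0.0",
                     "lodahs": "^4.0.0", "left-pad": "^1.3.0"},
    "devDependencies": {"reakt": "^18.0.0"},
})
```

Running `check_package_json(SAMPLE_PACKAGE_JSON)` reports puppeter, lodahs and reakt with the package each resembles; a hit means "verify the name against the registry before installing", not proof of malice.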