Tweet
A mysterious threat actor has left a trail of hidden messages for the researchers investigating their attacks.
Cybersecurity firm Checkmarx recently published a blog post on a threat actor dubbed RED-LILI, which has been distributing malicious NPM packages using automatically created user accounts.
The company also created the RED-LILI Tracker to share information about the attacker’s packages with the community.
However, the latest findings suggest RED-LILI has not taken kindly to the attention from researchers at Checkmarx.
https://cdn.mos.cms.futurecdn.net/ybbmQ8p4Q999AkMWkW8HLm.jpg
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
[HEADING=1]Secret messages[/HEADING]
RED-LILI responded to the blog by changing up its tactics. Besides trying to make the malicious packages seem more credible, and obfuscating the malicious code, the threat actor also started leaving messages to the researchers.
These messages were being delivered through package names, which “diverged from the normal pattern”, including:
[ul]
[li]dontbelikethat[/li][li]notsobrilliant[/li][li]dontgothereever[/li][li]dontblowthisoff [/li][li]heisnotwhatyousee[/li][li]helloboy634[/li][li]nosoawesome232[/li][li]F**kyouscanner[/li][/ul]
Since the initial report, RED-LILI slowed down and paused the burst automation attacks, the researchers found. RED-LILI also dumped old domain names and registered a new domain: 22timer[.]ga.
Read more
The researchers believe the next wave of the attack is yet to come, as RED-LILI now explores and publishes cherry-picked packages, each with its own unique evasion mechanism.
“However, the attacker’s thumbprint still remains as they re-use similar characteristics (code similarity, same identifying strings, etc.),” the researchers concluded.
“In recent packages, they are doing it while exfiltrating the data they collect to previously unknown addresses on different services, from what we have seen before such as free webhook services, for example, pipedream and requestbin.”
A detailed breakdown of the group’s methods, as well as all the package names that have so far been uncovered, can be found here.
[ul]
[li]Defend your premises with the best malware protection out there[/li][/ul]
Continue reading…
Cybersecurity firm Checkmarx recently published a blog post on a threat actor dubbed RED-LILI, which has been distributing malicious NPM packages using automatically created user accounts.
The company also created the RED-LILI Tracker to share information about the attacker’s packages with the community.
However, the latest findings suggest RED-LILI has not taken kindly to the attention from researchers at Checkmarx.
https://cdn.mos.cms.futurecdn.net/ybbmQ8p4Q999AkMWkW8HLm.jpg
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
[HEADING=1]Secret messages[/HEADING]
RED-LILI responded to the blog by changing up its tactics. Besides trying to make the malicious packages seem more credible, and obfuscating the malicious code, the threat actor also started leaving messages to the researchers.
These messages were being delivered through package names, which “diverged from the normal pattern”, including:
[ul]
[li]dontbelikethat[/li][li]notsobrilliant[/li][li]dontgothereever[/li][li]dontblowthisoff [/li][li]heisnotwhatyousee[/li][li]helloboy634[/li][li]nosoawesome232[/li][li]F**kyouscanner[/li][/ul]
Since the initial report, RED-LILI slowed down and paused the burst automation attacks, the researchers found. RED-LILI also dumped old domain names and registered a new domain: 22timer[.]ga.
Read more
Microsoft Azure developers targeted with flood of malicious npm packages
Another popular npm package infected with malware
Hackers inject malicious code into another popular npm library
Another popular npm package infected with malware
Hackers inject malicious code into another popular npm library
“However, the attacker’s thumbprint still remains as they re-use similar characteristics (code similarity, same identifying strings, etc.),” the researchers concluded.
“In recent packages, they are doing it while exfiltrating the data they collect to previously unknown addresses on different services, from what we have seen before such as free webhook services, for example, pipedream and requestbin.”
A detailed breakdown of the group’s methods, as well as all the package names that have so far been uncovered, can be found here.
[ul]
[li]Defend your premises with the best malware protection out there[/li][/ul]
Continue reading…