TeamPCP published Shai-Hulud source code to GitHub last week, and the infamous worm already shows signs of spreading. 

TeamPCP is a financially motivated threat actor that has long been assessed as a key, if not the key, culprit behind the Shai-Hulud self-replicating worm attacks, as well as various successor worms. Shai-Hulud, named after the sandworms from the popular science fiction novel Dune, is a self-replicating malware worm that began infecting node packet manager (NPM) packages last summer. 

A developer would download an open source software component that has been poisoned by the malware, the malware would infect that developer with an infostealer, and then the malware would use the developer’s compromised NPM accounts to publish poisoned dependencies of whatever packages that develop maintains — all without threat actor interference. The cycle would then repeat.

Shai-Hulud and similar worms have made a mess out of the open source development ecosystem in recent months, but despite a tidal wave of threat campaigns targeting developers, defenders acted quickly and the damage thus far has been somewhat limited

Related:Attackers Weaponize RubyGems for Data Dead Drops

With that in mind, we may be entering a new world of Shai-Hulud-based threats, as TeamPCP invited other threat actors to use the code in attacks. A Datadog blog post noted that GitHub removed the original May 12 repository, though follow-on forks persisted. 

Shai-Hulud Clones Infest NPM

In a research blog post published today, Patrick Münch, chief security officer (CSO) of vulnerability management vendor Mondoo, said a threat actor “uploaded four malicious packages from one [npm] account: a near-verbatim copy of Shai-Hulud with its own command-and-control infrastructure, three Axios typosquats, and a distributed denial of service (DDoS) botnet payload that conscripts infected machines into a flooding network.” 

Although the weekly downloads for all npm packages combined only total about 2,600, Münch argued that the real story here is that it shows a new frontier for software development supply chain attacks. More specifically, Shai-Hulud is a prototype for “a new paradigm of automated supply chain attack that weaponizes developer identity and the implicit trust baked into modern CI/CD pipelines.” 

With Shai-Hulud, typosquatting is only the first stage. A successful Shai-Hulud variant spreads through compromising developer accounts and updating trusted packages with malware. Münch said a wave of worms like this could disrupt the innate trust in these open source ecosystems that developers across the world rely on. 

Related:It’s Patch Tuesday for Microsoft & Not a Zero-Day In Sight

Adrian Culley, senior sales engineer at SafeBreach, tells Dark Reading that the Shai-Hulud release is less about bravado and more about TeamPCP running a marketing campaign for an access broker business. The malware command-and-control (C2) by default is attached to TeamPCP’s infrastructure, for example.

“The open source drop launders attribution behind a wave of copycats, the BreachForums contest is loss-leader pricing to recruit unpaid distribution, and every C2 those contestants stand up still feeds credentials into TeamPCP’s monetization pipeline,” he says. “The point isn’t the worm. The point is to overwhelm defenders while the credentials walk out the back door.”

Troubling Implications for Future Worms

This ties into what Münch called the most “uncomfortable detail” about the clones: attackers can apparently swap out the C2 and signing key without much consequence. 

“The headline clone, published as chalk-tempalte (a typosquat of the popular chalk-template package), is an almost direct copy of the leaked Shai-Hulud source,” he wrote. “The attacker swapped in their own C2 endpoint and their own signing key, did not bother with obfuscation, and shipped it. And it worked.”

Related:Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain

The infostealers on the back end varied between all four packages. One looked identical to the Shai-Hulud open source version, while the other three varied in capabilities. The reason this matters, Mondoo highlighted, is that the various infostealers appear to be “machine-assemnled.” Thus, an attacker can spin up multiple payloads and run four different malware packages simultaneously with little effort.  

As Culley puts it, defenders were able to beat Shai-Hulud last year because they were chasing one worm at a time. “From here they’re chasing a population — variants with different C2, different keys, different payloads, sharing enough DNA to be dangerous but not enough to share signatures.”

According to Mondoo’s blog post, turning on three controls in a package manager should neutralize the threat of Shai-Hulud and these clones. Developers should block life cycle scripts by default, enforce a release cooldown, and detect trust downgrades.

“Beyond the package manager, treat your CI/CD pipeline as an attack surface, not a deployment mechanism,” Münch wrote. “Audit which dependencies actually need install-time code execution and document why. Rotate any credentials that have been on developer workstations or CI runners that touched the affected packages. And do not assume that because the four packages flagged this week have low download counts, your environment is unaffected. The same techniques are being applied right now by actors who have not been caught yet.”





Source link

#

Comments are closed