Researchers have discovered a typosquatting npm package concealing a full-service Discord remote access Trojan (RAT) that offers rootkit functionality. The malware, dubbed “DiscordRAT 2.0,” functions as a turnkey hacking tool that’s perfect for newbies, and it lowers the barrier to entry for pulling off open source software supply chain attacks.
In this case, the package — “node-hide-console-windows” — was made to closely resemble a legitimate package, node-hide-console-window, a simple module for toggling an app’s console window visibility, which is downloaded 300 or so times every week. The malicious npm entry was made to look nearly identical to the original’s, including uploading 10 separate versions to match the original’s count.
The ruse worked: The copycat with an added “s” was downloaded around 700 times before being taken down.
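One defensive check this incident suggests is to scan a project's manifest for dependency names that sit a single edit away from a package you already trust, which is exactly the lure here (an added "s" on node-hide-console-window). The script below is an added example, not code from the article or from ReversingLabs; the allow-list and the sample manifest are constructed for the demonstration.

```javascript
// Added example: flag dependencies within one edit of a trusted package name.
// KNOWN_PACKAGES is a constructed allow-list; a real one would come from a
// curated internal registry or lockfile review.
const KNOWN_PACKAGES = ["node-hide-console-window", "express", "lodash"];

// Levenshtein edit distance (insertions, deletions, substitutions), single-row form.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][0]
    prev[0] = i;        // D[i][0]
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], needed as next diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return [{ name, lookalike, distance }] for every dependency that is not an
// exact trusted name but lies within maxDistance edits of one.
function findTyposquats(packageJson, maxDistance = 1) {
  const deps = {
    ...(packageJson.dependencies || {}),
    ...(packageJson.devDependencies || {}),
  };
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_PACKAGES.includes(name)) continue; // exact trusted name, fine
    for (const known of KNOWN_PACKAGES) {
      const d = editDistance(name, known);
      if (d <= maxDistance) hits.push({ name, lookalike: known, distance: d });
    }
  }
  return hits;
}

// Constructed sample manifest: one trusted dependency, one copycat with an added "s".
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.18.2", "node-hide-console-windows": "^1.0.0" },
};

console.log(findTyposquats(SAMPLE_PACKAGE_JSON));
```

Run it against a real package.json after replacing the allow-list; a non-empty result is a prompt for manual review of that package's publisher and history, not proof of malice.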
“Open source has many, many benefits, and I think the benefits far outweigh the drawbacks,” says Ashlee Bengee, ReversingLabs’ director of threat intelligence advocacy. “But having that kind of software out there allows for this malicious behavior to be hidden very easily.”
A Fake Package Hiding a Real Rootkit
When ReversingLabs researchers first came upon the copycat package — suspiciously uploaded on Aug. 25 by a new account and not connected to any other npm projects — they discovered unobfuscated malicious code inside of its “index.js” file. Upon running, the malicious file downloaded an executable file: a copy of DiscordRAT 2.0.
DiscordRAT 2.0 is a compact, C#-based remote hacking tool. According to its GitHub page, it’s meant “for educational use only,” though the sincerity in that sentiment is in question.
“A lot of these are released under the guise of being for educational purposes, and they do have that function, I suppose, which is good for defenders. But at the same time, it’s also really easy for anyone with very minimal knowledge to go and download malware that’s freely available on something like GitHub. And it’s very easy to launch an email campaign with that malware just attached directly,” Bengee points out.
Crucially, users of DiscordRAT 2.0 manage their victims with little expertise required, via individual Discord channels. The tool provides them with dozens of easy-to-use commands for stealing credentials, manipulating files, killing processes, or even bluescreening a host computer.
Most notable of all, however, is its command, “!rootkit.”
Hacking Made Accessible and Easy
The !rootkit function within DiscordRAT 2.0 triggers the execution of a second open source malware, the r77 rootkit.
The code is a “rootkit that hides everything” — TCP and UDP connections, files and directories, processes and CPU usage, and more — according to its GitHub page. Any hacker with administrative privileges can use it to stealthily establish persistence on a host, perform malicious activities, and access highly privileged data — without a lot of know-how.
That an open source, full-service, turnkey RAT packs this kind of punch signals how little expertise and effort attackers now need in order to carry out relatively sophisticated attacks.
“It’s just really opened the doors for would-be attackers,” Bengee says, “especially because this has become such an easy way to make a quick buck.”