ReversingLabs has discovered a malicious npm package disguised as the software tool Material Tailwind. Here's an in-depth look at our discovery — and threat analysis.
Note: This analysis was updated on Friday, Sept. 23 with new information on an additional MachO executable.
Highlighting the rise in risk from open source software repositories, ReversingLabs researchers discovered a new technique that threat actors are using to sow open source repositories with malicious code: a malicious npm package masquerading as Material Tailwind, which is described on their website as “an easy to use components library for Tailwind CSS and Material Design.”
Both of these components are recognizable names and massively popular libraries among developers, netting millions of downloads each. Tailwind specifically serves as an open-source CSS framework that doesn’t provide predefined classes for elements, while Material Design is a design language that uses grid-based layouts, responsive animations, and other visual effects.
In contrast, the malicious Material Tailwind npm package, while posing as a helpful development tool, has an automatic post-install script, which downloads a password protected zip file that contains a malicious executable: a custom-packed Windows executable capable of running PowerShell scripts.
The ReversingLabs research team spotted the package using our Titanium Platform, which tracks software behaviors, specifically looking for packages that contain obfuscated code. Here's our in-depth overview of how we came across this package, as well as how our team deobfuscated the malicious code to gain insight into the threat actor’s methods, and indicators of compromise (IOCs) that can help your organization determine whether or not you have been compromised.
Obfuscated code: A red flag in npm packages
Unlike the previous research cases, however, the threat actor responsible for Material Tailwind did quite a good job at making the package description as convincing as possible. Upon closer inspection, however, we noted that the package description is, in fact, copied from another npm package named tailwindcss-stimulus-components. The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind. The malicious package also successfully implements all of the functionality provided by the original package.
Postinstall scripts get executed immediately after package installation. This is why they are a quite popular mechanism for achieving code execution among threat actors. From the perspective of a threat researcher: an obfuscated script that is set to run immediately after installation is a (big) red flag.
In the case of Material Tailwind, the obfuscated script was deobfuscated and its content was analyzed in detail.
Figure 1: npm module imports
Looking at the deobfuscated script content, the list of imported modules already looks suspicious. It contains modules for file system operations, encryption, network communication, archive decompression and process manipulation.
The module first sends a POST request with platform information to a specific IP address and validates that it is executed on a Win32 system. Then it constructs a download link containing the type of the operating system. It also adds a parameter which is probably used to validate that the download request is coming from the victim's machine. This parameter is generated by performing a bcrypt hash of the victim's IP address and removing the first 7 bytes from the hash value.
Figure 2: Code responsible for stage 2 download
The downloaded file is a password protected zip archive named DiagnosticsLogger.zip which contains only one file, and it is named DiagnosticsHub.exe. The name of the executable varies between different versions of the package. For the current ZIP archive version, the password that encrypts its contents is “J##$dj&%qvvV89”. Since the archive contains only one file, password protection is likely used to avoid basic antivirus checks.
The chosen file names suggest that the attacker is trying to disguise the payload as some kind of diagnostic tool. Finally, the script spawns a child process that executes the downloaded file using cmd /c command.
The downloaded Windows executable implements several protections to frustrate analysis. It is packed with a custom runtime packer. The Assembly unpacking routine utilizes xmm registers. Typically used for high precision math, they’re abused here for evading security solutions. The malicious code also performs long sleep delays in its execution, another effort to avoid detection. While running, the Windows executable tries to contact trustworthy domains like google.com to verify that it has internet access, and detect if it is executing in a sandboxed environment.
Figure 3: Base64 decrypted powershell command creating Scheduled Task
Packed information includes several Powershell code snippets responsible for command and control, communication, and process manipulation. Persistence is achieved by executing a base64 encoded Powershell command which sets up a scheduled task to be executed daily.
At stage 2, the malware fetches a XOR encrypted and base64 encoded file from a public Google Drive link. In case this link isn’t accessible two alternative download locations exist, one at Github and another one at OneDrive. The XOR key it uses for decryption is the hardcoded string “AJUHKJHOIU351q23AJKI8i7y”.
Figure 4: Google drive file decryption routine
At the time of publication, the encrypted file contains a single IP address, which is the location of its command and control (C2) server, from which the malware receives encrypted instructions using a dedicated socket connection. During dynamic analysis of the malware the C2 server responded with a command indicating that the status of the victims machine wasn’t initialized, which triggered execution of a Powershell command performing a directory listing of the “C:\Program Files” and “C:\Program Files (x86)” folders. The output was stored in the “C:\ProgramData\DiagnosticsLog\Diagnost.log” file, probably to be uploaded to the C2 server later.
Figure 5: Powershell directory listing command
MachO executable (update as of 9/23/2022)
The malicious package was initially reported to the npm security team on Monday, Sept. 20. The npm security team responded quickly, removing the affected package within 24 hours. But while they removed it from the npm package repository, they didn’t replace it with a security holder version, like they usually do. That gave the attacker an opportunity to publish new versions under the same package name, which happened on Thursday, Sept. 22. Three new versions were published, and they contained modified versions of the postinstall script.
Figure 6: Updated code responsible for stage 2 download
The new versions added code which triggers if the package is installed on Darwin operating system. In that case, instead of a password protected zip file, a different archive containing two MachO files compiled for ARM and x86-64 architectures, is downloaded and executed on the compromised machine.
MachO executables are much simpler than the described Windows executables. Important strings are created by concatenating ASCII characters during execution. Persistence is acquired by creating LaunchAgents, a technique typical for macOS malware. The file name suggests that malware tries to mimic the legitimate CoreSimulator framework related to the Xcode developer toolset used for developing macOS applications. Instructions are fetched from C2 server by performing curl request, and curl output is then redirected to sh command for execution.
Cross platform support, and the fact that new versions of the package were released quickly after the removal of the first ones, shows that a skilled actor is behind this malware — one that is determined to keep this malware operational.
Imposter packages are on the rise
This Material Tailwind attack is just the latest example of a growing trend: malicious npm packages that attempt to fool developers by posing as legitimate packages. For example, in the IconBurst campaign that we first discovered and disclosed in early July, we noted malicious npm packages that name-squatted on heavily-used and legitimate packages, which hid their malicious content using code obfuscation.
In this case the complexity of the malware tactics leads to a conclusion that sophisticated actors could be behind this attack. For now, our analysis of the situation tells us that Material Tailwind’s stage two payload can be classified as a fully functional Trojan malware. It uses a lot of techniques to complicate reverse engineering. Additionally, IP redirection using a file hosted on a legitimate service like Google Drive is also performed before the communication with the actual C2 server.
Given the advanced nature of this malicious package and the fact that it is imitating widely used software development libraries, it is safe to assume that threat actors feel emboldened to continue taking advantage of open source repositories. And as their evasion techniques become more advanced over time, it is essential for software development shops to use a product like ReversingLabs Titanium Platform to spot malicious activity, and keep a close eye on application behaviors prior to including a new third-party dependency in their software.
Future updates regarding this incident will be shared in this blog post.
Indicators of Compromise (IoC)
Stage 2 PE payload:
MachO stage 2 archive:
MachO stage 2 payload:
Stage 2 IP redirect providers:
Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.
- Update your understanding: Buyer's Guide for Software Supply Chain Security
- Join the Webinar: Why you need to upgrade your AppSec for the new era
- Get the report and take action: The State of Supply Chain Security 2024
- Join the discussion: State of Software Supply Chain Security Webinar
- See Gartner's guidance on managing software supply chain risk