The popular NPM package ua-parser-js gathers over 8 million downloads per week; it is used to detect the client’s machine information, including browser, OS, and more. On October 22, 2021, the package developer’s NPM account was hijacked and used to deploy malicious versions (0.7.29, 0.8.0, 1.0.0) of the package, resulting in a supply chain attack on systems that downloaded those versions. The payload is reported to be a password-stealing trojan (DANABOT), which is downloaded and executed on affected machines as create.dll.
See this article for more information about the full behavior of the malicious versions of ua-parser-js.
As described in the BleepingComputer article, the password-stealing trojan create.dll is launched from the batch file preinstall.bat with the command “regsvr32.exe -s create.dll”; the -s switch suppresses any message boxes.
Upon execution, the malware loads the libraries it needs (wshtcpip.dll, mswsock.dll, ws2_32.dll) to communicate with its C&C server.
These indirect calls to API functions are one of its anti-analysis techniques, intended to confuse debuggers.
It uses port 443 for its communications with the C&C server. The port and the C&C IP address are stored in a sockaddr structure.
Encrypted Communications
Once the connection with the C&C server is established, it uses advapi32.dll functions for its encrypted communications.
The malware uses the following functions for its encryption:
CryptAcquireContext: Obtains a handle to a cryptographic service provider (CSP). This call sets the CRYPT_VERIFYCONTEXT flag, which is normally used by “applications that are using ephemeral keys”, and the provider type is PROV_RSA_FULL. The returned CSP handle is then used to generate the session key in the CryptGenKey call.
CryptGenKey: Generates a public/private key pair and returns a handle to the newly generated key.
CryptExportKey: Exports the public/private key pair. The handle of the key pair is passed to this function, which returns the key as BLOB data.
CryptDestroyKey: Releases the key handle created by CryptGenKey.
CryptReleaseContext: Releases the CSP handle returned by CryptAcquireContext.
CryptEncrypt: Encrypts data using the key generated by the previous API calls.
CryptCreateHash: Initiates hashing of a data stream and returns a handle to a CSP hash object.
CryptHashData: Computes the cryptographic hash of a stream of data; the handle from CryptCreateHash is passed to this function.
CryptDestroyHash: Destroys the hash object handle created by CryptCreateHash.
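CryptExportKey returns the key pair in CryptoAPI’s key BLOB layout: a BLOBHEADER, an RSAPUBKEY block (magic “RSA1” for public, “RSA2” for private keys, bit length, public exponent) and the modulus in little-endian byte order, with the CRT components appended for private keys. An analyst who finds such a BLOB in a memory dump or a captured payload can recover the key material the sample exported. The following scanner and parser is an added example, not code from the article or from the malware; the buffer it is run on and the 16-bit key inside it are constructed sample data.

```python
import struct
from dataclasses import dataclass
# wincrypt.h values for the RSA key BLOBs that CryptExportKey emits under PROV_RSA_FULL
PUBLICKEYBLOB, PRIVATEKEYBLOB, CUR_BLOB_VERSION = 0x06, 0x07, 0x02
CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400
RSA1_MAGIC, RSA2_MAGIC = 0x31415352, 0x32415352   # b"RSA1" public, b"RSA2" private
BLOBHEADER = struct.Struct("<BBHI")               # bType, bVersion, reserved, aiKeyAlg
RSAPUBKEY = struct.Struct("<III")                 # magic, bitlen, pubexp

@dataclass
class RsaKeyBlob:
    offset: int     # start of the BLOB in the scanned buffer
    private: bool   # PRIVATEKEYBLOB (RSA2) rather than PUBLICKEYBLOB (RSA1)
    alg_id: int     # CALG_RSA_KEYX (key exchange) or CALG_RSA_SIGN
    bitlen: int
    pubexp: int
    modulus: int    # n, converted from CryptoAPI's little-endian byte order
    size: int       # total BLOB length in bytes

def parse_rsa_key_blob(buf: bytes, off: int = 0) -> RsaKeyBlob:
    """Parse one RSA PUBLICKEYBLOB/PRIVATEKEYBLOB at buf[off:]; ValueError if malformed."""
    btype, ver, _reserved, alg = BLOBHEADER.unpack_from(buf, off)
    magic, bitlen, pubexp = RSAPUBKEY.unpack_from(buf, off + BLOBHEADER.size)
    if (ver != CUR_BLOB_VERSION or alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN) or bitlen % 8
            or (btype, magic) not in ((PUBLICKEYBLOB, RSA1_MAGIC), (PRIVATEKEYBLOB, RSA2_MAGIC))):
        raise ValueError("not a well-formed CryptoAPI RSA key BLOB")
    private, nbytes = btype == PRIVATEKEYBLOB, bitlen // 8
    start = off + BLOBHEADER.size + RSAPUBKEY.size
    # A public BLOB ends after the modulus; a private one adds p, q, dp, dq, iq (bitlen/16 each) and d
    size = start - off + nbytes + (5 * (bitlen // 16) + nbytes if private else 0)
    if len(buf) < off + size:
        raise ValueError("BLOB truncated")
    modulus = int.from_bytes(buf[start:start + nbytes], "little")
    return RsaKeyBlob(off, private, alg, bitlen, pubexp, modulus, size)

def find_rsa_key_blobs(buf: bytes) -> list:
    """Scan a memory dump or captured payload for exported RSA key BLOBs."""
    found = []
    for magic in (RSA1_MAGIC, RSA2_MAGIC):
        needle, pos = struct.pack("<I", magic), BLOBHEADER.size  # magic follows the 8-byte BLOBHEADER
        while (pos := buf.find(needle, pos)) != -1:
            try:
                found.append(parse_rsa_key_blob(buf, pos - BLOBHEADER.size))
            except (ValueError, struct.error):
                pass
            pos += 1
    return sorted(found, key=lambda b: b.offset)
# Constructed sample: a 16-bit public key (n = 61 * 53 = 3233, e = 17) wrapped in junk bytes
SAMPLE_BUFFER = (b"\x00" * 7 + BLOBHEADER.pack(PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
                 + RSAPUBKEY.pack(RSA1_MAGIC, 16, 17) + (3233).to_bytes(2, "little") + b"\xff" * 3)
```

Running `find_rsa_key_blobs(SAMPLE_BUFFER)` yields one public BLOB at offset 7 with modulus 3233 and exponent 17; a truncated buffer or a BLOB whose type byte disagrees with its magic is rejected rather than mis-parsed.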
After its encryption and hashing routine, it communicates with the C&C server using ws2_32.dll functions.
Although the initial beacon was found to start with the byte pattern 0x24, 0x01, the encrypted communications prevent intrusion detection systems from matching signatures against the malware’s traffic and the data being exfiltrated from the machine.
Other indicators that your machine ran the create.dll malware:
A file named “Bynooty” in the C:\ProgramData folder