Poisoned WhatsApp API package steals messages and accounts
Briefly

"In addition to working as advertised, the secret-stealing library, which is a fork of the legitimate @whiskeysockets/baileys package, uses WebSocket to communicate with WhatsApp. However, this means that every WhatsApp communication passes through the socket wrapper, allowing it to capture your credentials when you log in and intercept messages as they are sent and received. 'All your WhatsApp authentication tokens, every message sent or received, complete contact lists, media files - everything that passes through the API gets duplicated and prepared for exfiltration,' Admoni wrote."
"The malware also uses a custom RSA implementation to encrypt the data, plus four layers of obfuscation - Unicode manipulation, LZString compression, Base-91 encoding, and AES encryption - before sending the stolen info to an attacker-controlled server. Plus, it backdoors the user's WhatsApp account via the chat app's device pairing process, linking the attacker's device to the victim's. This means even after uninstalling the malicious npm package, the attacker's device can remain linked to the unknowing user's WhatsApp account."
The lotusbail npm package has been available for six months and has accumulated over 56,000 downloads. The package is a fork of the legitimate @whiskeysockets/baileys library and implements a working WhatsApp Web API on top of a WebSocket wrapper. Every WhatsApp communication passes through that wrapper, which lets the package capture authentication tokens, messages, contact lists, and media, then duplicate those secrets and stage them for exfiltration. The malware encrypts the stolen data with a custom RSA implementation and applies four obfuscation layers (Unicode manipulation, LZString compression, Base-91 encoding, AES encryption) before sending it to an attacker-controlled server. Because the package also links the attacker's device to the victim's account through WhatsApp's device-pairing flow, the attacker can remain connected to the account even after the package is uninstalled.
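For a team responding to this report, the first practical question is whether `lotusbail` is present anywhere in a project's dependency tree, including transitively via some wrapper library that depends on it. The following is an added example written for this summary, not code from the article or from any npm tooling. It parses a lockfile in the npm `lockfileVersion` 2/3 layout (the `packages` map keyed by `node_modules/...` paths), flags any entry whose name is on a blocklist, and walks the reverse dependency graph back to the project root so the report shows which direct dependency pulled the package in. The sample lockfile, the `wa-helper` package and all version strings are constructed for the demonstration; only the `lotusbail` and `@whiskeysockets/baileys` names come from the report.

```python
import json
from collections import deque

# Package names reported as malicious. Only "lotusbail" comes from the article;
# extend this set from your own advisory feed.
MALICIOUS = {"lotusbail"}

ROOT = "<root>"  # label for the project's own package-lock entry (key "")

# Constructed sample lockfile (lockfileVersion 3 layout). The project does not
# depend on lotusbail directly; a hypothetical "wa-helper" package pulls it in.
SAMPLE_LOCK = json.dumps({
    "name": "chat-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "chat-bot", "version": "1.0.0",
             "dependencies": {"wa-helper": "^2.0.0", "express": "^4.0.0"}},
        "node_modules/express": {"version": "4.0.0-constructed"},
        "node_modules/wa-helper": {"version": "2.0.0-constructed",
                                   "dependencies": {"lotusbail": "^6.0.0"}},
        "node_modules/lotusbail": {"version": "6.0.0-constructed"},
    },
})

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def _name_from_key(key):
    """Turn a lockfile key like 'node_modules/a/node_modules/@s/b' into '@s/b'."""
    marker = "node_modules/"
    idx = key.rfind(marker)
    return key[idx + len(marker):] if idx != -1 else key


def dependents_of(lock):
    """Build a reverse graph: package name -> set of packages that depend on it."""
    rev = {}
    for key, entry in lock.get("packages", {}).items():
        owner = _name_from_key(key) if key else ROOT
        for field in DEP_FIELDS:
            for dep in entry.get(field, {}):
                rev.setdefault(dep, set()).add(owner)
    return rev


def chain_to_root(name, rev):
    """Shortest path from the project root down to `name`, or None if unreachable."""
    prev = {name: None}
    queue = deque([name])
    while queue:
        cur = queue.popleft()
        if cur == ROOT:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path  # root first, flagged package last
        for parent in sorted(rev.get(cur, ())):
            if parent not in prev:
                prev[parent] = cur
                queue.append(parent)
    return None


def find_malicious(lock_text, malicious=MALICIOUS):
    """Return one record per installed package whose name is on the blocklist."""
    lock = json.loads(lock_text)
    rev = dependents_of(lock)
    hits = []
    for key, entry in lock.get("packages", {}).items():
        if not key:
            continue  # skip the project root entry itself
        name = _name_from_key(key)
        if name in malicious:
            hits.append({
                "name": name,
                "version": entry.get("version"),
                "path": chain_to_root(name, rev),
            })
    return hits


if __name__ == "__main__":
    for hit in find_malicious(SAMPLE_LOCK):
        print(f"{hit['name']}@{hit['version']} reached via: {' -> '.join(hit['path'])}")
```

Run it against a real `package-lock.json` by reading the file contents into `find_malicious`. A hit whose path goes through an unfamiliar intermediate package is the more worrying case, since the project's own `package.json` will not mention the malicious name at all; and, as the report notes, removing the package is not sufficient on its own, because any device the package paired still has to be unlinked in WhatsApp's linked-devices settings.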
Read at The Register