Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux
"According to Socket, the package 'nhattuanbl/lara-swagger' does not directly embed malicious code but lists 'nhattuanbl/lara-helper' as a Composer dependency, causing it to install the RAT. The packages are still available for download from the PHP package registry."
"Both lara-helper and simple-queue have been found to contain a PHP file named 'src/helper.php', which employs a number of tricks to complicate static analysis by making use of techniques like control flow obfuscation, encoding domain names, command names, and file paths, and randomized identifiers for variable and function names."
"Once loaded, the payload connects to a C2 server at helper.leuleu[.]net:2096, sends system reconnaissance data, and waits for commands -- giving the operator full remote access to the host. This includes sending system information and parsing commands received from the C2 server for subsequent execution on the compromised host."
Three malicious PHP packages on Packagist (nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger) masquerade as Laravel utilities while distributing a cross-platform remote access trojan (RAT). lara-swagger contains no malicious code itself but installs the RAT indirectly by listing lara-helper as a Composer dependency. Both lara-helper and simple-queue ship an obfuscated src/helper.php that uses control flow obfuscation, encoded domain names, command names and file paths, and randomized variable and function names to hinder static analysis. Once executed, the payload connects to a C2 server at helper.leuleu[.]net:2096, sends system reconnaissance data and waits for commands. The RAT supports shell command execution, PowerShell commands, screenshot capture, file upload and download, and background process execution, giving the operator complete remote access to the compromised host.
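The transitive-dependency angle is the practical lesson here: a project that never asked for lara-helper still ends up with it when lara-swagger is required. The following added example (not code from the article or from Socket) audits a composer.lock for the three package names named above and reports whether each was required directly or pulled in by another locked package; the lock entries, version numbers and root composer.json require map are constructed for illustration.

```python
import json

# Package names reported as malicious on Packagist (from the article).
MALICIOUS_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

# Constructed composer.lock fragment (versions are placeholders). Each lock
# entry's "require" map records that package's own dependencies, which is how
# lara-swagger pulls in lara-helper without embedding malicious code itself.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0", "require": {}},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0",
         "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0", "require": {}},
    ],
    "packages-dev": [],
})

# Constructed "require" section of the project's own composer.json.
SAMPLE_ROOT_REQUIRE = {"laravel/framework": "^11.0", "nhattuanbl/lara-swagger": "^1.0"}


def audit_lock(lock_json, root_require):
    """Return {flagged_package: [reason, ...]} for every known-bad package in
    the lock file. A reason is 'direct' when the project's composer.json lists
    it, and 'via <parent>' for each locked package whose require pulls it in."""
    lock = json.loads(lock_json)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    findings = {}
    for entry in entries:
        name = entry["name"]
        if name not in MALICIOUS_PACKAGES:
            continue
        reasons = []
        if name in root_require:
            reasons.append("direct")
        for parent in entries:
            if name in parent.get("require", {}):
                reasons.append(f"via {parent['name']}")
        findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in audit_lock(SAMPLE_LOCK, SAMPLE_ROOT_REQUIRE).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

Run against a real lock file, the "via" reasons point at the package that must be removed for the transitive dependency to disappear; dropping only lara-helper from composer.json would not help when lara-swagger still requires it.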
Read at The Hacker News