Iran-Targeting Malware Infects Open Source Software

Summary
– A new hacking group named TeamPCP is spreading a unique, self-propagating backdoor and a data wiper targeting Iranian machines.
– The group uses large-scale automation to compromise servers for activities like data theft, ransomware, and cryptocurrency mining.
– TeamPCP recently executed a supply-chain attack by compromising the GitHub account of Aqua Security to target the Trivy vulnerability scanner.
– Their worm-enabled malware automatically spreads by hijacking npm repository tokens and infecting software packages.
– The worm is controlled by a tamper-proof system using Internet Computer Protocol canisters to dynamically update its command servers.
A previously unknown hacking collective has been conducting a persistent and aggressive campaign across the internet, deploying a novel, self-spreading backdoor alongside a data wiper specifically designed for systems in Iran. Designated as TeamPCP, the group first came to the attention of cybersecurity analysts in December. Researchers at Flare noted the actors were using a worm to target insecurely configured cloud platforms, aiming to construct a distributed network for scanning and proxy services. This infrastructure was then leveraged for a range of malicious activities, including data theft, ransomware deployment, extortion, and cryptocurrency mining. The operation stands out for its sophisticated use of automation and its effective integration of established attack methods.
TeamPCP’s operations are characterized by their relentless evolution. The group consistently refines its malware to expand its control over infected systems. In a significant escalation last week, TeamPCP executed a supply-chain attack by compromising the GitHub account of Aqua Security, the developer of the popular Trivy vulnerability scanner. This breach allowed the hackers to insert malicious code into virtually all versions of the Trivy software, distributing their payload through a trusted source.
The campaign intensified over the weekend with the deployment of a new, highly potent worm. This malware possesses self-propagating capabilities, enabling it to spread to new machines automatically without any user interaction. Once a system is infected, the worm aggressively searches for access credentials to the npm repository. It then compromises any publishable packages it can access by creating new versions laced with its malicious code. Security firm Aikido documented the worm targeting 28 separate packages in under a minute, demonstrating its speed and efficiency.
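The propagation step described above leaves a trace that maintainers and consumers can check for: a package whose registry "latest" suddenly differs from the version pinned in a lockfile and was published only hours ago. The following script is an added example (not code from the article, Aikido, or TeamPCP) that compares lockfile pins against registry metadata shaped like the npm registry's `dist-tags` and `time` fields and flags recent, unexpected releases. The package names, versions and timestamps are constructed for the example; the 48-hour window is an assumed threshold.

```python
"""Flag lockfile-pinned npm packages whose registry 'latest' changed recently.

Added example: the pins and registry metadata below are constructed, not real
npm data. Real metadata in the same shape comes from
`npm view <name> dist-tags time --json` or https://registry.npmjs.org/<name>.
"""
from datetime import datetime, timedelta, timezone

# Constructed lockfile pins (package name -> resolved version), standing in
# for the "packages" section of a package-lock.json.
LOCKFILE_PINS = {
    "left-pad-demo": "1.3.0",
    "acme-logger": "2.1.4",
    "acme-utils": "0.9.2",
}

# Constructed registry metadata in the shape of the npm registry response:
# "dist-tags" names the current latest, "time" maps each version to its
# publish timestamp. acme-logger gained a version a few hours before NOW.
REGISTRY_METADATA = {
    "left-pad-demo": {
        "dist-tags": {"latest": "1.3.0"},
        "time": {"1.3.0": "2025-11-02T10:00:00.000Z"},
    },
    "acme-logger": {
        "dist-tags": {"latest": "2.1.5"},
        "time": {
            "2.1.4": "2026-01-10T12:00:00.000Z",
            "2.1.5": "2026-03-22T04:00:00.000Z",
        },
    },
    "acme-utils": {
        "dist-tags": {"latest": "0.9.3"},
        "time": {
            "0.9.2": "2025-09-15T08:30:00.000Z",
            "0.9.3": "2025-12-01T09:00:00.000Z",
        },
    },
}

# Fixed "now" so the example is deterministic; a real run uses datetime.now(timezone.utc).
NOW = datetime(2026, 3, 22, 9, 0, tzinfo=timezone.utc)


def parse_npm_time(value: str) -> datetime:
    """Parse an npm registry timestamp (ISO 8601 with a trailing Z) to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_suspicious_releases(pins, registry, now=NOW, window=timedelta(hours=48)):
    """Return packages whose 'latest' differs from the pin and was published within `window`.

    A fresh release that is newer than the pin is exactly what a hijacked
    publish token produces; an old drift (pin simply behind) is not flagged.
    """
    findings = []
    for name, pinned in pins.items():
        meta = registry.get(name)
        if meta is None:
            continue  # not in the registry snapshot; nothing to compare
        latest = meta["dist-tags"]["latest"]
        if latest == pinned:
            continue  # pin already matches the newest release
        published = parse_npm_time(meta["time"][latest])
        age = now - published
        if age <= window:
            findings.append({
                "package": name,
                "pinned": pinned,
                "latest": latest,
                "age_hours": round(age.total_seconds() / 3600, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_releases(LOCKFILE_PINS, REGISTRY_METADATA):
        print(f"{finding['package']}: pinned {finding['pinned']}, "
              f"latest {finding['latest']} published {finding['age_hours']}h ago")
```

Because `npm ci` installs exactly what the lockfile resolves, a pinned build is not changed by a rogue release on its own; the check above is for the review step where pins are bumped, and for maintainers confirming that nothing was published under their name that they did not release. Revoking and rotating publish tokens stored on build hosts removes the credential the worm is described as harvesting.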
Early iterations required an attacker to manually spread the worm across each accessible package. However, updated versions released recently removed this limitation, granting the malware significantly broader and more autonomous reach. Command and control for this worm is managed through an unusual and resilient mechanism. The operators use an Internet Computer Protocol-based canister, a form of tamper-proof smart contract designed to be impervious to third-party takedowns or alterations. This canister dynamically points infected machines to ever-changing URLs where malicious binaries are hosted. This architecture provides the attackers with a persistent and flexible command channel, allowing them to update server addresses at will. Compromised machines are configured to check in with this canister every 50 minutes, maintaining the connection for ongoing control.
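A fixed check-in interval like the 50 minutes described above is a detectable pattern in outbound proxy or firewall logs, independent of which URL the canister currently hands out. The script below is an added example (not from the article or any named vendor) of the general technique: group outbound connections by source host and destination, compute the gaps between consecutive connections, and flag pairs whose gaps are nearly constant. The log lines, hostnames and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed; the jitter threshold and minimum event count are assumed tuning values.

```python
"""Detect fixed-interval outbound check-ins (beaconing) in proxy log lines.

Added example: SAMPLE_LOG is constructed. build-07 connects to 203.0.113.10
roughly every 50 minutes; dev-02 shows ordinary irregular traffic and must
not be flagged.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

SAMPLE_LOG = """\
2026-03-21T00:00:00Z host=build-07 dst=203.0.113.10 bytes=412
2026-03-21T00:50:03Z host=build-07 dst=203.0.113.10 bytes=409
2026-03-21T01:39:58Z host=build-07 dst=203.0.113.10 bytes=415
2026-03-21T02:30:01Z host=build-07 dst=203.0.113.10 bytes=411
2026-03-21T03:20:00Z host=build-07 dst=203.0.113.10 bytes=413
2026-03-21T00:03:11Z host=dev-02 dst=198.51.100.7 bytes=20311
2026-03-21T00:04:40Z host=dev-02 dst=198.51.100.7 bytes=1024
2026-03-21T00:31:05Z host=dev-02 dst=198.51.100.7 bytes=5000
2026-03-21T02:15:22Z host=dev-02 dst=198.51.100.7 bytes=800
2026-03-21T02:16:00Z host=dev-02 dst=198.51.100.7 bytes=77
"""

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_log(text: str):
    """Group connection timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the scan
        ts = datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))
        events[(match.group(2), match.group(3))].append(ts)
    return events


def find_beacons(events, min_events=4, max_jitter=0.05):
    """Return (host, dst) pairs whose inter-connection gaps are nearly constant.

    jitter = population stddev of the gaps / median gap. Human-driven traffic
    has jitter well above 1; a timer-driven check-in sits close to 0.
    """
    findings = []
    for (host, dst), times in events.items():
        if len(times) < min_events:
            continue  # too few samples to call a rhythm
        times = sorted(times)
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue  # duplicate timestamps; not a usable interval
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            findings.append({
                "host": host,
                "dst": dst,
                "period_min": round(period / 60, 1),
                "jitter": round(jitter, 3),
                "events": len(times),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['host']} -> {hit['dst']}: every {hit['period_min']} min "
              f"(jitter {hit['jitter']}, {hit['events']} connections)")
```

In practice the same grouping is run over a day or more of logs and the flagged pairs are reviewed against known schedulers (package mirrors, monitoring agents, update checks) before anything is treated as a compromise; the value of the method is that it keys on the timer, which the operators keep, rather than on the hosting URL, which they rotate.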
(Source: Ars Technica)