The Ethers-Providerz Package: A Closer Look
Similarities with Ethers-Provider2
The ethers-providerz package is very similar to ethers-provider2, but its earlier versions show that the attackers experimented with different approaches before settling on the current implementation. For example, in one earlier version the attackers tried to patch files from the package @ethersproject/providers.
The Additional File Loader.js
The additional file loader.js, which contains the download code for the third-stage payload, is created in the node_modules folder, where npm packages are normally installed. The interesting part is that there is a legitimate npm package called loader.js with over 24 million downloads and 5,200 dependent applications. If that package is already present locally, the malware patches it; if it is not, the malware impersonates it.
Evasive Techniques Used by Attackers
"While not as common as infostealers on the npm platform, downloaders are far from uncommon and are frequently encountered," the ReversingLabs researchers said. "However, this downloader is notable because of the exceptional strategies employed by the attackers to hide the malicious payload it delivered. These evasive techniques were more thorough and effective than we have observed in npm-based downloaders before."
Conclusion
In conclusion, the ethers-providerz package is a sophisticated tool used by attackers to hide malicious payloads. Its similarities with ethers-provider2 and the additional file loader.js created in the node_modules folder make it a challenging target for detection. The evasive techniques used by the attackers to hide the malicious payload make it a notable case study in the field of cybersecurity.
FAQs
Q: What is the purpose of the ethers-providerz package?
A: The purpose of the ethers-providerz package is to hide malicious payloads and deliver them to targeted systems.
Q: How does the package work?
A: The package creates a file named loader.js, containing the download code for the third-stage payload, in the node_modules folder. If the legitimate loader.js package is already present locally, the malware patches it; if it is not, the malware impersonates it.
Q: What are some notable features of this downloader?
A: Some notable features of this downloader are its evasive techniques, such as patching legitimate npm packages and impersonating existing packages. These techniques make it more challenging to detect and remove the malicious payload.
Q: How common are downloaders on the npm platform?
A: While not as common as infostealers, downloaders are far from uncommon and are frequently encountered. However, this downloader is notable due to its exceptional strategies employed to hide the malicious payload.