Based on GitHub Advisory Database:
https://github.com/advisories/GHSA-g2q5-5433-rhrf – Embedded malware in rc
https://github.com/advisories/GHSA-73qr-pfmq-6rp8 – Embedded malware in coa

rc affected versions:
= 1.2.9
= 1.3.9
= 2.3.9

coa affected versions:
= 2.0.3
= 2.0.4
= 2.1.1
= 2.1.3
= 3.0.1
= 3.1.3

We can use the Carbon Black Investigate feature to check whether any of the malicious npm library versions have been installed in our environments. Here are the queries to do that:

Search for affected coa & rc library versions:

(filemod_name:\coa-2.0.3* OR filemod_name:\coa-2.0.4* OR filemod_name:\coa-2.1.1* OR filemod_name:\coa-2.1.3* OR filemod_name:\coa-3.0.1* OR filemod_name:\coa-3.1.3* OR filemod_name:\rc-1.2.9* OR filemod_name:\rc-1.3.9* OR filemod_name:\rc-2.3.9*)
Search for possible C2:

netconn_domain:pastorcryptograph[.]at

IOC:

• pastorcryptograph[.]at
• sdd.dll from coa - SHA256: f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591
• sdd.dll from rc - SHA256: 26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf
• sdd.dll - SHA256: 687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65
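The two Carbon Black queries above and the IOC list below them can be turned into a small offline check for hosts where no EDR query is available. The following Python script is an added example and is not part of the original post or of the Carbon Black product: it scans a package-lock.json (both the lockfileVersion 1 "dependencies" layout and the v2/v3 "packages" layout) for the affected coa and rc versions, and then classifies constructed EDR-style events by exact package version, by the C2 domain, and by the sdd.dll SHA256 hashes. The event field names (filemod_name, netconn_domain, filemod_hash) and all sample events and lock files are assumptions constructed for the example.

```python
"""Offline check for the coa/rc npm supply-chain IoCs listed in the post.

Added example, not the post's own Carbon Black query. Event field names and
all sample data below are constructed for illustration.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Affected versions from the GitHub advisories cited in the post.
AFFECTED = {
    "coa": {"2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.0.1", "3.1.3"},
    "rc": {"1.2.9", "1.3.9", "2.3.9"},
}
# C2 domain from the post (written defanged as pastorcryptograph[.]at there).
C2_DOMAINS = {"pastorcryptograph.at"}
# SHA256 hashes of the dropped sdd.dll from the post's IOC list.
SDD_DLL_SHA256 = {
    "f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591",
    "26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf",
    "687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65",
}

# Matches "<name>-<x.y.z>" at a path boundary, e.g. "...\coa-2.0.3.tgz".
# Requiring a "." or separator after the version avoids the prefix problem of
# a wildcard such as coa-2.0.3*, which would also match coa-2.0.30.
FILEMOD_RE = re.compile(r"(?:^|[\\/])(coa|rc)-(\d+\.\d+\.\d+)(?=[\\/.]|$)")


def affected_packages_in_lockfile(lock_text: str) -> List[Tuple[str, str]]:
    """Return sorted (package, version) pairs in a package-lock.json that are affected."""
    data = json.loads(lock_text)
    hits = set()

    # lockfileVersion 2/3: "packages" keyed by install path ("node_modules/coa").
    for path, meta in data.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED and meta.get("version") in AFFECTED[name]:
            hits.add((name, meta["version"]))

    # lockfileVersion 1: "dependencies" keyed by name, nested recursively.
    def walk(deps: Dict[str, dict]) -> None:
        for name, meta in deps.items():
            if name in AFFECTED and meta.get("version") in AFFECTED[name]:
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(hits)


def match_event(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if a single event matches an IoC, else None."""
    m = FILEMOD_RE.search(event.get("filemod_name", ""))
    if m and m.group(2) in AFFECTED[m.group(1)]:
        return f"affected package archive {m.group(1)}@{m.group(2)}"
    if event.get("netconn_domain", "").lower() in C2_DOMAINS:
        return "connection to known C2 domain"
    if event.get("filemod_hash", "").lower() in SDD_DLL_SHA256:
        return "known malicious sdd.dll hash"
    return None


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every event that matches an IoC."""
    return [(i, r) for i, e in enumerate(events) if (r := match_event(e))]


# Constructed sample data (not real captures).
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "coa": {"version": "2.0.3", "dependencies": {"rc": {"version": "1.2.9"}}},
        "rc": {"version": "1.2.8"},
        "left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_LOCK_V2 = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/coa": {"version": "3.1.3"},
        "node_modules/coa/node_modules/rc": {"version": "2.3.10"},
    },
})
SAMPLE_EVENTS = [
    {"filemod_name": r"C:\Users\dev\AppData\Local\npm-cache\_cacache\tmp\coa-2.0.3.tgz"},
    {"filemod_name": "/home/dev/.npm/_cacache/tmp/rc-2.3.10.tgz"},  # not an affected version
    {"netconn_domain": "pastorcryptograph.at"},
    {"filemod_name": r"C:\project\node_modules\coa\sdd.dll",
     "filemod_hash": "f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591"},
    {"netconn_domain": "registry.npmjs.org"},
]

if __name__ == "__main__":
    print("lock v1:", affected_packages_in_lockfile(SAMPLE_LOCK_V1))
    print("lock v2:", affected_packages_in_lockfile(SAMPLE_LOCK_V2))
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Note that the exact-version regex is deliberately stricter than the post's `coa-2.0.3*` wildcard, which would also hit a hypothetical coa-2.0.30 archive; when hunting in Carbon Black the broader match is an acceptable trade-off, but in an automated check it produces false positives.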

References:
https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/
https://www.virustotal.com/gui/file/687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65/detection/
https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-062.pdf

By zam
