Concise Cyber


AdaptixC2 Post-Exploitation Framework Spreads via Malicious NPM Package

Cybersecurity researchers have uncovered a malicious package in the npm ecosystem designed to distribute the AdaptixC2 post-exploitation framework. The package, named https-proxy-utils, successfully impersonated a legitimate utility by using a name deceptively similar to popular, trusted packages like http-proxy-agent and https-proxy-agent, which collectively have over 160 million weekly downloads. The threat actor also cloned functionality from another legitimate package, proxy-from-env, to complete the disguise.

The attack leverages a post-install script that activates after the package is installed. This script is responsible for downloading and executing the AdaptixC2 agent, a powerful tool considered an alternative to Cobalt Strike that grants attackers significant control over a compromised system.

Multi-OS Infection Vector

The malicious script is designed to be cross-platform, containing specific payload delivery methods for Windows, macOS, and Linux. This broad approach maximizes the potential victim pool for the attacker.

  • Windows: The agent is deployed as a DLL file in the C:\Windows\Tasks directory. It is then executed using a DLL sideloading technique by copying and running the legitimate msdtc.exe file from the same location.
  • macOS: The payload is downloaded into the user’s Library/LaunchAgents autorun directory, with a corresponding plist file to ensure it runs automatically. The script first checks the system architecture to fetch the correct x64 or ARM variant of the payload.
  • Linux: The agent is dropped into the /tmp/.fonts-unix directory. Similar to macOS, it selects an architecture-specific binary and assigns it execute permissions.

The Growing Threat to Open-Source Ecosystems

Once deployed, the AdaptixC2 agent provides attackers with capabilities for remote access, command execution, file management, and establishing persistence. This incident highlights a dangerous and growing trend of abusing trusted open-source software supply chains to distribute malware. It follows other high-profile incidents, such as the Shai-Hulud worm, which also used post-install scripts to infect hundreds of packages.

Developers and organizations are urged to exercise caution when installing open-source modules. It is crucial to verify package names, vet newer repositories, and monitor security feeds for news on compromised libraries to mitigate the risk of a supply chain attack.
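A concrete form of the checks recommended here, added as an example and not taken from the report or from npm's own tooling: it audits a package manifest before installation for lifecycle hooks that execute at install time (the mechanism the attack relies on), scans the install script those hooks reference for the drop-location strings reported for the three platforms, and flags names that imitate trusted packages either by small edits or by a shared prefix. The manifest and install.js contents are constructed placeholders, not the real package's files, and TRUSTED_NAMES and INDICATORS are assumptions drawn from this article.

```javascript
// Added example for this article (not code from the report or from npm):
// a pre-install audit of a package manifest and its referenced install script.
// The sample manifest and script further down are CONSTRUCTED for illustration.

// Names the article says the malicious package imitated (assumed allowlist).
const TRUSTED_NAMES = ["http-proxy-agent", "https-proxy-agent", "proxy-from-env"];

// npm runs these automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators taken from the article's reported drop locations, plus generic
// download-and-run primitives. The label is what the audit reports.
const INDICATORS = [
  { label: "windows-tasks-dir", re: /windows\\+tasks/i },
  { label: "msdtc-sideload", re: /msdtc\.exe/i },
  { label: "macos-launchagents", re: /library\/launchagents/i },
  { label: "linux-fonts-unix", re: /\/tmp\/\.fonts-unix/i },
  { label: "downloader", re: /\b(curl|wget)\b/i },
  { label: "chmod-exec", re: /\bchmod\s+\+x\b/i },
];

// Levenshtein edit distance with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// A non-trusted name within two edits of a trusted one, or one that shares
// its first two hyphen-separated tokens with it (e.g. "https-proxy-...").
function lookalikeOf(name) {
  if (TRUSTED_NAMES.includes(name)) return null;
  for (const trusted of TRUSTED_NAMES) {
    if (editDistance(name, trusted) <= 2) return { trusted, reason: "near-duplicate" };
    const a = name.split("-"), b = trusted.split("-");
    let shared = 0;
    while (shared < a.length && shared < b.length && a[shared] === b[shared]) shared++;
    if (shared >= 2) return { trusted, reason: "shared prefix" };
  }
  return null;
}

// Local JS file a hook command hands to node, if any (e.g. "node install.js").
function referencedScript(command) {
  const m = /\bnode\s+(\S+\.[cm]?js)\b/.exec(command);
  return m ? m[1] : null;
}

// files: map of filename -> contents, so referenced scripts can be scanned too.
function auditPackage(manifestText, files = {}) {
  const pkg = JSON.parse(manifestText);
  const scripts = pkg.scripts || {};
  const hooks = [];
  const indicators = new Set();
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    hooks.push(hook);
    const ref = referencedScript(cmd);
    const body = cmd + "\n" + (ref && files[ref] ? files[ref] : "");
    for (const { label, re } of INDICATORS) if (re.test(body)) indicators.add(label);
  }
  return {
    name: pkg.name,
    hooks,
    indicators: [...indicators].sort(),
    lookalike: lookalikeOf(pkg.name || ""),
  };
}

// Constructed sample: the package name is from the article, everything else is made up.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "https-proxy-utils",
  version: "1.0.0",
  scripts: { postinstall: "node install.js" },
});

// Constructed stand-in for the loader: it only carries the strings a scanner
// would look for and does nothing itself.
const SAMPLE_FILES = {
  "install.js": [
    "// constructed sample, not the real script",
    "const winDir = 'C:\\\\Windows\\\\Tasks'; // launched via msdtc.exe",
    "const macDir = 'Library/LaunchAgents';",
    "const linuxDir = '/tmp/.fonts-unix';",
  ].join("\n"),
};

console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

Run it with node to see the findings for the constructed sample: one install-time hook, four indicator matches, and a shared-prefix lookalike of https-proxy-agent. The audit tells you which dependencies deserve a closer look; `npm install --ignore-scripts` blocks lifecycle hooks outright and is the bluntest mitigation for the install-time execution described in this article.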

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
