
Cybersecurity researchers have flagged a malicious Packagist PHP package masquerading as a Laravel utility that acts as a vector for a cross-platform remote access trojan (RAT) that works on Windows, macOS, and Linux systems.
The names of the packages are listed below:

- nhattuanbl/lara-helper (37 downloads)
- nhattuanbl/simple-queue (29 downloads)
- nhattuanbl/lara-swagger (49 downloads)
According to Socket, "nhattuanbl/lara-swagger" does not directly embed any malicious code but lists "nhattuanbl/lara-helper" as a Composer dependency, so installing it pulls the RAT in. The packages are still available for download from the PHP package registry.
Both lara-helper and simple-queue contain a PHP file named "src/helper.php". The file uses several techniques to complicate static analysis: control-flow obfuscation, encoding of domain names, command names, and file paths, and randomized variable and function names.
"Once loaded, the payload connects to the C2 server at helper.leuleu.[.]net:2096, sends system reconnaissance data, and waits for commands. This gives the operator full remote access to the host," said security researcher Kush Pandya.
This includes sending system information and parsing commands received from the C2 server for subsequent execution on the compromised host. Communication is done over TCP using PHP's stream_socket_client(). The list of supported commands is below:

- ping: automatically sends a heartbeat every 60 seconds
- info: sends system reconnaissance data to the C2 server
- cmd: runs a shell command
- powershell: runs a PowerShell command
- run: runs a shell command in the background
- screenshot: captures the screen using imagegrabscreen()
- downloads: reads files from disk
- uploads: grants read, write, and execute permissions on files on disk to all users
- stop: closes the sockets and exits
“When executing a shell, the RAT looks at disable_functions and chooses the first available method: popen, proc_open, exec, shell_exec, system, passthru,” Pandya said. “This makes it more resilient to common PHP hardening configurations.”
Although the C2 server is currently unresponsive, the RAT retries the connection every 15 seconds in a persistent loop, so the risk remains. We recommend that users who have installed the package assume a compromise, remove the package, rotate all secrets reachable from the application environment, and audit outbound traffic to the C2 server.
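A defender-side check for the two points above, as an added example that is not from Socket's report or from the packages themselves: it flags the three named packages (or anything that requires them) in a composer.lock, and reports which of the six execution functions a php.ini disable_functions line still leaves callable. The composer.lock and php.ini fragments are constructed samples.

```python
import json

# Package names reported by Socket (taken from the article above).
MALICIOUS_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}
# Shell-execution functions the RAT is reported to try, in this order.
EXEC_FUNCTIONS = ["popen", "proc_open", "exec", "shell_exec", "system", "passthru"]


def find_malicious_packages(lock_json: str) -> list[str]:
    """Scan composer.lock text; return flagged names and 'parent -> dep' edges."""
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name in MALICIOUS_PACKAGES:
                hits.append(name)
            # lara-swagger is clean itself but pulls lara-helper in via require
            for dep in pkg.get("require", {}):
                if dep in MALICIOUS_PACKAGES:
                    hits.append(f"{name} -> {dep}")
    return hits


def unblocked_exec_functions(php_ini: str) -> list[str]:
    """Return which of EXEC_FUNCTIONS a php.ini's disable_functions leaves callable."""
    disabled: set[str] = set()
    for line in php_ini.splitlines():
        line = line.strip()
        if line.startswith("disable_functions"):  # commented-out lines start with ';'
            _, _, value = line.partition("=")
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


# Constructed sample inputs (not files taken from a compromised host).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "require": {"php": "^8.1"}},
    {"name": "nhattuanbl/lara-swagger", "require": {"nhattuanbl/lara-helper": "*"}},
    {"name": "nhattuanbl/lara-helper", "require": {}},
], "packages-dev": []})
PARTIAL_INI = "disable_functions = exec,shell_exec,system,passthru\n"  # leaves popen/proc_open
FULL_INI = "disable_functions = " + ",".join(EXEC_FUNCTIONS) + "\n"

if __name__ == "__main__":
    print("flagged:", find_malicious_packages(SAMPLE_LOCK))
    print("still callable (partial):", unblocked_exec_functions(PARTIAL_INI))
    print("still callable (full):", unblocked_exec_functions(FULL_INI))
```

The partial php.ini shows the point Pandya makes: disabling four of the six functions still leaves popen and proc_open for the RAT to fall back on.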
In addition to the three packages mentioned above, the attacker behind this operation has published three other libraries: "nhattuanbl/lara-media", "nhattuanbl/snooze", and "nhattuanbl/syslog". These are clean and likely intended to build trust and trick users into installing the malicious packages.
“Laravel applications with lara-helper or simple-queue installed are running a persistent RAT. Threat actors have full remote shell access, can read and write arbitrary files, and receive continuous system profiles for each connected host,” Socket said.
"Because activation occurs at application startup (via a service provider) or class autoload (via simple-queue), the RAT runs in the same process as the web application, using the same file system permissions and environment variables such as database credentials, API keys, and .env content."
