Kaspersky uncovers AdaptixC2 delivery via npm typosquatting

Last updated: 10/22/2025
  • The malicious npm package "https-proxy-utils" delivered the AdaptixC2 agent through an install script.
  • The attack used typosquatting to imitate proxy utilities that are downloaded widely across the npm ecosystem.
  • Delivery supports Windows, macOS and Linux, with architecture-aware builds for each platform.
  • Researchers published IoCs and mitigation advice, noting that the package has been removed from npm.

AdaptixC2 supply chain attack

In October 2025, security analysts at Kaspersky detailed a targeted supply chain compromise aimed at the npm ecosystem that smuggled in the AdaptixC2 post-exploitation agent through a typosquatted package named https-proxy-utils. The package posed as a proxy helper but quietly fetched and ran the AdaptixC2 payload during installation.

The operation relied on classic typosquatting against popular npm modules. By echoing names such as http-proxy-agent (~70M weekly downloads) and https-proxy-agent (~90M), and cloning behaviour from proxy-from-env (~50M), the fraudulent package boosted its credibility - until a hidden install script handed control to AdaptixC2. At the time of reporting, the impostor had been removed from the npm registry.

Cross-platform payload delivery

Researchers reported that the installer matched the host OS with distinct loading and persistence routines. On Windows, the agent arrived as a DLL under C:\Windows\Tasks. The script copied the legitimate msdtc.exe into that directory and executed it so that it would load the malicious library - a design mapped to MITRE ATT&CK technique T1574.001 (DLL Search Order Hijacking).

On macOS, the script dropped an executable into Library/LaunchAgents and created a plist for autorun. Before downloading, the logic checked the CPU family and retrieved the matching build, x64 or ARM, for the target system.

Linux hosts received an architecture-appropriate binary in /tmp/.fonts-unix, where the install script set the permissions needed to start it immediately. This CPU-aware delivery (x64/ARM) ensured the agent could run reliably across diverse fleets.

Across all platforms, the post-install hook acted as an automatic trigger, requiring no manual user action once a developer installed the package - a major reason supply chain abuse through package managers remains so disruptive.

AdaptixC2 cross-platform techniques

What AdaptixC2 enables and why it matters

First surfacing publicly in early 2025 - and observed in malicious use since early spring - AdaptixC2 is designed as a post-exploitation framework comparable to Cobalt Strike. Once implanted, operators can gain remote access, execute commands, manage files and processes, and pursue multiple persistence options.

These capabilities help adversaries maintain access, conduct reconnaissance, and execute actions inside developer environments and CI/CD infrastructure. In short, a single dependency can turn a routine installation into a robust foothold for lateral movement.

The npm incident also fits a broader pattern. Weeks earlier, the Shai-Hulud worm spread through install scripts to hundreds of packages, showing how attackers continue to weaponize trusted open-source supply chains.

Kaspersky's analysis attributes the success of the npm delivery to a convincing lure that combined genuine proxy functionality with hidden malicious logic. That combination made the threat harder to spot during code review or package metadata checks.

AdaptixC2 framework overview

Practical steps and indicators to watch

Organizations can reduce exposure by strengthening package hygiene: verify exact package names before installing, scrutinize new or unsolicited dependencies, and follow security advisories for signs of compromised components. Where possible, pin versions, mirror artifacts, and gate builds with policy-as-code and SBOM checks.
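The name-verification and install-script advice above (and the typosquatting and post-install trigger described earlier in the article), as an added example that is not part of Kaspersky's report or of any npm tooling: a small Python audit that flags dependency names resembling the proxy helpers the impostor imitated, and any dependency that declares an install-time lifecycle hook. The known-good name list, the edit-distance and shared-prefix thresholds, and the sample manifests and lockfile are assumptions constructed for illustration; the real package's script contents are not reproduced.

```python
"""Package-hygiene checks for npm dependencies (added example).

Two heuristics drawn from the incident: (1) a dependency name that is a
near miss of, or shares its leading name segments with, one of the popular
proxy helpers the impostor imitated; (2) a dependency that runs an
install-time lifecycle hook, the mechanism that handed control to the
payload with no user action. The sample manifests and lockfile text below
are constructed for illustration, not taken from the real package.
"""
import json

# Popular packages named in the report whose names the impostor echoed.
KNOWN_GOOD = {"http-proxy-agent", "https-proxy-agent", "proxy-from-env"}

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shares_prefix(name: str, other: str, min_tokens: int = 2) -> bool:
    """True when both names start with the same hyphen-separated tokens,
    e.g. 'https-proxy-utils' and 'https-proxy-agent' both begin 'https-proxy'."""
    a, b = name.split("-"), other.split("-")
    return len(a) > min_tokens and len(b) > min_tokens and a[:min_tokens] == b[:min_tokens]


def typosquat_candidates(name: str, max_distance: int = 2) -> list:
    """Known-good names that this package name suspiciously resembles."""
    if name in KNOWN_GOOD:
        return []
    return sorted(g for g in KNOWN_GOOD
                  if edit_distance(name, g) <= max_distance or shares_prefix(name, g))


def install_hooks(entry: dict) -> list:
    """Install-time hooks declared in a package.json-style dict, or the
    lockfile's hasInstallScript flag when only the lockfile entry is known."""
    scripts = entry.get("scripts") or {}
    hooks = sorted(h for h in scripts if h in INSTALL_HOOKS)
    if not hooks and entry.get("hasInstallScript"):
        hooks.append("hasInstallScript")
    return hooks


def lockfile_entries(text: str) -> dict:
    """Map package name -> lockfile entry for a package-lock.json (v2/v3)."""
    packages = json.loads(text).get("packages", {})
    return {p.rsplit("node_modules/", 1)[1]: entry
            for p, entry in packages.items() if "node_modules/" in p}


def audit_dependencies(entries: dict) -> list:
    """Return (name, reason) findings for every entry in a name -> entry map."""
    findings = []
    for name, entry in entries.items():
        for lookalike in typosquat_candidates(name):
            findings.append((name, f"name resembles {lookalike}"))
        for hook in install_hooks(entry):
            findings.append((name, f"install hook: {hook}"))
    return findings


# Constructed sample inputs (not the real package's contents).
SAMPLE_MANIFESTS = {
    "https-proxy-utils": {"version": "1.0.0", "scripts": {"postinstall": "node setup.js"}},
    "https-proxy-agent": {"version": "7.0.0"},
    "left-pad": {"version": "1.3.0", "scripts": {"test": "node test.js"}},
}
SAMPLE_LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/http-proxy-agnet": {"version": "1.0.0", "hasInstallScript": True},
    "node_modules/proxy-from-env": {"version": "1.1.0"},
}})

if __name__ == "__main__":
    for finding in audit_dependencies(SAMPLE_MANIFESTS):
        print("manifest:", *finding)
    for finding in audit_dependencies(lockfile_entries(SAMPLE_LOCKFILE)):
        print("lockfile:", *finding)
```

Against a real project, feed `lockfile_entries(open("package-lock.json").read())` to `audit_dependencies`; the `hasInstallScript` flag comes from the lockfile, while named hooks need each dependency's own package.json. Independently of this check, setting `ignore-scripts=true` in the npm config stops lifecycle hooks from running at install time, which removes the automatic trigger the article describes.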

Key package and hashes

  • Package name: https-proxy-utils
  • DFBC0606E16A89D980C9B674385B448E - package hash
  • B8E27A88730B124868C1390F3BC42709
  • 669BDBEF9E92C3526302CA37DC48D21F
  • EDAC632C9B9FF2A2DA0EACAAB63627F4
  • 764C9E6B6F38DF11DC752CB071AE26F9
  • 04931B7DFD123E6026B460D87D842897

Network indicators

  • cloudcenter[.]top/sys/update
  • cloudcenter[.]top/macos_update_arm
  • cloudcenter[.]top/macos_update_x64
  • cloudcenter[.]top/macosUpdate[.]plist
  • cloudcenter[.]top/linux_update_x64
  • cloudcenter[.]top/linux_update_arm

Although the malicious npm package has been taken down, organizations should review recent dependency installs, hunt for the indicators above, and inspect systems for unexpected binaries in C:\Windows\Tasks, Library/LaunchAgents, or /tmp/.fonts-unix - especially where install scripts are permitted to run.
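The hunting advice above, together with the per-platform drop locations and the msdtc.exe copy described earlier, as an added example that is not part of the report: a Python script that hashes files in the reported drop directories against the published MD5 list, flags the msdtc.exe-outside-System32 pattern and a DLL in the Tasks folder, and searches log lines for the reported C2 domain. Listing both ~/Library/LaunchAgents and /Library/LaunchAgents (the article gives the path without a leading "~" or "/"), the sample log lines, and the temporary sample directory are assumptions constructed here.

```python
"""Host-side hunt for the indicators published with this report (added
example). Hashes files in the reported drop locations and flags MD5 matches,
flags a copy of msdtc.exe outside its system directory (the T1574.001
pattern) and a DLL sitting in the Tasks folder, and greps log lines for the
C2 domain. build_sample_dir() and SAMPLE_LOG are constructed stand-ins so
the script runs offline on any platform.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 hashes published by the researchers (upper-case hex, as listed above).
PUBLISHED_HASHES = {
    "DFBC0606E16A89D980C9B674385B448E",
    "B8E27A88730B124868C1390F3BC42709",
    "669BDBEF9E92C3526302CA37DC48D21F",
    "EDAC632C9B9FF2A2DA0EACAAB63627F4",
    "764C9E6B6F38DF11DC752CB071AE26F9",
    "04931B7DFD123E6026B460D87D842897",
}

# Drop locations named in the report. The macOS path is given without a
# leading "~" or "/", so both the per-user and the system folder are listed
# (assumption). Missing directories are skipped at scan time.
DROP_DIRS = [
    Path(r"C:\Windows\Tasks"),
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/tmp/.fonts-unix"),
]

# Matches the reported C2 domain in plain or defanged ("[.]") form.
C2_DOMAIN = re.compile(r"cloudcenter(?:\.|\[\.\])top", re.IGNORECASE)


def md5_of(path: Path) -> str:
    """Upper-case MD5 hex digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def in_system32(path: Path) -> bool:
    """True when the file's parent directory is Windows\\System32."""
    parent = str(path.parent).lower().replace("/", "\\")
    return parent.endswith("windows\\system32")


def hunt_files(directories, known_hashes=PUBLISHED_HASHES) -> list:
    """Return (path, reason) findings for files under the given directories."""
    findings = []
    for d in directories:
        d = Path(d)
        if not d.is_dir():
            continue  # drop location absent on this host: nothing to inspect
        for f in d.rglob("*"):
            if not f.is_file():
                continue
            if md5_of(f) in known_hashes:
                findings.append((str(f), "MD5 matches published indicator"))
            if f.name.lower() == "msdtc.exe" and not in_system32(f):
                findings.append((str(f), "msdtc.exe outside its system directory (T1574.001)"))
            if f.suffix.lower() == ".dll" and d.name.lower() == "tasks":
                findings.append((str(f), "DLL in scheduled-tasks folder"))
    return findings


def hunt_log_lines(lines) -> list:
    """Return the log lines that reference the reported C2 domain."""
    return [line for line in lines if C2_DOMAIN.search(line)]


# Constructed proxy/DNS log lines; the URL path matches a listed indicator.
SAMPLE_LOG = [
    "2025-10-20T10:01:02Z proxy GET http://cloudcenter.top/sys/update 200",
    "2025-10-20T10:01:03Z proxy GET https://registry.npmjs.org/https-proxy-agent 200",
    "2025-10-20T10:01:05Z dns query cloudcenter.top A",
]


def build_sample_dir() -> Path:
    """Constructed sample: a benign file, a stray msdtc.exe copy and a
    stand-in payload whose hash demo() adds to the watch list."""
    root = Path(tempfile.mkdtemp(prefix="ioc-hunt-"))
    (root / "notes.txt").write_bytes(b"nothing to see here")
    (root / "msdtc.exe").write_bytes(b"MZ constructed stand-in, not the real binary")
    (root / "update.bin").write_bytes(b"constructed payload stand-in")
    return root


def demo():
    """Run both hunts over the constructed inputs; returns (file, log) findings."""
    root = build_sample_dir()
    watch = PUBLISHED_HASHES | {md5_of(root / "update.bin")}
    return hunt_files([root], watch), hunt_log_lines(SAMPLE_LOG)


if __name__ == "__main__":
    file_hits, log_hits = demo()
    for hit in file_hits + [(line, "C2 domain") for line in log_hits]:
        print(*hit)
    print("live scan of reported drop locations:", hunt_files(DROP_DIRS))
```

The live scan at the end only reads files, so it is safe to run on a developer workstation; on a real hunt, pair the file check with the network match by feeding proxy or DNS export lines to `hunt_log_lines`, since a clean disk does not rule out an earlier download attempt.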

AdaptixC2 indicators and response

The AdaptixC2 npm case brought together convincing impersonation, automated cross-platform deployment, and capable C2 tooling, illustrating how a single dependency can open the door to prolonged access; continued vigilance over package selection, build pipelines, and endpoints is essential to block this style of attack.
