GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data

By Declan Murphy, March 25, 2026
    Ravie LakshmananMar 25, 2026Browser Safety / Menace Intelligence

Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs.

"It logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo," Aikido security researcher Ilyas Makari said in a report published last week.

GlassWorm is the moniker assigned to a persistent campaign that obtains an initial foothold through rogue packages published across npm, PyPI, GitHub, and the Open VSX marketplace. In addition, the operators are known to compromise the accounts of project maintainers to push poisoned updates.

The attacks are careful enough to avoid infecting systems with a Russian locale and use Solana transactions as a dead drop resolver to fetch the command-and-control (C2) server ("45.32.150[.]251") and download operating system-specific payloads.

The stage two payload is a data-theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities. The collected data is compressed into a ZIP archive and exfiltrated to an external server ("217.69.3[.]152/wall"). It also includes functionality to retrieve and launch the final payload.

Once the data is transmitted, the attack chain involves fetching two more components: a .NET binary that's designed to carry out hardware wallet phishing and a WebSocket-based JavaScript RAT to siphon web browser data and run arbitrary code. The RAT payload is fetched from "45.32.150[.]251" by using a public Google Calendar event URL as a dead drop resolver.

The .NET binary leverages the Windows Management Instrumentation (WMI) infrastructure to detect USB device connections and displays a phishing window when a Ledger or Trezor hardware wallet is plugged in.

"The Ledger UI displays a fake configuration error and presents 24 numbered recovery phrase input fields," Makari noted. "The Trezor UI displays a fake 'Firmware validation failed, initiating emergency reboot' message with the same 24-word input layout. Both windows include a 'RESTORE WALLET' button."

The malware not only kills any real Ledger Live processes running on the Windows host, but also re-displays the phishing window if the victim closes it. The end goal of the attack is to capture the wallet recovery phrase and transmit it to the IP address "45.150.34[.]158."

The RAT, on the other hand, uses a Distributed Hash Table (DHT) to retrieve the C2 details. In the event the mechanism returns no value, the malware switches to the Solana-based dead drop. The RAT then establishes communication with the server to run various commands on the compromised system –

• start_hvnc / stop_hvnc, to deploy a Hidden Virtual Network Computing (HVNC) module for remote desktop access.
• start_socks / stop_socks, to launch a WebRTC module and run it as a SOCKS proxy.
• reget_log, to steal data from web browsers, such as Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, and Mozilla Firefox. The component is equipped to bypass Chrome's app-bound encryption (ABE) protections.
• get_system_info, to send system information.
• command, to execute attacker-supplied JavaScript via eval().

The RAT also force-installs a Google Chrome extension named Google Docs Offline on Windows and macOS systems, which then connects to a C2 server and receives commands issued by the operator, allowing it to gather cookies, localStorage, the full Document Object Model (DOM) tree of the active tab, bookmarks, screenshots, keystrokes, clipboard content, up to 5,000 browser history entries, and the installed extensions list.

"The extension also performs targeted session surveillance. It pulls monitored website rules from /api/get-url-for-watch and ships with Bybit (.bybit.com) pre-configured as a target, awaiting the secure-token and deviceid cookies," Aikido said. "On detection, it fires an auth-detected webhook to /api/webhook/auth-detected containing the cookie material and page metadata. The C2 can also supply redirect rules that force active tabs to attacker-controlled URLs."

The discovery coincides with yet another shift in GlassWorm tactics, with the attackers publishing npm packages impersonating the WaterCrawl Model Context Protocol (MCP) server ("@iflow-mcp/watercrawl-watercrawl-mcp") to distribute malicious payloads.
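The three network indicators quoted in this article (the C2 resolved through the Solana dead drop, the stage-two exfiltration endpoint, and the seed phrase receiver) are the kind of thing a defender would sweep proxy or firewall logs for. The following is an added example written for this page, not code from Aikido, AFINE or the article: it refangs the indicators as quoted above and matches them against constructed sample log lines in a hypothetical key=value format, distinguishing a full IP+path match from traffic to the same server on another path.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as quoted in the article, kept in their defanged form.
DEFANGED_IOCS = {
    "45.32.150[.]251": "GlassWorm C2 resolved via Solana dead drop",
    "217.69.3[.]152/wall": "stage-two data exfiltration endpoint",
    "45.150.34[.]158": "hardware wallet recovery phrase receiver",
}

# Constructed sample proxy log lines (hypothetical format, not real telemetry).
SAMPLE_LOG = """\
2026-03-24T10:01:02Z src=10.0.0.5 dst=142.250.74.46 url=https://calendar.google.com/calendar/event?eid=x status=200
2026-03-24T10:01:09Z src=10.0.0.5 dst=45.32.150.251 url=http://45.32.150.251/payload status=200
2026-03-24T10:03:41Z src=10.0.0.5 dst=217.69.3.152 url=http://217.69.3.152/wall status=200
2026-03-24T10:05:00Z src=10.0.0.7 dst=217.69.3.152 url=http://217.69.3.152/ status=404
2026-03-24T10:09:13Z src=10.0.0.5 dst=45.150.34.158 url=http://45.150.34.158/ status=200
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)")


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(defanged: dict) -> dict:
    """Map each indicator's IP to (required URL path or None, label)."""
    matchers = {}
    for ioc, label in defanged.items():
        host, _, path = refang(ioc).partition("/")
        ipaddress.ip_address(host)  # raise early on a malformed indicator
        matchers[host] = ("/" + path if path else None, label)
    return matchers


def scan(log_text: str, defanged: dict = DEFANGED_IOCS) -> list:
    """Return (src, dst, confidence, label) for every line touching an indicator."""
    matchers = build_matchers(defanged)
    hits = []
    for m in LINE_RE.finditer(log_text):  # \S+ never crosses a newline
        src, dst, path = m["src"], m["dst"], urlsplit(m["url"]).path or "/"
        if dst not in matchers:
            continue
        ioc_path, label = matchers[dst]
        # "high" when the indicator is a bare IP or the path agrees;
        # same server on another path is still worth an analyst's look.
        confidence = "high" if ioc_path in (None, path) else "medium"
        hits.append((src, dst, confidence, label))
    return hits
```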

"This is GlassWorm's first confirmed move into the MCP ecosystem," Koi security researcher Lotan Sery said. "And given how fast AI-assisted development is growing – and how much trust MCP servers are given by design – this may not be the last."

Developers are advised to exercise caution when installing Open VSX extensions, npm packages, and MCP servers. It's also recommended to verify publisher names and package histories, and to avoid blindly trusting download counts. Polish cybersecurity company AFINE has released an open-source Python tool called glassworm-hunter to scan developer systems for payloads associated with the campaign.

"Glassworm-hunter makes zero network requests during scanning," researchers Paweł Woyke and Sławomir Zakrzewski said. "No telemetry. No phone-home. No automatic update checks. It reads local files only. Glassworm-hunter update is the only command that touches the network. It fetches the latest IoC database from our GitHub and saves it locally."
