Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of carrying out data theft and installing a remote access trojan (RAT), which in turn deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs.
“It logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo,” Aikido security researcher Ilyas Makari said in a report published last week.
GlassWorm is the moniker assigned to a persistent campaign that obtains an initial foothold through rogue packages published across npm, PyPI, GitHub, and the Open VSX marketplace. In addition, the operators are known to compromise the accounts of project maintainers to push poisoned updates.
The attacks are careful enough to avoid infecting systems with a Russian locale and use Solana transactions as a dead drop resolver to fetch the command-and-control (C2) server (“45.32.150[.]251”) and download operating system-specific payloads.
The stage two payload is a data-theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities. The collected data is compressed into a ZIP archive and exfiltrated to an external server (“217.69.3[.]152/wall”). It also includes functionality to retrieve and launch the final payload.
Once the data is transmitted, the attack chain involves fetching two additional components: a .NET binary that’s designed to carry out hardware wallet phishing and a WebSocket-based JavaScript RAT to siphon web browser data and run arbitrary code. The RAT payload is fetched from “45.32.150[.]251” by using a public Google Calendar event URL as a dead drop resolver.
The .NET binary leverages the Windows Management Instrumentation (WMI) infrastructure to detect USB device connections and displays a phishing window when a Ledger or Trezor hardware wallet is plugged in.
“The Ledger UI displays a fake configuration error and presents 24 numbered recovery phrase input fields,” Makari noted. “The Trezor UI displays a fake ‘Firmware validation failed, initiating emergency reboot’ message with the same 24-word input layout. Both windows include a ‘RESTORE WALLET’ button.”
The malware not only kills any real Ledger Live processes running on the Windows host, but also re-displays the phishing window if the victim closes it. The end goal of the attack is to capture the wallet recovery phrase and transmit it to the IP address “45.150.34[.]158.”
The RAT, on the other hand, uses a Distributed Hash Table (DHT) to retrieve the C2 details. In the event the mechanism returns no value, the malware falls back to the Solana-based dead drop. The RAT then establishes communication with the server to run various commands on the compromised system:
- start_hvnc / stop_hvnc, to deploy a Hidden Virtual Network Computing (HVNC) module for remote desktop access.
- start_socks / stop_socks, to launch a WebRTC module and run it as a SOCKS proxy.
- reget_log, to steal data from web browsers, such as Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, and Mozilla Firefox. The component is equipped to bypass Chrome’s app-bound encryption (ABE) protections.
- get_system_info, to send system information.
- command, to execute attacker-supplied JavaScript via eval().
The RAT also force-installs a Google Chrome extension named Google Docs Offline on Windows and macOS systems, which then connects to a C2 server and receives commands issued by the operator, allowing it to gather cookies, localStorage, the full Document Object Model (DOM) tree of the active tab, bookmarks, screenshots, keystrokes, clipboard content, up to 5,000 browser history entries, and the list of installed extensions.
“The extension also performs targeted session surveillance. It pulls monitored site rules from /api/get-url-for-watch and ships with Bybit (.bybit.com) pre-configured as a target, watching for the secure-token and deviceid cookies,” Aikido said. “On detection, it fires an auth-detected webhook to /api/webhook/auth-detected containing the cookie material and page metadata. The C2 can also supply redirect rules that force active tabs to attacker-controlled URLs.”
The discovery coincides with yet another shift in GlassWorm tactics, with the attackers publishing npm packages impersonating the WaterCrawl Model Context Protocol (MCP) server (“@iflow-mcp/watercrawl-watercrawl-mcp”) to distribute malicious payloads.
“This is GlassWorm’s first confirmed move into the MCP ecosystem,” Koi security researcher Lotan Sery said. “And given how fast AI-assisted development is growing – and how much trust MCP servers are given by design – this won’t be the last.”
Developers are advised to exercise caution when it comes to installing Open VSX extensions, npm packages, and MCP servers. It is also recommended to verify publisher names and package histories, and to avoid blindly trusting download counts. Polish cybersecurity company AFINE has released an open-source Python tool called glassworm-hunter to scan developer systems for payloads associated with the campaign.
“Glassworm-hunter makes zero network requests during scanning,” researchers Paweł Woyke and Sławomir Zakrzewski said. “No telemetry. No phone-home. No automatic update checks. It reads local files only. Glassworm-hunter update is the only command that touches the network. It fetches the latest IoC database from our GitHub and saves it locally.”
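The following is an added example of the kind of local-only, no-network indicator check described above; it is not glassworm-hunter’s code, and it uses only the defanged IP addresses and the impersonating npm package name quoted in this article, against constructed sample inputs (the package.json, MCP server config and proxy log lines are made up for the demo).

```python
import json
import re

# Indicators quoted in the article, kept defanged; a constructed set, not glassworm-hunter's IoC database.
GLASSWORM_IPS = {"45.32.150[.]251", "217.69.3[.]152", "45.150.34[.]158"}
GLASSWORM_PACKAGES = {"@iflow-mcp/watercrawl-watercrawl-mcp"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 45.32.150[.]251 into a matchable IP string."""
    return indicator.replace("[.]", ".")


REFANGED_IPS = {refang(ip) for ip in GLASSWORM_IPS}


def scan_package_json(text: str) -> list[str]:
    """Return known-bad package names declared in a package.json document."""
    manifest = json.loads(text)
    return [name for section in ("dependencies", "devDependencies")
            for name in manifest.get(section, {}) if name in GLASSWORM_PACKAGES]


def scan_mcp_config(text: str) -> list[str]:
    """Return MCP server entries whose command or args reference a known-bad package."""
    config = json.loads(text)
    hits = []
    for server, spec in config.get("mcpServers", {}).items():
        launch = [spec.get("command", "")] + list(spec.get("args", []))
        if any(item in GLASSWORM_PACKAGES for item in launch):
            hits.append(server)
    return hits


def scan_log_lines(lines) -> list[tuple[int, str]]:
    """Return (line_number, ip) for each log line that touches a GlassWorm host."""
    return [(n, ip) for n, line in enumerate(lines, start=1)
            for ip in IPV4_RE.findall(line) if ip in REFANGED_IPS]


# Constructed sample inputs so the scanner runs stand-alone and offline.
SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4.19.0", "@iflow-mcp/watercrawl-watercrawl-mcp": "1.0.0"}}'
SAMPLE_MCP_CONFIG = '{"mcpServers": {"watercrawl": {"command": "npx", "args": ["-y", "@iflow-mcp/watercrawl-watercrawl-mcp"]}}}'
SAMPLE_PROXY_LOG = [
    "10:00:00 src=10.0.0.5 dst=142.250.80.46 host=www.google.com method=GET",
    "10:00:07 src=10.0.0.5 dst=217.69.3.152 uri=/wall method=POST",
    "10:01:12 src=10.0.0.5 dst=45.150.34.158 method=POST",
]
```

Run it against real package.json files, MCP client configs and egress logs by replacing the sample inputs; a hit on the stage-two or wallet-phishing hosts in egress logs means data has most likely already left the host, so treat it as an incident rather than a prevention signal.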