Auditing NodeJs modules with YARA rules

rpgeeganage

Ruwan Pradeep Geeganage

Posted on April 6, 2021

Auditing NodeJs modules with YARA rules

Auditing NodeJs modules with YARA rules

https://github.com/rpgeeganage/audit-node-modules-with-yara

Recently I thought of pursuing my secret passion in the field of information security, specifically work related to malware analysis. While I was looking into static analysis methods, I came across YARA rules.

What is YARA?

Based on the VirusTotal website YARA is,

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic

An example of a YARA rule looks like this.
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
Enter fullscreen mode Exit fullscreen mode
You can get YARA from https://yara.readthedocs.io/en/stable/

Supply chain attacks

As I was reading through the latest security issues in the NodeJS ecosystem, one type of attack caught my attention, which is the supply chain attack.

According to Wikipedia, the supply chain attack described as follows.

A Supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.

In NodeJs, one of the methods is to create malicious packages and publish them to NPM. The following articles explain how to utilize malicious NPM packages to perform supplier chain attacks.

  1. Malicious packages in npm. Here’s what to do
  2. Malicious NPM packages target Amazon, Slack with new dependency attacks
  3. Hunting malicious NPM packages

My project to combine auditing NodeJS modules with YARA

To achieve this, I started setting up a small project. It is available at https://github.com/rpgeeganage/audit-node-modules-with-yara

Defining YARA rules for malicious packages

In this project, I created a couple of sample YARA rules based on article 1 mentioned above. These rules are available at https://github.com/rpgeeganage/audit-node-modules-with-yara/tree/master/yara_rules/package_json

(All of these packages have currently been removed from the NPM registry.)

A sample rule for babelcli@1.0.1 is as follows.

rule babelcli
{
    meta:
        name = "babelcli@1.0.1"

    strings:
        $name = /"name":\s"babelcli",/
        $version = /"version":\s"1.0.1"/

    condition:
        all of them
}
Enter fullscreen mode Exit fullscreen mode
https://github.com/rpgeeganage/audit-node-modules-with-yara/blob/master/yara_rules/package_json/babelcli_1_0_1.yara

Creating the runtime environment for YARA Executable

To provide a simple runtime environment for YARA, I choose the most convenient way, which is to create a Docker container.

Applying the YARA rules and handling the output

In this Docker container, I install all the applications needed to run YARA as well as a small NodeJs app. The special app (I called it executor) allows me to apply YARA rules and format the output as a JSON and store it in artifacts/output.json. The executor runs the following command.

yara --recursive --print-strings --fail-on-warnings \`find ${yaraRulesFolder} -type f -name "*.yara"\` ${folderToAudit}
Enter fullscreen mode Exit fullscreen mode

After the execution, results will be parsed as follows.

[
 {
  "rule": "evil_package_1",
  "string_information": [
   "0x6:$name: \"name\": \"nodecaffe\",",
   "0x1f:$version: \"version\": \"0.0.1\""
  ]
 },
 {
  "rule": "evil_package_2",
  "string_information": [
   "0x6:$name: \"name\": \"sqlserver\",",
   "0x1f:$version: \"version\": \"4.0.5\""
 } 
]
Enter fullscreen mode Exit fullscreen mode

Integration with the CI/CD pipeline

I thought integration with the CI/CD pipeline was important, as this checking process can help identify malicious NPM packages that can sneak into our repository. For integration with the CI/CD pipeline, I suggested something like the following.

#!/bin/bash
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run

# You need to install "jq" library if required

suspicious_file_count=$(jq length artifacts/output.json)

exit $suspicious_file_count
Enter fullscreen mode Exit fullscreen mode

Adding new rules

It is important to add new rules to detect new malicious packages or scripts. The new rules can be added to the yara_rules folder. The newly added rules will be applied to the specified node module folder the next time this project is run.

Improvements and future work

This is a very simple tool that can be improved with the help of the community. I myself am a noob when it comes to malware analysis and YARA rules. So, new pull requests, new rules, new suggestions are highly welcome and always appreciated.

💖 💪 🙅 🚩
rpgeeganage
Ruwan Pradeep Geeganage

Posted on April 6, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related