These malicious packages were tracked as:
According to the researchers, the existing versions of the okhsa package contain code that launches the Calculator application during the pre-installation phase on Windows systems. Hidden inside the okhsa code, the klow or klown packages are listed as dependencies.
After analyzing the packages, the researchers determined that this harmless-looking behaviour concealed a cryptojacking tool: the malicious dependencies first identify the victim's operating system, then run a .bat or .sh script accordingly, which installs the miner on the target system. Below is an example of the run script:
A VirusTotal scan confirmed that the payload is a well-known cryptojacker. The malicious EXE runs unnoticed in the background on affected systems; the following screenshot shows its execution process:
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
Originally published at https://www.securitynewspaper.com on October 22, 2021.