
Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux

Ravie Lakshmanan | Mar 04, 2026 | Threat Intelligence / Application Security

Cybersecurity researchers have flagged malicious PHP packages on Packagist that masquerade as Laravel utilities and act as conduits for a cross-platform remote access trojan (RAT) that runs on Windows, macOS, and Linux systems.

The names of the packages are listed below –

  • nhattuanbl/lara-helper (37 downloads)
  • nhattuanbl/simple-queue (29 downloads)
  • nhattuanbl/lara-swagger (49 downloads)

According to Socket, "nhattuanbl/lara-swagger" does not itself embed malicious code; instead it declares "nhattuanbl/lara-helper" as a Composer dependency, so installing it pulls in the RAT. All three packages remain available for download from the PHP package registry.

Both lara-helper and simple-queue contain a PHP file named "src/helper.php" that uses several tricks to frustrate static analysis: control-flow obfuscation, obfuscated strings for the C2 domain name, command names and file paths, and randomized identifiers for variables and functions.
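To make the dependency chain and the source-level traits described above checkable, here is an added example (not code from the article or from Socket) that walks a composer.lock, reports which installed packages reach the three flagged names either directly or through a transitive require, applies a simple indicator scan to PHP source, and checks whether a php.ini disable_functions value still leaves one of the six execution primitives open that the researcher lists below. The lock fragment, the PHP snippet and the ini value are constructed for illustration; the indicator patterns are my assumptions drawn from the article's description, not Socket's detection rules.

```python
import json
import re

# The three packages Socket flagged (names taken from the article).
INDICATOR_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

# Execution primitives the RAT tries in turn when one is blocked,
# in the order quoted in the article.
EXEC_FALLBACKS = ["popen", "proc_open", "exec", "shell_exec", "system", "passthru"]

# Assumed source-level indicators, derived from the article's description of
# helper.php: raw TCP via stream_socket_client, probing of disable_functions,
# screen capture, and a world-RWX chmod on uploaded files.
PHP_INDICATORS = {
    "tcp_client": re.compile(r"\bstream_socket_client\s*\("),
    "disable_functions_probe": re.compile(r"\bdisable_functions\b"),
    "screenshot": re.compile(r"\bimagegrabscreen\s*\("),
    "chmod_0777": re.compile(r"\bchmod\s*\([^)]*\b0?777\b"),
}

# Constructed composer.lock fragment (not a real project): acme/docs pulls
# lara-swagger, which in turn requires lara-helper.
SAMPLE_LOCK = json.loads("""{
  "packages": [
    {"name": "laravel/framework", "require": {"php": "^8.1"}},
    {"name": "nhattuanbl/lara-helper", "require": {"php": ">=8.0"}},
    {"name": "nhattuanbl/lara-swagger",
     "require": {"php": ">=8.0", "nhattuanbl/lara-helper": "*"}},
    {"name": "acme/docs", "require": {"nhattuanbl/lara-swagger": "^1.0"}}
  ],
  "packages-dev": []
}""")

# Constructed PHP snippet that mimics the behaviours the article describes;
# it is not the real helper.php.
SAMPLE_PHP = r'''<?php
$s = stream_socket_client("tcp://" . $h . ":" . $p, $errno, $errstr, 5);
$blocked = array_map("trim", explode(",", ini_get("disable_functions")));
foreach (["popen", "proc_open", "exec", "shell_exec", "system", "passthru"] as $f) {
    if (!in_array($f, $blocked) && function_exists($f)) { $run = $f; break; }
}
$img = imagegrabscreen();
chmod($path, 0777);
'''


def tainted_packages(lock):
    """Map each installed package to the require-chain by which it reaches an
    indicator package. Direct hits map to a one-element chain."""
    requires = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            # platform requirements such as "php" or "ext-gd" carry no vendor/
            requires[pkg["name"]] = [r for r in pkg.get("require", {}) if "/" in r]
    result = {}
    for name in requires:
        chain = _reach(name, requires, ())
        if chain:
            result[name] = chain
    return result


def _reach(name, requires, path):
    if name in path:                      # cycle guard
        return None
    path = path + (name,)
    if name in INDICATOR_PACKAGES:
        return list(path)
    for dep in requires.get(name, []):
        chain = _reach(dep, requires, path)
        if chain:
            return chain
    return None


def scan_php(source):
    """Return the set of indicator names present in a PHP source string. The
    combination of tcp_client, disable_functions_probe and a multi-function
    exec fallback is the RAT's shape and warrants manual review."""
    hits = {k for k, rx in PHP_INDICATORS.items() if rx.search(source)}
    fallbacks = [f for f in EXEC_FALLBACKS if re.search(r"\b%s\b" % f, source)]
    if len(fallbacks) >= 3:
        hits.add("multi_exec_fallback")
    return hits


def disable_functions_gaps(ini_value):
    """Given a php.ini disable_functions value, list the RAT's fallback
    primitives that remain callable. A non-empty list means the fallback
    chain still finds a way to run commands."""
    disabled = {f.strip() for f in ini_value.split(",")}
    return [f for f in EXEC_FALLBACKS if f not in disabled]


if __name__ == "__main__":
    for name, chain in tainted_packages(SAMPLE_LOCK).items():
        print(f"{name}: {' -> '.join(chain)}")
    print("helper.php indicators:", sorted(scan_php(SAMPLE_PHP)))
    print("still callable:", disable_functions_gaps("exec,shell_exec,system"))
```

Run it against a real composer.lock by replacing SAMPLE_LOCK with json.load(open("composer.lock")), and point scan_php at each vendor/*/*/src/*.php. The lock walk is the part that matters for lara-swagger-style packages: the flagged name never has to appear in your own composer.json to end up in vendor/.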

“Once uploaded, the payload connects to the C2 server at helper.leuleu[.]net:2096, sends system test data, and waits for commands — giving the user full remote access to the host,” said security researcher Kush Pandya.

The RAT sends system information to the server and parses the commands it returns for execution on the compromised host. Communication takes place over plain TCP using PHP's stream_socket_client(). The supported commands are listed below –

  • ping – send a heartbeat, issued automatically every 60 seconds
  • information – send system fingerprint data to the C2 server
  • cmd – run a shell command
  • powershell – run a PowerShell command
  • run – run a shell command in the background
  • screenshot – capture the screen using imagegrabscreen()
  • download – read a file from disk
  • upload – write a file to disk and grant it read, write, and execute permissions for all users
  • exit – close the socket, then exit

“Using the shell, the RAT searches for disable_functions and chooses the first available method from: popen, proc_open, exec, shell_exec, system, passthru,” Pandya said. “This makes it resistant to standard PHP configuration.”

Although the C2 server is currently unresponsive, the RAT retries the connection every 15 seconds in an endless loop, so affected hosts remain exposed should the server come back online. Users who have installed the packages are advised to treat the affected hosts as compromised, remove the packages, rotate every secret reachable from the application environment, and review outbound traffic for connections to the C2 server.
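Since the advice above ends with reviewing outbound traffic, here is an added example (not from the article or from Socket) of what that review can look like on egress connection logs: it matches the reported C2 host and port, and separately flags any destination that a host reconnects to at a steady cadence close to the 15-second retry loop or the 60-second heartbeat, which catches the reconnect behaviour even if the operator moves to a different domain. The log format and every line in it are constructed for this example; the cadence labels and the 20% jitter tolerance are my assumptions.

```python
import re
import statistics
from collections import defaultdict

# Indicator reported in the article (defanged brackets removed).
C2_HOST = "helper.leuleu.net"
C2_PORT = 2096

# Cadences the article describes: 15 s reconnect loop, 60 s ping heartbeat.
KNOWN_CADENCES = {"reconnect_loop": 15, "heartbeat": 60}

# Constructed egress-log lines (not from any real device):
# "<epoch> <src_ip> -> <dst_host>:<dst_port> <outcome>"
# 10.0.0.5 hammers the known C2; 10.0.0.9 shows the same 15 s rhythm
# against an unknown IP; 10.0.0.7 is ordinary, irregular API traffic.
SAMPLE_LOG = """\
1772600000 10.0.0.5 -> helper.leuleu.net:2096 timeout
1772600015 10.0.0.5 -> helper.leuleu.net:2096 timeout
1772600030 10.0.0.5 -> helper.leuleu.net:2096 timeout
1772600045 10.0.0.5 -> helper.leuleu.net:2096 timeout
1772600060 10.0.0.5 -> helper.leuleu.net:2096 timeout
1772600003 10.0.0.7 -> api.github.com:443 ok
1772600250 10.0.0.7 -> api.github.com:443 ok
1772600900 10.0.0.7 -> api.github.com:443 ok
1772601100 10.0.0.7 -> api.github.com:443 ok
1772600002 10.0.0.9 -> 203.0.113.10:2096 timeout
1772600017 10.0.0.9 -> 203.0.113.10:2096 timeout
1772600033 10.0.0.9 -> 203.0.113.10:2096 timeout
1772600048 10.0.0.9 -> 203.0.113.10:2096 timeout
"""

LINE_RX = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse(log):
    """Group connection attempts by (src, dst, port) with sorted timestamps."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        ts, src, dst, port, _outcome = m.groups()
        flows[(src, dst, int(port))].append(int(ts))
    return {k: sorted(v) for k, v in flows.items()}


def ioc_hits(flows):
    """Source hosts that attempted to reach the reported C2 host:port."""
    return sorted({src for (src, dst, port) in flows
                   if dst == C2_HOST and port == C2_PORT})


def beaconing(flows, min_events=4, jitter=0.2):
    """Flows whose inter-arrival gaps are stable and close to a known cadence.
    Returns (flow_key, cadence_label, median_gap_seconds) tuples."""
    alerts = []
    for key, ts in flows.items():
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = statistics.median(gaps)
        if med == 0:
            continue
        spread = max(abs(g - med) for g in gaps) / med     # relative jitter
        for label, period in KNOWN_CADENCES.items():
            if spread <= jitter and abs(med - period) / period <= jitter:
                alerts.append((key, label, med))
    return alerts


if __name__ == "__main__":
    flows = parse(SAMPLE_LOG)
    print("IOC hits:", ioc_hits(flows))
    for key, label, med in beaconing(flows):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{med}s ({label})")
```

The host:port match is the quick win while the indicator is fresh; the cadence check is what survives a change of domain. One caveat: the 60-second ping runs inside an already-open TCP session, so it only becomes visible at packet or flow-record granularity, whereas the 15-second reconnect attempts against a dead server show up as separate connections in any per-connection log.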

Besides the three packages mentioned above, the threat actor behind the campaign also published three clean libraries ("nhattuanbl/lara-media," "nhattuanbl/snooze," and "nhattuanbl/syslog"), likely in an attempt to build credibility and lure users into installing the malicious ones.

"Any Laravel application that has lara-helper or simple-queue installed is running a persistent RAT. A threat actor has full remote shell access, can read and write arbitrary files, and obtain a persistent system profile of each connected host," said Socket.

"Because activation occurs at request startup (via a service provider) or on class autoloading (via simple-queue), the RAT runs in the same process as the web application with the same file system permissions and environment variables, including database credentials, API keys, and .env content."
