A stealthy malware campaign has targeted developers through the open-source Rust ecosystem, masquerading as a legitimate utility for verifying Ethereum Virtual Machine (EVM) versions. The malicious crate, named `evm-units` and published under the author handle `ablerust`, gained thousands of downloads before it was identified and removed. The attack exploited the routine practice of pulling in transitive dependencies, using dependency chains to silently execute OS-specific payloads on unsuspecting users' systems.
The `evm-units` crate, while appearing to offer EVM version checking functionality, concealed a malicious payload loader. The core of the attack resided in the `get_evm_version()` function. Instead of returning a simple version string, this function decoded a Base64-encoded payload that included a command-and-control (C2) URL, allowing the malware to fetch and execute further malicious code tailored to the victim's environment.
OS-Specific Infection Logic Uncovered in EVM-Units Malware
Security analysts at Socket.dev were instrumental in uncovering the intricacies of this campaign. Their analysis revealed a deliberate focus on stealth and evasion, with the malware's behavior customized to the target operating system. By inspecting User-Agent header values such as `linux`, `darwin` (for macOS), or `win32`, the malware determined which payload to download and execute. This OS-specific infection logic highlights the attackers' meticulous planning and their effort to maximize reach and impact.
The sophistication of the malware is particularly evident in its `check()` function, which uses Rust's conditional compilation attribute `#[cfg(target_os = "...")]` so that different code blocks are compiled and executed depending on the target operating system. On Linux and macOS systems, the malware downloads a script to the temporary directory and executes it with `nohup`, which keeps the script running in the background, detached from the terminal and without visible output, so the victim remains unaware of the malicious activity.
The Windows implementation of the malware takes an even more elaborate approach to evading detection. It actively scans for the presence of `qhsafetray.exe`, a process associated with Qihoo 360, a popular Chinese antivirus product. If Qihoo 360 is detected, the malware adapts its execution strategy. If the antivirus is not found, the malware instead constructs and executes a VBScript crafted to launch a hidden PowerShell instance, thereby circumventing standard security monitoring tools.
The malware's ability to adapt when specific antivirus software is present shows the attackers' understanding of common security measures. By executing PowerShell directly, with process creation flags that suppress a visible window, when Qihoo 360 is detected, the attackers aim to avoid triggering heuristic detection mechanisms that might flag suspicious process behavior. This adaptability suggests a targeted effort, likely aimed at users in Asian markets where Qihoo 360 is prevalent.
Furthermore, the threat actors enabled the `danger_accept_invalid_certs(true)` option on their HTTP client builder, which disables TLS certificate validation and lets the malware's infrastructure use self-signed certificates for communication. By bypassing this standard network security check, the method complicates efforts to block the malicious domains and gives the command-and-control infrastructure greater resilience, making it harder for security teams to shut down the operation.
The secondary package, `uniswap-utils`, played a crucial role in amplifying the reach of `evm-units`. This package declared a dependency on the malicious crate and automatically invoked the tainted code at library load time, before `main` runs, through the `#[ctor::ctor]` attribute. This dependency chaining effectively turned `uniswap-utils` into a Trojan horse, delivering the malware to developers who may never have directly interacted with `evm-units`. The implications of this attack extend beyond individual developers, potentially compromising codebases and further downstream dependencies within the broader software supply chain.
The discovery of the `evm-units` malware highlights the persistent threats within the open-source software supply chain. Developers and organizations are urged to exercise increased vigilance when incorporating third-party libraries into their projects. Regularly auditing dependencies, running dependency vulnerability scanners, and staying informed about emerging threats remain critical for safeguarding development environments and preventing such silent infections.
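As a defender-side addition that is not part of the article or of Socket's tooling, the following Python script scores extracted crate sources for the combination of traits described above: a `ctor` load-time hook, OS-conditional code, disabled TLS validation, background execution via `nohup`, and network and process calls. The indicator weights, the reporting threshold and the two sample crates are constructed for this example; on a real machine, point `audit_registry` at a directory such as `~/.cargo/registry/src/<index>/`.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the evm-units write-up: (label, compiled regex, weight).
# Weights and the reporting threshold are assumptions made for this example.
INDICATORS = [
    ("load-time hook #[ctor::ctor]", re.compile(r"#\[\s*ctor\s*::\s*ctor\s*\]"), 3),
    ("TLS validation disabled", re.compile(r"danger_accept_invalid_certs\s*\(\s*true\s*\)"), 3),
    ("background exec via nohup", re.compile(r"\bnohup\b"), 2),
    ("OS-conditional code", re.compile(r"#\[\s*cfg\s*\(\s*target_os\s*="), 1),
    ("HTTP client", re.compile(r"\breqwest::"), 1),
    ("base64 decoding", re.compile(r"\bbase64::"), 1),
    ("child process spawn", re.compile(r"\bCommand::new\s*\("), 1),
]

def scan_crate(crate_dir: Path) -> dict:
    """Score one extracted crate directory by the indicators found in its .rs files."""
    hits = {}
    for rs in crate_dir.rglob("*.rs"):
        text = rs.read_text(errors="ignore")
        for label, pat, _ in INDICATORS:
            if pat.search(text):
                hits.setdefault(label, set()).add(rs.relative_to(crate_dir).as_posix())
    score = sum(weight for label, _, weight in INDICATORS if label in hits)
    return {"crate": crate_dir.name, "score": score,
            "hits": {k: sorted(v) for k, v in hits.items()}}

def audit_registry(src_root: Path, threshold: int = 5) -> list:
    """Return crates under src_root (e.g. ~/.cargo/registry/src/<index>/) at or above threshold."""
    reports = [scan_crate(d) for d in sorted(src_root.iterdir()) if d.is_dir()]
    return sorted((r for r in reports if r["score"] >= threshold), key=lambda r: -r["score"])

# Constructed sample registry: one ordinary crate and one that combines the traits
# described in the article (illustrative only, not the real evm-units source).
SAMPLE = {
    "tidy-utils-0.1.0/src/lib.rs": "pub fn add(a: u32, b: u32) -> u32 { a + b }\n",
    "suspect-0.1.0/src/lib.rs": (
        '#[ctor::ctor]\nfn init() { check(); }\n#[cfg(target_os = "linux")]\nfn check() {\n'
        '    let _c = reqwest::blocking::Client::builder().danger_accept_invalid_certs(true).build();\n'
        '    let _ = std::process::Command::new("nohup");\n}\n'),
}

def build_sample_registry() -> Path:
    # Writes the constructed sample crates to a temp dir and returns its path.
    root = Path(tempfile.mkdtemp(prefix="registry-src-"))
    for rel, body in SAMPLE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Scores are only a triage signal: a crate that merely uses `reqwest` is not suspicious, but one that combines a load-time hook with disabled certificate validation and a background process launch deserves a manual read before it is built.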