Malicious PHP packages on the Packagist registry are distributing a cross-platform remote access trojan (RAT) that targets Laravel applications. The packages, including "nhattuanbl/lara-helper" and "nhattuanbl/simple-queue," use obfuscation to hide a payload that connects to a command-and-control server, providing attackers with full remote shell access, file manipulation, and system reconnaissance. The RAT is persistent and runs with the web application's permissions, exposing sensitive data like credentials. Users are advised to remove the packages, rotate all secrets, and audit network traffic.
Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that's functional on Windows, macOS, and Linux systems.
The names of the packages are listed below -
- nhattuanbl/lara-helper (37 Downloads)
- nhattuanbl/simple-queue (29 Downloads)
- nhattuanbl/lara-swagger (49 Downloads)
According to Socket, the package "nhattuanbl/lara-swagger" does not directly embed malicious code, lists "nhattuanbl/lara-helper" as a Composer dependency, causing it to install the RAT. The packages are still available for download from the PHP package registry.
Both lara-helper and simple-queue have been found to contain a PHP file named "src/helper.php," which employs a number of tricks to complicate static analysis by making use of techniques like control flow obfuscation, encoding domain names, command names, and file paths, and randomized identifiers for variable and function names.
"Once loaded, the payload connects to a C2 server at helper.leuleu[.]net:2096, sends system reconnaissance data, and waits for commands -- giving the operator full remote access to the host," security researcher Kush Pandya said.
This includes sending system information and parsing commands received from the C2 server for subsequent execution on the compromised host. The communication occurs over TCP using PHP's stream_socket_client(). The list of supported commands is below -
- ping, to send a heartbeat automatically every 60 seconds
- info, to send system reconnaissance data to the C2 server
- cmd, to run a shell command
- powershell, to run a PowerShell command
- run, to run a shell command in the background
- screenshot, to capture the screen using imagegrabscreen()
- download, to read a file from disk
- upload, to a file on disk and grant it read, write, and execute permissions to all users
- stop, to the socket, and exit
"For shell execution, the RAT probes disable_functions and picks the first available method from: popen, proc_open, exec, shell_exec, system, passthru," Pandya said. 'This makes it resilient to common PHP hardening configurations."
While the C2 server is currently non-responsive, the RAT is configured such that it retries the connection every 15 seconds in a persistent loop, making it a security risk. Users who have installed the packages are advised to assume compromise, remove them, rotate all secrets accessible from the application environment, and audit outbound traffic to the C2 server.
Besides the aforementioned three packages, the threat actor behind the operation has published three other libraries ("nhattuanbl/lara-media," "nhattuanbl/snooze," and "nhattuanbl/syslog") that are clean, likely in an effort to build credibility and trick users into installing the malicious ones.
"Any Laravel application that installed lara-helper or simple-queue is running a persistent RAT. The threat actor has full remote shell access, can read and write arbitrary files, and receives an ongoing system profile for each connected host," Socket said.
"Because activation happens at application boot (via service provider) or class autoloads (via simple-queue), the RAT runs in the same process as the web application with the same filesystem permissions and environment variables, including database credentials, API keys, and .env contents."
Meridiano
