Malicious Laravel Packages on Packagist Deploy Cross-Platform RAT
Cybersecurity researchers have identified malicious PHP packages on Packagist, disguised as Laravel utilities, that serve as conduits for a cross-platform remote access trojan (RAT) capable of operating on Windows, macOS, and Linux systems.
The compromised packages are:
– nhattuanbl/lara-helper (37 downloads)
– nhattuanbl/simple-queue (29 downloads)
– nhattuanbl/lara-swagger (49 downloads)
According to security firm Socket, the nhattuanbl/lara-swagger package does not directly contain malicious code but lists nhattuanbl/lara-helper as a Composer dependency, leading to the installation of the RAT. These packages remain available for download from the PHP package registry.
Both lara-helper and simple-queue include a PHP file named src/helper.php, which employs various obfuscation techniques to evade static analysis. These techniques include control flow obfuscation, encoding of domain names, command names, and file paths, as well as the use of randomized identifiers for variables and function names.
Upon execution, the payload connects to a command-and-control (C2) server at helper.leuleu[.]net:2096, transmits system reconnaissance data, and awaits commands, granting the operator full remote access to the infected host. Security researcher Kush Pandya noted that the RAT communicates over TCP using PHP’s stream_socket_client() function.
The RAT supports several commands, including:
– ping: Sends a heartbeat every 60 seconds.
– info: Sends system reconnaissance data to the C2 server.
– cmd: Executes a shell command.
– powershell: Executes a PowerShell command.
– run: Executes a shell command in the background.
– screenshot: Captures the screen using imagegrabscreen().
– download: Reads a file from disk.
– upload: Writes a file to disk and grants it read, write, and execute permissions to all users.
– stop: Closes the socket and exits.
For shell execution, the RAT checks the disable_functions directive and selects the first available method from: popen, proc_open, exec, shell_exec, system, or passthru. This approach makes it resilient to common PHP hardening configurations.
Although the C2 server is currently unresponsive, the RAT is programmed to retry the connection every 15 seconds in a persistent loop, posing an ongoing security risk. Users who have installed these packages are advised to assume their systems are compromised, remove the malicious packages, rotate all secrets accessible from the application environment, and audit outbound traffic to the C2 server.
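An added triage check, written for this article and not taken from Socket's report or the packages themselves, that a defender could run against a project's composer.lock and php.ini: it flags the three named packages whether they were installed directly or pulled in transitively (as lara-swagger pulls in lara-helper), and reports which of the six execution primitives the RAT probes remain reachable under a given disable_functions value. The composer.lock excerpt and the php.ini value below are constructed samples.

```python
import json

# Package names taken from the report; lara-swagger is flagged because it
# lists lara-helper as a Composer dependency and so installs the RAT too.
MALICIOUS_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

# Shell-execution primitives the RAT probes, in the order the report lists them.
EXEC_FUNCTIONS = ["popen", "proc_open", "exec", "shell_exec", "system", "passthru"]


def flagged_packages(composer_lock: str) -> list[str]:
    """Return the malicious package names present in a composer.lock document,
    whether installed as a direct requirement or as a transitive dependency."""
    lock = json.loads(composer_lock)
    installed = lock.get("packages", []) + lock.get("packages-dev", [])
    return sorted(p["name"] for p in installed if p.get("name") in MALICIOUS_PACKAGES)


def reachable_exec_functions(disable_functions: str) -> list[str]:
    """Given the value of PHP's disable_functions directive, return the
    execution primitives the RAT could still fall back to. Only an empty
    list means all six of its options are blocked."""
    disabled = {f.strip().lower() for f in disable_functions.split(",") if f.strip()}
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


# Constructed composer.lock excerpt: the project only requested lara-swagger,
# and Composer resolved lara-helper alongside it.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0",
         "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0"},
    ],
    "packages-dev": [],
})

# Constructed php.ini value: a common partial hardening that still leaves
# popen and proc_open available, which is enough for the RAT's fallback logic.
SAMPLE_DISABLE = "exec,shell_exec,system,passthru"

if __name__ == "__main__":
    print("flagged packages:", flagged_packages(SAMPLE_LOCK))
    print("exec primitives still reachable:", reachable_exec_functions(SAMPLE_DISABLE))
```

A clean result from `flagged_packages` does not mean the host is clean if the packages were removed after the C2 check-in had already happened; the outbound-traffic audit the report recommends still applies.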
In addition to the three malicious packages, the threat actor has published three other libraries—nhattuanbl/lara-media, nhattuanbl/snooze, and nhattuanbl/syslog—which are clean. This strategy likely aims to build credibility and deceive users into installing the malicious ones.
Socket emphasized that any Laravel application incorporating lara-helper or simple-queue is running a persistent RAT. The threat actor has full remote shell access, can read and write arbitrary files, and receives an ongoing system profile for each connected host. Since activation occurs at application boot (via a service provider) or on class autoload (via simple-queue), the RAT operates within the same process as the web application, sharing the same filesystem permissions and environment variables, including database credentials, API keys, and .env contents.