Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access | Datadog Security Labs

Two malicious npm packages, harthat-hash and harthat-api, were published on July 7, 2024, delivering a DLL via a command-and-control server and aligning with the DPRK-aligned MOONSTONE SLEET cluster (internally named Stressed Pungsan). The activity highlights software supply-chain abuse in npm to install Windows-targeted payloads and evade detection, with rapid removal from the registry suggesting a tactic to avoid blocks.

Keypoints

  • On July 7, 2024, npm user nagasiren978 published two malicious packages to the npm registry.
  • These packages, “harthat-hash” and “harthat-api”, contain code that installs additional malicious software from a command and control (C2) server.
  • This C2 server mostly served malicious batch scripts and one DLL, indicating a Windows-targeted victim set.
  • The tactics, techniques, and procedures behind the packages, the C2 infrastructure, and the targeting align with MOONSTONE SLEET, a DPRK-aligned actor cluster internally named “Stressed Pungsan.”
  • The author removed both packages within hours of publishing, a possible tactic to avoid registry blocking.
  • Static and dynamic analyses revealed a DLL loaded via rundll32, with anti-analysis indicators but limited evidence of weaponization at runtime.

MITRE Techniques

  • [T1195] Supply Chain Compromise – Malicious npm packages distributed through the registry to deliver malware, aligning with MOONSTONE SLEET. “Malicious packages leverage pre-install scripts to execute harmful commands and download additional payloads.”
  • [T1105] Ingress Tool Transfer – The C2 server delivered batch scripts and a DLL payload during deployment. “This C2 server mostly served malicious batch scripts and one DLL.”
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The pre-install script runs a .js file as part of execution. “the pre-install script in the package.json to execute a .js file and delete it.”
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The DLL is loaded and executed via Rundll32. “Next, the threat actor makes use of the rundll32.exe executable to load this DLL and execute its code. This technique is known as ‘System Binary Proxy Execution: Rundll32’.”
  • [T1036] Masquerading – The package name resembles legitimate software and reuses code from a legitimate project. “The malicious package reuses code from a well-known GitHub repository called node-config” and “the name resembles the Hardhat npm package.”
  • [T1070.004] File Deletion – The dropper deletes files after use to remove traces. “and delete it” and related cleanup steps (del commands).

Indicators of Compromise

  • [IP Addresses] 142.111.77[.]196 – Download of malicious payload
  • [Filename] Temp.b (also known as package.db) – d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277, First Seen 2024-07-03 05:57:16 UTC
  • [NPM Authors] nagasiren978
  • [Packages] harthat-hash, harthat-api

Read more: https://securitylabs.datadoghq.com/articles/stressed-pungsan-dprk-aligned-threat-actor-leverages-npm-for-initial-access