North Korea Continues Targeting Developers Through npm

North Korean-aligned threat actors have renewed activity targeting developers via malicious npm packages, employing multi-stage obfuscated JavaScript to download components, exfiltrate data, and establish persistence. The campaign leverages trust in the npm ecosystem to reach developers and companies, with packages such as temp-etherscan-api, ethersscan-api, qq-console, helmet-validate, and sass-notification linked to the operation. #ContagiousInterview #MoonstoneSleet #qq-console #helmet-validate #ethersscan-api #temp-etherscan-api

Key points

  • Renewed activity from North Korean-aligned groups observed since August 12, 2024.
  • Multiple malicious npm packages published, including temp-etherscan-api and ethersscan-api (with several versions).
  • Malware behaviors include downloading additional components and exfiltrating sensitive data.
  • Notable packages include qq-console and helmet-validate, which utilize obfuscated JavaScript.
  • Attack vectors involve remote payload execution and attempts to clean up traces of malicious activity.
  • Coordinated campaign exploiting trust in the npm ecosystem to target developers and companies.

MITRE Techniques

  • [T1195] Supply Chain Compromise – ‘Use of malicious npm packages to gain access to victim systems.’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – ‘Execution of obfuscated JavaScript to download and execute additional malware.’
  • [T1547] Boot or Logon Autostart Execution – ‘Establishing persistence through the installation of malware components.’
  • [T1041] Exfiltration Over C2 Channel – ‘Exfiltration of sensitive data from cryptocurrency wallet browser extensions.’
  • [T1071] Application Layer Protocol – ‘Use of remote servers to download additional payloads and execute commands.’

Indicators of Compromise

  • [Domain] ipcheck.cloud – used to fetch and execute remote payloads.
  • [IP Address] 167.88.36.13, 45.61.158.14, and 95.164.17.24 – associated infrastructure referenced in the campaign.
  • [File Hash] d4f3113e1e0384bcf37c39678deb196fb5b39f15c4990134b6b8637be74e5a2e, f1f3002dec6e36e692e087626edd9b6b0f95a176c0c204d4703ccb4f425aa317, and 5 more hashes
  • [Package Name] ethersscan-api – versions 0.0.1, 0.0.2, 0.0.3 (tarballs listed with SHA256 below)
  • [Package Name] qq-console – version 0.0.1
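As an added defender-side example (not code from the Phylum post), the following Node script audits a project's package-lock.json (lockfile v2/v3 "packages" map) for the package names listed above and for any dependency that declares an install-time lifecycle script, the usual hook for the obfuscated JavaScript this brief describes. The sample lockfile is constructed; the `@scope/native-addon` entry and the `left-pad` nesting are placeholders, not indicators from the page.

```javascript
// Added example: audit a package-lock.json for packages named in this brief
// and for dependencies that run preinstall/install/postinstall scripts.
const KNOWN_BAD = new Set([
  'temp-etherscan-api', 'ethersscan-api', 'qq-console',
  'helmet-validate', 'sass-notification',
]);

// Lockfile keys look like "node_modules/foo" or "node_modules/@scope/foo" and
// may be nested ("node_modules/a/node_modules/b"); take the innermost name.
function packageNameFromKey(key) {
  const m = key.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
  return m ? m[1] : null;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name) continue; // the "" key is the root project itself
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, version: entry.version, reason: 'listed in brief' });
    }
    // npm sets hasInstallScript when a dependency declares an install-time script
    if (entry.hasInstallScript) {
      findings.push({ name, version: entry.version, reason: 'install-time script' });
    }
  }
  return findings;
}

// Constructed sample lockfile; the ethersscan-api version is one of those
// listed in the IoC section, the other entries are placeholders.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/ethersscan-api': { version: '0.0.2', hasInstallScript: true },
    'node_modules/left-pad/node_modules/qq-console': { version: '0.0.1' },
    'node_modules/@scope/native-addon': { version: '2.0.0', hasInstallScript: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.name}@${f.version}`);
}
```

A real run would `JSON.parse` the project's lockfile instead of `SAMPLE_LOCK`; an install-script finding on an unfamiliar package is a prompt to read the script before installing, not proof of compromise.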

Read more: https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/