Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages

MITRE Techniques

• [T1195.002] Supply Chain Compromise – Compromising npm packages to deliver malware. “The Socket Threat Research Team has uncovered an extended North Korean supply chain attack that hides behind typosquatted npm packages.”
• [T1608.001] Stage Capabilities: Upload Malware – Deploying multi-stage payloads including BeaverTail and InvisibleFerret. “‘BeaverTail malware… designed for targeted data theft and persistent access.’”
• [T1204.002] User Execution: Malicious File – Victims pressured to run malicious code from fake job assignments on LinkedIn. “‘The threat actors send coding “assignments”… pressure candidates to run the code outside containerized environments while screen-sharing.’”
• [T1059.007] Command and Scripting Interpreter: JavaScript – Use of eval() to execute decoded scripts. “‘Then execute it by calling eval().’”
• [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – HexEval Loader uses hex-encoded strings for module names and URLs. “‘To evade static analysis, the threat actors encode module names and C2 URLs as hexadecimal strings.’”
• [T1546.016] Event Triggered Execution: Installer Packages – Malicious npm packages run during installation. “‘Each malicious package contains a hex-encoded loader we call HexEval. When the package installs… fetches and runs BeaverTail.’”
• [T1005] Data from Local System – BeaverTail searches local files for browser and wallet data. “‘BeaverTail scans local file systems for browser artifacts… cryptocurrency wallets… and macOS keychain databases.’”
• [T1082] System Information Discovery – HexEval collects host metadata such as platform, hostname, username, and MAC address. “‘HexEval Loader collects host metadata… platform: os.platform(), hostname: os.hostname().’”
• [T1083] File and Directory Discovery – BeaverTail enumerates files under approximately 200 profile directories. “‘BeaverTail scans local file systems across approximately 200 profile directories.’”
• [T1217] Browser Information Discovery – Targeting cookies, IndexedDB, extensions from browsers like Brave, Chrome, and Opera. “‘It searches for cookies, IndexedDB files, and extensions…’”
• [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Extracts browser credentials. “‘Targeting credentials from web browsers and their extensions.’”
• [T1555.001] Credentials from Password Stores: Keychain – Extracts macOS keychain data. “‘…macOS keychain databases.’”
• [T1056.001] Input Capture: Keylogging – jsonsecs package implements keystroke capture on multiple platforms. “‘A cross-platform keylogger package that captures every keystroke.’”
• [T1041] Exfiltration Over C2 Channel – Malware communicates with C2 servers via HTTPS POST requests to exfiltrate data. “‘Module issues an HTTPS POST request to its C2 server… evaluates returned code.’”
• [T1105] Ingress Tool Transfer – Downloading additional payloads like InvisibleFerret. “‘BeaverTail downloads additional payloads… which are extracted.’”
• [T1119] Automated Collection – Automated collection of host system data including environment variables and system info. “‘Collects environment variables, platform, hostname, username, and MAC address.’”
• [T1657] Financial Theft – Targeting cryptocurrency wallet files for theft. “‘BeaverTail also targets cryptocurrency wallets, attempting to extract files like Solana’s id.json, Exodus wallet data.’”