North Korea’s Post-Infection Python Payloads

North Korean threat actors are expanding their post-infection toolkit by adopting Python-based payloads delivered through NPM packages, moving beyond DLLs. The article details a multi-stage Python workflow (main_[campaign ID].py, brow_[campaign ID].py, pay_[campaign ID].py, any_[campaign ID].py) and a Frontend.zip package used to deploy malware and exfiltrate browser data. Hashtags: #NorthKoreanThreatActor #Frontend.zip

Keypoints

  • The North Korean threat actor group has been using malicious Node packages (NPM) to deploy malware to developers and other victims, with recent detail on post-infection payloads beyond DLLs.
  • The campaign appears to rely on a Python-based, multi-stage workflow, possibly to gain speed and make tools look legitimate, alongside or in parallel with DLL delivery.
  • Malicious files analyzed include Frontend.zip and several Python scripts such as main_[campaign ID].py, brow_[campaign ID].py, pay_[campaign ID].py, and any_[campaign ID].py.
  • main_[campaign ID].py is obfuscated and downloads the next-stage payloads, functioning as the initial backdoor and as a launcher for additional components.
  • brow_[campaign ID].py contains a ChromeBase class that can extract data from multiple Chromium-based browsers (from their Login.db and webdata.db files), forming a browser data theft capability.
  • Pay.py performs triage (OS, hostname, username, geolocation) and then executes backdoor actions via a second C2, including uploading files, keylogging, and downloading AnyDesk for unattended access.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – “download_payload() – downloads a script that serves as the malware’s main backdoor” and “download_browse() – downloads an additional browser data stealing component.”
  • [T1027] Obfuscated/Compressed Files and Information – “The main file is hosted on the threat actor’s server… This is an obfuscated Python script.”
  • [T1082] System Information Discovery – “Collects the operating system, version, hostname, and username.”
  • [T1555.003] Credentials in Web Browsers – “extracts information from the Login.db file and credit card information from the webdata.db file.”
  • [T1059] Command and Scripting Interpreter – “ssh_cmd – close the session; ssh_obj – execute command-line commands.”
  • [T1041] Exfiltration Over C2 Channel – “The collected information is sent directly to the C2, in this file’s case using an endpoint named ‘keys’.”
  • [T1219] Remote Access Software – “AnyDesk … an unattended client,” including “credentials” to bypass prompts.
  • [T1056] Input Capture – “The keylogger is constructed using PyHook and continuously runs… the keystrokes are sent directly as a buffer to the threat actor.”

Indicators of Compromise

  • [File Hash] 8b2f2fad1d1f1e6ad915ea2224dd9f8544edf4aaf910ab9b3a3112cc5806f16d, 72400a957654371be9363fdd2753ffea8f240a8b3e6e03edc116f8da96fa3ce4 – Frontend.zip and brow_[campaign ID].py (observed in VirusTotal)
  • [File Name] Frontend.zip, main_[campaign ID].py – malicious package and one of the main Python scripts
  • [Domain] ip-api.com – geolocation service used during the triage stage
  • [Directory] .n2 – directory created in the root of the user folder for payloads
  • [File Name] Login.db, webdata.db – browser credential and data databases targeted by the browser stealer
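The indicators above can be turned into a simple host-triage check that a responder runs over a file inventory (path plus SHA-256). The following is an added example, not code from the original article or from the norfolkinfosec post it summarizes. It assumes POSIX user-folder layouts (/home/<user> or /Users/<user>), assumes campaign IDs are alphanumeric since the page does not give their format, and uses a constructed inventory in which only the two hashes taken from the indicator list are real; the other hashes are placeholders.

```python
"""Added example (not from the original article): match a constructed file
inventory against the indicators listed in the summary above."""
import re
from pathlib import PurePosixPath
from typing import Dict, Iterable, List, Tuple

# SHA-256 indicators from the summary (Frontend.zip and brow_[campaign ID].py).
IOC_SHA256 = {
    "8b2f2fad1d1f1e6ad915ea2224dd9f8544edf4aaf910ab9b3a3112cc5806f16d": "Frontend.zip",
    "72400a957654371be9363fdd2753ffea8f240a8b3e6e03edc116f8da96fa3ce4": "brow_[campaign ID].py",
}

# Malicious package name from the summary.
IOC_FILENAMES = {"Frontend.zip"}

# Script naming scheme from the summary: <stage>_<campaign ID>.py.
# The campaign ID format is not given; an alphanumeric run is an assumption.
STAGE_SCRIPT_RE = re.compile(r"^(main|brow|pay|any)_[A-Za-z0-9]+\.py$")

# Directory the summary reports being created in the root of the user folder.
STAGING_DIR = ".n2"


def matches_stage_script(name: str) -> bool:
    """True if a file name follows the main_/brow_/pay_/any_<ID>.py scheme."""
    return STAGE_SCRIPT_RE.match(name) is not None


def in_user_root_staging_dir(path: PurePosixPath) -> bool:
    """True for /home/<user>/.n2/... or /Users/<user>/.n2/... (assumed layouts)."""
    parts = path.parts  # ('/', 'home', 'alice', '.n2', 'main_x.py')
    return len(parts) >= 4 and parts[1] in ("home", "Users") and parts[3] == STAGING_DIR


def scan_inventory(records: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every record matching at least one indicator.

    Each record is (absolute POSIX path, hex SHA-256). Reasons are listed in
    the order hash, file name, stage-script pattern, staging directory.
    """
    findings: Dict[str, List[str]] = {}
    for raw_path, digest in records:
        path = PurePosixPath(raw_path)
        reasons: List[str] = []
        label = IOC_SHA256.get(digest.lower())
        if label:
            reasons.append(f"sha256 matches IoC ({label})")
        if path.name in IOC_FILENAMES:
            reasons.append(f"file name matches {path.name}")
        if matches_stage_script(path.name):
            reasons.append(f"name matches stage-script pattern ({path.name})")
        if in_user_root_staging_dir(path):
            reasons.append(f"inside user-root {STAGING_DIR} directory")
        if reasons:
            findings[raw_path] = reasons
    return findings


# Constructed inventory. The Frontend.zip and brow_ hashes are the two from the
# indicator list; the remaining digests are placeholders, not real file hashes.
SAMPLE_INVENTORY = [
    ("/home/alice/Downloads/Frontend.zip",
     "8b2f2fad1d1f1e6ad915ea2224dd9f8544edf4aaf910ab9b3a3112cc5806f16d"),
    ("/home/alice/.n2/main_7f3a1c.py", "1" * 64),      # placeholder digest
    ("/home/alice/project/app.py", "2" * 64),          # benign, placeholder digest
    ("/home/alice/.n2/brow_7f3a1c.py",
     "72400a957654371be9363fdd2753ffea8f240a8b3e6e03edc116f8da96fa3ce4"),
]


if __name__ == "__main__":
    for hit, why in scan_inventory(SAMPLE_INVENTORY).items():
        print(hit)
        for reason in why:
            print("   -", reason)
```

A hash hit is the only high-confidence signal here; the name pattern and the `.n2` directory are weaker and are reported separately so an analyst can weigh them. Windows paths would need a `%USERPROFILE%`-style check in place of the POSIX layout assumed above.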

Read more: https://norfolkinfosec.com/north-koreas-post-infection-python-payloads/