Admin

Developers under Attack by North Korean Hackers via Malicious npm Packages




Title: North Korean Threat Actors Engage in Coordinated Malware Attacks Targeting Cryptocurrency Developers

Introduction:
In recent years, the world has witnessed a rise in cyber threats and attacks, with attackers constantly refining their techniques to infiltrate systems and exploit vulnerabilities. One such threat emanates from North Korea, where threat actors are increasingly using sophisticated methods to target cryptocurrency developers. In this article, we will delve into the recent wave of malicious packages found on the npm registry, examine the tactics employed by North Korean actors, and discuss the implications of their actions.

Coordinated Malware Attacks:
Between August 12 and 27, 2024, a series of malicious packages were discovered on the npm registry. These packages included names such as temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. The relentless nature of these attacks suggests a coordinated effort to compromise developers’ systems in order to steal valuable cryptocurrency assets.

The Connection to Contagious Interview:
Software supply chain security firm Phylum has attributed one of the packages, qq-console, to a North Korean campaign known as “Contagious Interview.” This ongoing campaign employs various techniques to trick software developers into downloading fake npm packages or installers for video conferencing software. By impersonating a job interview process, the attackers successfully infect the developer’s system with information stealing malware.

Payload Deployment:
The ultimate goal of these attacks is to deploy a payload named InvisibleFerret, coded in Python. InvisibleFerret is designed to exfiltrate sensitive data from cryptocurrency wallet browser extensions and establish persistence on the compromised host using legitimate remote desktop software such as AnyDesk. Cybersecurity company CrowdStrike has been tracking the activities of these threat actors under the codename Famous Chollima.

The Introduction of helmet-validate:
A notable addition to the recent wave of attacks is the helmet-validate package. This package takes a different approach: it embeds a JavaScript file, config.js, that retrieves JavaScript code hosted on the remote domain “ipcheck[.]cloud” and runs it directly with the eval() function. Intriguingly, the IP address of this domain (167[.]88[.]36[.]13) was previously associated with mirotalk[.]net, a decoy website used to distribute malware.

Moonstone Sleet: Another North Korean Threat Group:
In addition to Famous Chollima, another North Korean threat group known as Moonstone Sleet has been identified. This group is responsible for uploading packages such as sass-notification, which shares similarities with previously identified npm libraries like call-blockflow. Moonstone Sleet’s attacks involve using obfuscated JavaScript to execute batch and PowerShell scripts. These scripts download and decrypt a remote payload, execute it as a DLL, and attempt to erase all traces of malicious activity, leaving behind a seemingly benign package.

Insider Threat Operations:
In a startling discovery, CrowdStrike has linked Famous Chollima (formerly known as BadClone) to insider threat operations. These operations involve infiltrating corporate environments through malicious actors posing as legitimate employees. By obtaining fraudulent or stolen identity documents, the threat actors bypass background checks and gain employment within targeted organizations. The resumes of these malicious insiders often list previous employment at prominent companies, as well as lesser-known entities, with no visible employment gaps.

Motivation and Targeted Sectors:
While financial gain is the primary motivation behind these attacks, some incidents also involve the exfiltration of sensitive information. CrowdStrike has identified more than 100 unique companies that have been targeted over the past year. The majority of these companies are located in the United States, Saudi Arabia, France, the Philippines, and Ukraine. Various sectors have been prominently targeted, including technology, fintech, financial services, professional services, retail, transportation, manufacturing, insurance, pharmaceutical, social media, and media companies.

Insider Techniques and Tools:
Once the insider threat actors have gained access to victim networks, they often perform minimal tasks related to their job roles to avoid raising suspicion. Additionally, they attempt to exfiltrate data using various tools and platforms such as Git, SharePoint, and OneDrive. Notably, the insiders also install remote management and monitoring (RMM) tools like RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The use of these tools, combined with stolen company network credentials, allows the threat actors to establish connections from numerous IP addresses to the compromised systems.

Conclusion:
The rise of cryptocurrency has attracted not only legitimate investors but also threat actors seeking to exploit vulnerabilities in this relatively new digital realm. North Korean actors, in particular, have displayed a high level of sophistication in their coordinated malware attacks against cryptocurrency developers. By infiltrating the software supply chain and leveraging insider threats, they have demonstrated their adaptability and determination in pursuing their malicious objectives. It is imperative for the technology and financial sectors, as well as governments and regulatory bodies, to remain vigilant and enhance security measures to counter such threats effectively.
