Chollima APT Group Targets Job Seekers and Organizations with JavaScript-Based Malware


The North Korean-linked Chollima advanced persistent threat (APT) group, also known as Famous Chollima, has been orchestrating a persistent cyber espionage campaign since at least December 2022, primarily targeting job seekers in the software development and IT sectors to infiltrate a wide array of United States-based organizations.

This operation leverages intricate social engineering techniques, where attackers pose as recruiters or job applicants using fabricated identities to lure victims into seemingly legitimate online interviews conducted via video conferencing or collaboration platforms.

Sophisticated Social Engineering

By exploiting the pressures inherent in job hunting, such as the urgent need for employment or the pursuit of freelance work, the threat actors convince participants to download and install malicious Node Package Manager (NPM) packages hosted on GitHub.

These packages are presented as benign software for review or technical assessment during the interview, but they embed obfuscated JavaScript payloads designed to deploy cross-platform backdoor malware, including the Python-based InvisibleFerret, capable of running on Windows, Linux, and macOS.

This approach not only capitalizes on the trust developers place in GitHub as a daily tool but also exploits the common practice of screen-sharing and code testing in technical interviews, making the infection process appear routine and non-suspicious.

In some instances, attackers target recently laid-off individuals who may retain access to former employers’ systems or sensitive data, providing an indirect pathway to organizational networks without direct assaults on fortified corporate defenses.

Command-and-Control Mechanisms

The attack chain progresses through GitHub abuse as a supply-chain vector: attackers upload repositories containing malicious NPM packages that execute once the victim clones and runs them.


According to the report, these packages include obfuscated JavaScript code that installs dependencies and deploys the InvisibleFerret backdoor, which establishes a reverse TCP connection to a command-and-control (C2) server and uses XOR encryption to conceal its communications.

The backdoor’s capabilities encompass remote command execution, credential theft from browsers, and data exfiltration, all facilitated by JSON-formatted instructions from the C2 server that incorporate the same XOR key for decryption.

Notably, the reliance on Python for the backdoor is strategic: the targeted software engineers typically have Python environments pre-installed, so the payload runs seamlessly without raising alarms, whereas native Windows tools such as PowerShell are more likely to trigger security detections.

Attackers build these NPM packages with standard commands to initialize the project directory and embed the payload in files such as payload.js, initially testing with benign commands such as ‘whoami’ before replacing them with malicious code obfuscated using tools like BEAR-C2 to evade detection.
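A defender-side triage routine for the kind of package described above, added here as an example and not code from the report or the campaign: it flags install-time lifecycle hooks in package.json (which npm runs automatically on `npm install`, before anyone reads the code) and common obfuscation markers in the package's JavaScript files. The package contents, file names and heuristic patterns are constructed assumptions for illustration.

```python
"""Pre-execution triage of an NPM package handed over as an 'interview task'.
Example tooling with constructed inputs; nothing here is from the report."""
import re

# npm executes these scripts on `npm install` without any user prompt
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers of self-decoding or obfuscated JavaScript (assumed set)
PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\s*\("),
    "hex_escape_run": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "long_opaque_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

def hook_findings(package_json: dict) -> list:
    """Report any lifecycle script that would run at install time."""
    scripts = package_json.get("scripts") or {}
    return [f"lifecycle hook '{k}' runs: {scripts[k]}" for k in INSTALL_HOOKS if k in scripts]

def js_findings(source: str, name: str) -> list:
    """Report which obfuscation markers appear in one JavaScript file."""
    return [f"{name}: {label}" for label, rx in PATTERNS.items() if rx.search(source)]

def triage_package(package_json: dict, js_files: dict) -> list:
    """js_files maps file name -> source text. Returns all findings, empty if clean."""
    findings = hook_findings(package_json)
    for name, src in js_files.items():
        findings.extend(js_findings(src, name))
    return findings

# Constructed sample mimicking the pattern in the text: a hook runs payload.js,
# which decodes a stage and hands it to eval. 'aGVsbG8=' is base64 for 'hello'.
SAMPLE_PACKAGE_JSON = {
    "name": "interview-task",
    "scripts": {"postinstall": "node payload.js", "test": "jest"},
}
SAMPLE_JS = {
    "payload.js": (
        "const cp = require('child_process');\n"
        "eval(Buffer.from('aGVsbG8=', 'base64').toString());\n"
    ),
    "index.js": "module.exports = require('./payload');\n",
}

if __name__ == "__main__":
    for line in triage_package(SAMPLE_PACKAGE_JSON, SAMPLE_JS):
        print("FLAG:", line)
```

Run it against the unpacked tarball (`npm pack` output) rather than a cloned repo, since that is what `npm install` would actually execute.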

Mistakes in operational security, such as failing to disable repository comments, have occasionally exposed these repositories when researchers left warnings, underscoring the campaign’s human errors despite its technical sophistication.

Once deployed, the malware opens deceptive URLs mimicking legitimate login pages to harvest credentials, combining phishing elements with the reverse shell for persistent access.

This multi-stage tactic highlights Chollima’s adaptation to developer workflows, blending social manipulation with technical exploitation to pursue espionage goals against US entities. It underscores the need for heightened vigilance in job-related interactions and in any code review that involves running unfamiliar packages.
