North Korean Hackers Exploit NPM Packages to Steal Cryptocurrency and Sensitive Data
Veracode Threat Research has uncovered a sophisticated North Korean cryptocurrency theft operation that continues to evolve, building on campaigns previously reported in February and June 2024.
This latest iteration involves twelve malicious NPM packages, including cloud-binary, json-cookie-csv, cloudmedia, and nodemailer-enhancer, which were flagged by automated monitoring systems and subsequently removed from the NPM registry.
The attackers, suspected to be state-sponsored actors aiming to fund sanctioned activities, impersonate recruiters offering fake developer jobs.
During simulated interviews, victims are tricked into installing these packages as part of coding exercises, such as running unit tests that execute hidden malware.
This tactic exploits trust in the hiring process to deploy payloads that exfiltrate cryptocurrency wallet data, browser extension credentials, and other sensitive files from developers’ machines, potentially enabling corporate network breaches.
Targets Developers Through Fake Job Interviews
The malware, identified as variants of the Beavertail family, employs advanced obfuscation and encryption techniques, with payloads often hidden in innocuous files like licenses or analytics scripts.
For instance, in cloud-binary (a typosquat of the legitimate cloudinary package), a postinstall hook triggers a detached process that decrypts an AES-256 encrypted payload using a fixed key and IV, revealing obfuscated JavaScript.
This code supports cross-platform operations on Windows, macOS, and Linux, enumerating system details like OS type, username, and platform before searching for crypto-related browser extensions (e.g., MetaMask, Phantom) by their IDs.
It collects and exfiltrates files such as .log and .ldb databases containing private keys and seed phrases, alongside documents, PDFs, screenshots, and macOS Keychain data.
Additional features include downloading second-stage payloads via curl from command-and-control (C2) servers, executing arbitrary Python scripts fetched from endpoints like http://144.172.105.235:1224/client/5346/324, and establishing WebSocket connections for remote shell command execution.
Shared Infrastructure Reveals Attacker Links
Investigations revealed code similarities across packages, such as the creation of a ~/.n3 directory, suggesting this is version 3 of the malware.
Encryption keys and C2 infrastructure, including ports like 1224, are reused, linking these to prior attacks.
Variants differ in complexity: some, like nodemailer-enhancer, hide payloads in hex-encoded license files decrypted with high-entropy keys, while others like json-cookie-csv incorporate backup C2 servers and axios requests to fetch additional obfuscated JavaScript from endpoints like https://api.npoint.io/e5a5e32cdf9bfe7d2386, which includes campaign flags.
Intriguingly, some payloads contain taunting messages, hinting at possible involvement of multiple actors or internal rivalries. Veracode’s Package Firewall blocked most packages preemptively, and notifications to NPM ensured their removal.
This campaign underscores the risks in open-source ecosystems, where attackers leverage supply-chain vulnerabilities to target high-value assets like crypto holdings and corporate secrets.
Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| http://144.172.105.235:1224 | C2 #1 |
| http://45.61.128.61:1224 | C2 #2 |
| http://144.172.106.7:1224 | C2 #3 |
| http://144.172.109.98:1224 | C2 #4 |
| http://144.172.104.10:1224 | C2 #5 |
| http://45.61.165.45:1224 | C2 #6 |
| http://45.61.150.67:1224 | C2 backup |
| http://135.181.123.177 | C2 WebSocket #1 |
| http://95.216.46.218 | C2 WebSocket #2 |
| https://api.npoint.io/e5a5e32cdf9bfe7d2386 | C2 axios request |
| f11e5d193372b6986b7333c0367ed2311f7352b94b079220523384a3298f5e87 | SHA256 hash of decrypted cloud-binary and cloudmedia payload |