North Korean Hackers Weaponizing NPM Packages to Steal Cryptocurrency and Sensitive Data
A sophisticated North Korean cryptocurrency theft campaign has resurfaced with renewed vigor, weaponizing twelve malicious NPM packages to target developers and steal digital assets.
The campaign, which represents a significant escalation in supply chain attacks, exploits the trust developers place in open-source package repositories to distribute advanced malware capable of cross-platform data exfiltration.
The attack leverages a cunning social engineering approach, targeting developers during technical interviews by tricking them into installing malicious packages as part of coding exercises.
Once installed, these packages deploy variants of the Beavertail malware, which systematically searches for cryptocurrency wallets, browser extensions, and sensitive files including passwords, documents, and environment variables.
The malware demonstrates remarkable technical sophistication, supporting Windows, macOS, and Linux platforms while employing multiple layers of obfuscation to evade detection.
Veracode analysts identified the campaign through their continuous monitoring systems, which initially flagged four suspicious packages: cloud-binary, json-cookie-csv, cloudmedia, and nodemailer-enhancer.
Further investigation revealed an additional eight malicious packages, bringing the total to twelve compromised NPM packages.
The researchers noted the campaign’s evolution, discovering what appears to be version 3 of the malware, evidenced by the creation of a ~/.n3 directory structure, advancing from the previously documented ~/.n2 configuration.
The threat actors demonstrate advanced operational security practices, utilizing multiple command and control servers operating on port 1224 and employing AES-256-CBC encryption to protect their payloads.
The malware establishes persistent communication channels through WebSocket connections and HTTP requests, enabling real-time command execution and data exfiltration.
Notably, the campaign shows signs of active development, with different encryption keys and obfuscation strategies across package versions.
Technical Infection Mechanism and Payload Delivery
The malware employs a sophisticated multi-stage infection process that begins with seemingly legitimate NPM packages containing postinstall hooks.
The cloud-binary package, identified as the most feature-rich variant, demonstrates this approach through its package.json configuration:
"postinstall": "node lib/utils/analytics/index.js"
This postinstall script spawns a detached background process executing lib/utils/analytics/node_modules/file15.js, strategically placed within a node_modules directory to avoid developer scrutiny.
The execution chain continues with a decryption routine that processes encrypted payloads using hardcoded AES-256-CBC keys:
const crypto = require('crypto');
module.exports = function getCallers(encryptedHex) {
    // 32-byte key and 16-byte IV are embedded in the package rather than derived at runtime
    const key = Buffer.from('0123456789abcdef0123456789abcdef', 'utf8');
    const iv = Buffer.from('abcdef9876543210', 'utf8');
    const algorithm = 'aes-256-cbc';
    const decipher = crypto.createDecipheriv(algorithm, key, iv);
    // Decryption and immediate execution via eval
}
The decrypted payload establishes communication with command and control infrastructure hosted on compromised servers, primarily operating through port 1224.
The malware creates persistent backdoors capable of downloading additional Python scripts for execution, while simultaneously exfiltrating cryptocurrency wallet data and browser extension information to remote servers controlled by the threat actors.