The North Korean threat actors behind the ongoing Contagious Interview campaign are extending their reach into the npm ecosystem, publishing more malicious packages that deliver the BeaverTail malware as well as a new remote access trojan (RAT) loader.
"These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors' obfuscation techniques," Socket security researcher Kirill Boychenko said in a report.
The packages in question, which were collectively downloaded more than 5,600 times before their removal, are listed below:
- empty-array-validator
- twitterapis
- dev-debugger-vite
- snore-log
- core-pino
- events-utils
- icloud-cod
- cln-logger
- node-clog
- consolidate-log
- consolidate-logger
The disclosure comes nearly a month after a set of six npm packages was found distributing BeaverTail, a JavaScript stealer that is also capable of delivering a Python-based backdoor named InvisibleFerret.
The ultimate goal of the campaign is to infiltrate developer systems under the guise of a job interview process, steal sensitive data, siphon financial assets, and maintain long-term access to compromised systems.
The newly identified npm libraries masquerade as utilities and debuggers, with one of them, dev-debugger-vite, using a command-and-control (C2) address that SecurityScorecard had previously flagged as used by the Lazarus Group in a campaign dubbed Phantom Circuit in December 2024.
What makes these packages stand out is that some of them, such as events-utils and icloud-cod, are tied to Bitbucket repositories rather than GitHub, so a review process that only scrutinises GitHub-hosted payloads would miss them. In addition, the icloud-cod package was found hosted in a directory named "eiwork_hire", reusing the interview-related theme to trigger the infection.
Analysis of the packages cln-logger, node-clog, consolidate-log, and consolidate-logger also uncovered minor code-level variations, indicating that the attackers are publishing multiple malware variants in an effort to increase the campaign's success rate.
Regardless of the changes, the malicious code embedded in the four packages functions as a remote access trojan (RAT) loader capable of retrieving a next-stage payload from a remote server.
"The Contagious Interview threat actors continue to create new npm accounts and deploy malicious code across platforms such as the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down," Boychenko said.
"The advanced persistent threat (APT) group is diversifying its tactics: publishing new malware under fresh aliases, hosting payloads in both GitHub and Bitbucket repositories, and reusing core components such as BeaverTail and InvisibleFerret alongside a newly observed RAT/loader variant."
BeaverTail Drops Tropidoor
The disclosure comes as South Korean cybersecurity company AhnLab detailed a recruitment-themed phishing campaign that delivers BeaverTail, which is then used to deploy a previously undocumented Windows backdoor named Tropidoor. Artifacts analyzed by the firm show that BeaverTail is being used to actively target developers in South Korea.
The email message, which purported to come from a company called AutoSquare, contained a link to a project hosted on Bitbucket, urging the recipient to clone the project onto their machine to review it and demonstrate their understanding of the program.
The application is nothing but an npm library containing BeaverTail ("tailwind.config.js") and a malicious DLL downloader ("car.dll"), the latter of which is launched by the JavaScript stealer-loader.
Tropidoor is a backdoor that "operates in memory through the downloader" and is capable of contacting a C2 server to receive instructions that let it exfiltrate files, collect drive and file information, run and terminate processes, capture screenshots, and delete or wipe files by overwriting them with NULL bytes or junk data.
An important aspect of the implant is that it directly implements Windows commands such as schtasks, ping, and reg rather than spawning the corresponding binaries, a feature previously observed in another Lazarus malware called LightlessCan, a successor to BLINDINGCAN (aka AIRDRY or ZetaNile). Detection logic that keys on child processes named schtasks.exe, ping.exe or reg.exe will therefore not fire on this activity.
"Users need to be cautious not only with email attachments but also with executable files from unknown sources," AhnLab said.