August 30, 2024 at 02:42AM
Threat actors linked to North Korea are targeting developers with malware to steal cryptocurrency assets. The campaign involves publishing malicious packages to the npm registry. The attackers use various tactics, including fake job interviews and obfuscated JavaScript, to deploy malware and exfiltrate sensitive data. CrowdStrike has linked the group to insider threat operations in U.S. firms.
Key Takeaways from Meeting Notes:
– Threat actors with ties to North Korea have been targeting developers with malware to steal cryptocurrency assets.
– A recent wave of attacks involved malicious packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.
– The campaign known as ‘Contagious Interview’ aims to compromise software developers with information-stealing malware under the guise of a job interview process, using bogus npm packages or fake installers.
– The attacks deploy a Python payload named InvisibleFerret to exfiltrate sensitive data from cryptocurrency wallet browser extensions and establish persistence on the host using remote desktop software.
– The helmet-validate package uses an unconventional approach by embedding a piece of JavaScript code file called config.js to execute JavaScript hosted on a remote domain using the eval() function.
– Connections were noted between the attacks and previously uncovered npm libraries, revealing potential links between these sets of attacks.
– Another package, sass-notification, was attributed to a different North Korean threat group called Moonstone Sleet, featuring obfuscated JavaScript to write and execute batch and PowerShell scripts.
– Famous Chollima, linked to insider threat operations, poses as IT workers in U.S. firms by obtaining employment under false pretenses and infiltrating corporate environments.
– The threat actors behind these attacks have applied to or actively worked at over 100 unique companies, primarily located in the U.S., Saudi Arabia, France, the Philippines, and Ukraine, among others.
– Targeted sectors include technology, fintech, financial services, professional services, retail, transportation, manufacturing, insurance, pharmaceutical, social media, and media companies.
– Malicious insiders obtained employee-level access to victim networks, performed minimal tasks related to their job role, and attempted data exfiltration using various tools. They leveraged RMM tools in tandem with company network credentials, allowing numerous IP addresses to connect to the victims’ systems.