Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads

North Korean threat actors behind the Contagious Interview operation have expanded their infiltration of the npm ecosystem with 11 new malicious packages that deliver the BeaverTail malware and, in the newest variants, a loader for a remote access trojan (RAT). The packages use hexadecimal string encoding to evade static detection and link to live GitHub and Bitbucket repositories to appear legitimate, giving the group persistent access to developer systems from which it steals credentials and other sensitive data. Because the activity spans npm, GitHub and Bitbucket, the campaign underlines the need for robust controls around third-party dependencies in software development.

Affected: npm, GitHub, Bitbucket, developers, software supply chains

Key points:

  • Contagious Interview operation by North Korean threat actors targets npm ecosystem.
  • New malicious packages deliver BeaverTail malware and introduce RAT loader functionality.
  • Threat actors use hexadecimal string encoding to evade detection.
  • Multiple npm accounts created to distribute malicious code.
  • Malicious packages primarily masquerade as utilities for common programming tasks.
  • npm has suspended the accounts and packages, but the campaign continues to publish new ones.
  • Links to Lazarus Group identified through shared command and control (C2) infrastructure.
  • Malicious code aims to extract sensitive information from developer systems.
  • Packages maintain a façade of legitimacy by linking to live code repositories on GitHub and Bitbucket.
  • Recommendations include automated dependency audits and contextual scanning of third-party packages.

MITRE techniques:

  • T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
  • T1608.001 — Stage Capabilities: Upload Malware
  • T1204.002 — User Execution: Malicious File
  • T1059.007 — Command and Scripting Interpreter: JavaScript
  • T1027.013 — Obfuscated Files or Information: Encrypted/Encoded File
  • T1546.016 — Event Triggered Execution: Installer Packages
  • T1005 — Data from Local System
  • T1082 — System Information Discovery
  • T1083 — File and Directory Discovery
  • T1217 — Browser Information Discovery
  • T1555.003 — Credentials from Password Stores: Credentials from Web Browsers
  • T1555.001 — Credentials from Password Stores: Keychain
  • T1041 — Exfiltration Over C2 Channel
  • T1105 — Ingress Tool Transfer
  • T1119 — Automated Collection
  • T1657 — Financial Theft

Indicators of compromise:

  • [Malicious Package] empty-array-validator
  • [Malicious Package] twitterapis
  • [Malicious Package] dev-debugger-vite
  • [Malicious Package] snore-log
  • [Malicious Package] core-pino
  • [IP Address] 144.172.87[.]27
  • [IP Address] 45.61.151[.]71
  • [IP Address] 185.153.182[.]241
  • [URL] http://mocki[.]io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b
  • [Email] kevintracy516@gmail[.]com

Full Story: https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket