FOCUS MODE
EXTRACT IOC
Threat Research

North Korean APT Lazarus Targets Developers with Malicious npm Package

admin
North Korean APT Lazarus Targets Developers with Malicious npm Package
Researchers have identified a malicious npm package named postcss-optimizer, linked to North Korean state-sponsored threat actors, specifically the Lazarus group. This package, which masquerades as a legitimate library, has been downloaded 477 times and contains the BeaverTail malware, functioning as both an infostealer and a loader. The malware targets developers across various operating systems, aiming to steal credentials and exfiltrate sensitive data. Affected: npm

Keypoints :

  • The malicious npm package is named postcss-optimizer.
  • It is associated with North Korean state-sponsored threat actors known as the Lazarus group.
  • The package has been downloaded 477 times.
  • It contains BeaverTail malware, which acts as both an infostealer and a loader.
  • The malware targets Windows, macOS, and Linux systems.
  • The threat actor uses social engineering tactics to persuade victims to install the malicious package.
  • Persistence is achieved through various methods, including registry modifications and script injections.
  • Malware exfiltrates sensitive data via HTTP POST requests to a command and control (C2) server.
  • The package remains live on npm despite its malicious nature.
  • Security measures such as dependency audits and automated scanning tools are recommended to mitigate risks.

MITRE Techniques :

  • T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
  • T1608.001 — Stage Capabilities: Upload Malware
  • T1204.002 — User Execution: Malicious File
  • T1059.007 — Command and Scripting Interpreter: JavaScript
  • T1059.006 — Command and Scripting Interpreter: Python
  • T1036.005 — Masquerading: Match Legitimate Name or Location
  • T1027.013 — Obfuscated Files or Information: Encrypted/Encoded File
  • T1546.016 — Event Triggered Execution: Installer Packages
  • T1048 — Exfiltration Over Alternative Protocol
  • T1583.006 — Acquire Infrastructure: Web Services
  • T1005 — Data from Local System
  • T1082 — System Information Discovery
  • T1083 — File and Directory Discovery
  • T1217 — Browser Information Discovery
  • T1555.003 — Credentials from Password Stores: Credentials from Web Browsers
  • T1555.001 — Credentials from Password Stores: Keychain
  • T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1071.001 — Application Layer Protocol: Web Protocols
  • T1041 — Exfiltration Over C2 Channel
  • T1105 — Ingress Tool Transfer
  • T1119 — Automated Collection
  • T1657 — Financial Theft

Indicator of Compromise :

  • [domain] 91.92.120[.]132
  • [url] hxxp://91.92.120[.]132:80/client/xxx
  • [url] hxxp://91.92.120[.]132:80/pdown
  • [url] hxxp://91.92.120[.]132:80/uploads
  • [email] surprise.eng000@gmail.com

Full Research: https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package

Tags: PAYLOAD, PERSISTENCE, RECONNAISSANCE, PASSWORD, EXFILTRATION, BACKDOOR, BROWSER, COLLECTION