
Google has officially attributed a supply chain breach of the popular Axios npm package to a cluster of financially motivated North Korean threat operations tracked as UNC1069.
“We believe this attack was the work of a suspected North Korean threat actor, which we track as UNC1069,” John Hultquist, principal analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.
“North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrencies. The full extent of this incident is still unknown, but given the popularity of the compromised packages, we expect it to have far-reaching impact.”
This development comes after threat actors pushed out two trojanized versions of Axios, 1.14.1 and 0.30.4, that introduced a malicious dependency named “plain-crypto-js”. The dependency was used to seize control of package administrators’ npm accounts and to deliver a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.
Rather than modifying Axios’s own code, the attack relies on post-installation hooks in the malicious dependency’s “package.json” file to execute stealthily: once a compromised Axios version is installed, npm automatically runs the malicious code in the background.
Specifically, the “plain-crypto-js” package acts as a “payload delivery vehicle” for an obfuscated JavaScript dropper called SILKBELL (“setup.js”) that retrieves the appropriate next stage from a remote server based on the victim’s operating system.
As previously detailed on The Hacker News, the execution branches deliver PowerShell malware for Windows, C++ Mach-O binaries for macOS, and Python backdoors for Linux. The dropper then cleans up after itself, deleting its own files and replacing the “package.json” file of “plain-crypto-js” with a clean version that contains no post-installation hooks.
Image source: Elastic Security Labs
The backdoor, codenamed WAVESHAPER.V2, is assessed to be an updated version of WAVESHAPER, a C++ backdoor previously used by UNC1069 in attacks targeting the cryptocurrency sector; the group has been active since 2018. The link between the supply chain attack and UNC1069 was first reported by Elastic Security Labs on the basis of functional overlap.
The three WAVESHAPER.V2 variants support four different commands and send beacons to a command and control (C2) server at 60 second intervals.
kill: terminates the malware process.
rundir: enumerates a directory listing with file paths, sizes, and creation/modification timestamps.
runscript: runs an AppleScript, PowerShell, or shell command, depending on the victim’s operating system.
peinject: decodes and executes arbitrary binaries.
“WAVESHAPER.V2 is a direct evolution of WAVESHAPER, the macOS and Linux backdoor previously identified as the source of UNC1069,” Mandiant and GTIG said. “While the original WAVESHAPER uses a lightweight raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands.”
“Despite these upgrades, both versions dynamically accept C2 URLs via command-line arguments, share identical C2 polling behavior and uncommon user agent strings, and deploy secondary payloads to the same temporary directory (for example, /Library/Caches/com.apple.act.mond).”
To mitigate this threat, users can audit the dependency tree for the compromised versions (downgrading to a safe version if found), pin Axios to a known safe version in ‘package-lock.json’ to prevent accidental upgrades, check for the presence of ‘plain-crypto-js’ in ‘node_modules’, terminate malicious processes, block the C2 infrastructure (domain sfrclak[.]com and IP address 142.11.206[.]73), isolate the affected system, and rotate all credentials.
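As an added example that is not part of the article, and not code from Axios or npm, the following Node.js script applies the audit steps above to a lockfile: it flags the two trojanized Axios versions, the plain-crypto-js dependency, and any package the lockfile records as carrying an install script, and it inspects a package.json for the lifecycle hooks the dropper abused. The lockfile and package.json contents are constructed for the demonstration; the only real values are the package names and versions named in the article.

```javascript
// Added defender-side audit example; lockfile and package.json below are constructed.
// Indicators come from the article: trojanized Axios releases and the malicious dependency.
const COMPROMISED_AXIOS = new Set(['1.14.1', '0.30.4']);
const MALICIOUS_PACKAGE = 'plain-crypto-js';
// npm lifecycle hooks that run automatically at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/" prefix.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? lockPath : lockPath.slice(idx + 'node_modules/'.length);
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = packageName(path);
    if (name === 'axios' && COMPROMISED_AXIOS.has(entry.version)) {
      findings.push({ path, reason: `axios ${entry.version} is a trojanized release` });
    }
    if (name === MALICIOUS_PACKAGE) {
      findings.push({ path, reason: `${MALICIOUS_PACKAGE} is the malicious dependency` });
    }
    // npm records hasInstallScript for packages that declare an install-time script.
    if (entry.hasInstallScript) {
      findings.push({ path, reason: 'declares an install-time lifecycle script' });
    }
  }
  return findings;
}

// Return the install-time hooks declared in a package.json object
// (for example one read from node_modules/<name>/package.json).
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Constructed sample lockfile, not captured from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1', hasInstallScript: false },
    'node_modules/plain-crypto-js': { version: '1.0.0', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and feed each `node_modules/<name>/package.json` to installHooks; a flagged install script is a reason to inspect, not proof of compromise.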
“The Axios attack should be understood as a template rather than a one-time event. The level of operational sophistication documented here, including compromised maintainer credentials, a pre-staged payload built for three operating systems, both release branches hitting within 40 minutes, and built-in forensic self-destruct capabilities, reflects the threat actor planning this as a scalable operation,” Tomislav Peričin, chief software architect at ReversingLabs, told The Hacker News.
“If this campaign is now appearing on PyPI and NuGet, that is consistent with what the attack mechanisms are already suggesting. The goal was to maximize developer reach. Organizations should audit not just their npm dependencies, but all package managers that feed their build pipelines, and treat secrets exposed in affected environments as compromised, regardless of which registry was accessed.”
