The North Korean threat actor known as the Lazarus Group was named a previously undocumented JavaScript implant as part of a limited targeted attack on the developer.
The active operation is called Marstech Mayhem by SecurityScorecard and malware is delivered by an open source repository hosted on GitHub, which is associated with a profile named “Successfriend.” Active profiles are no longer accessible on the code hosting platform since July 2024.
Implants are designed to collect system information and are embedded in websites and NPM packages, pose supply chain risks. The first appearance of malware in late December 2024 shows evidence. The attack has accumulated 233 confirmed victims across the US, Europe and Asia.
“The profile mentioned web development skills and learning blockchain that are aligned to Lazarus’ interests,” SecurityScorecard said. “The threat actors were pre-confused by various GitHub repositories and committed both obfuscated payloads.”
With an interesting twist, it is known that the implants present in the GitHub repository are different from the versions provided directly from the 74.119.194 command and control (C2) server.[.]129:3000/j/marstech1. It indicates that it may be under active development.
Its main responsibility is to search across Chromium-based browser directories for various operating systems and modify the extended-related settings, particularly related to Metamask cryptocurrency wallets. You can also download additional payloads from the same server on port 3001.
Other wallets targeted by malware include Exodus and Atoms above the window, Linux, and macO. Captured data will be extended to C2 endpoint “74.119.194[.]129:3000/Uploaded. ”
“Introduction of MarStech1 implants with layered obfuscation techniques – from flattening control flow to renaming dynamic variables in JavaScript to multi-stage XOR decoding in Python – provides both static and dynamic analysis. It highlights the sophisticated approach of threat actors to avoid it.”
This disclosure is part of the October-November 2024 contagious interview campaign, with at least three organizations in the broader cryptocurrency space, market establishment companies, online casinos and software development companies. It was revealed that he was targeted as a
The cybersecurity company tracks the cluster under the name Purplebravo, saying that North Korean IT workers behind the fraudulent employment scheme are behind the threat of cyber espionage. It is also tracked under the name CL-STA-0240, the famous Chorima and tenacious Punsan.
“Organisations that unconsciously hire No-Con South Korean IT workers are violating international sanctions and may be exposed to legal and financial impacts,” the company said. “More importantly, these workers will almost certainly act as insider threats, stealing their own information, promoting backdoor introductions, or greater cyber operations.”
Source link
