
The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles further across the npm ecosystem, with the discovery of more malicious packages that deliver the BeaverTail malware and a new remote access trojan (RAT) loader.
“These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, demonstrating variation in the threat actors' obfuscation techniques,” Socket security researcher Kirill Boychenko said in a report.
The packages, which were collectively downloaded over 5,600 times before being taken down, are listed below:
empty-array-validator, twitterapis, dev-debugger-vite, snore-log, core-pino, events-utils, icloud-cod, cln-logger, node-colog, consolidate-log, consolidate-logger
This disclosure comes almost a month after a set of six npm packages was found delivering BeaverTail, a JavaScript stealer that can in turn deploy a Python-based backdoor called InvisibleFerret.

The ultimate goal of the campaign is to break into developer systems under the guise of a job interview process, steal sensitive data, siphon financial assets, and maintain long-term access to the compromised systems.
The newly identified npm libraries pose as utilities and debuggers. One of them, dev-debugger-vite, uses a command-and-control (C2) address previously used by the Lazarus Group in December 2024 in the campaign codenamed Phantom Circuit.
What sets these packages apart is that some of them, such as events-utils and icloud-cod, are linked to Bitbucket repositories rather than GitHub. Furthermore, the icloud-cod package was found to be hosted within a directory named “eiwork_hire”.
Analysis of the packages cln-logger, node-colog, consolidate-log, and consolidate-logger also reveals minor code-level variations, indicating that the attackers are publishing multiple malware variants to increase the success rate of their campaign.

Regardless of the variations, the malicious code embedded in the four packages acts as a remote access trojan (RAT) loader capable of fetching a next-stage payload from a remote server.
“The Contagious Interview threat actors continue to create new npm accounts and deploy malicious code across platforms such as the npm registry, GitHub, and Bitbucket, demonstrating persistence and showing no signs of slowing down,” Boychenko said.
“Advanced persistent threat (APT) groups are diversifying their tactics. They publish new malware under fresh aliases, host payloads on both GitHub and Bitbucket repositories, and reuse core components such as BeaverTail and InvisibleFerret alongside newly observed RAT/loader variants.”
BeaverTail Drops Tropidoor
The disclosure coincides with details from South Korean cybersecurity company AhnLab of a recruitment-themed phishing campaign that uses BeaverTail to deploy a previously undocumented Windows backdoor codenamed Tropidoor. Artifacts analyzed by the company show that BeaverTail is being actively used to target Korean developers.

The email message, which claimed to be from a company called AutoSquare, contained a link to a project hosted on Bitbucket and urged recipients to clone the project locally on their machines to confirm their understanding of the program.
The project is nothing more than an npm library containing BeaverTail (“tailwind.config.js”) and a DLL downloader (“car.dll”).

Tropidoor is a backdoor that contacts its C2 server to receive instructions, allowing it to exfiltrate files, collect drive and file information, run and terminate processes, capture screenshots, and delete or wipe files by overwriting them with null or junk data.
A notable aspect of the implant is that it directly implements Windows commands such as schtasks, ping, and reg, a feature also observed in another Lazarus Group malware called LightlessCan.
“Users need to be careful not only about email attachments, but also about executables from unknown sources,” AhnLab said.