North Korea Still Attacking Developers via npm
Sept. 30, 2024, 10:18 a.m.
Description
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloads additional components, including Python scripts and interpreters, to exfiltrate sensitive data from cryptocurrency wallets and establish persistence. Some packages use different approaches, such as directly evaluating JavaScript from remote endpoints or executing batch and PowerShell scripts to deploy and conceal malware. This coordinated effort exploits the trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or other valuable assets.
Date
Published: Sept. 30, 2024, 10:02 a.m.
Created: Sept. 30, 2024, 10:02 a.m.
Modified: Sept. 30, 2024, 10:18 a.m.
Indicators
Attack Patterns
Contagious Interview
Moonstone Sleet
North Korea
T1059.003
T1059.001
T1571
T1059.007
T1555
T1070
T1547
T1105
T1102
T1140
T1027
Additional Information
Technology