Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

North Korea Still Attacking Developers via npm

Sept. 30, 2024, 10:18 a.m.

Description

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloads additional components, including Python scripts and interpreters, to exfiltrate sensitive data from cryptocurrency wallets and establish persistence. Some packages use different approaches, such as directly evaluating JavaScript from remote endpoints or executing batch and PowerShell scripts to deploy and conceal malware. This coordinated effort exploits the trust in the npm ecosystem to compromise developers, infiltrate companies, and steal cryptocurrency or other valuable assets.

Date

Published: Sept. 30, 2024, 10:02 a.m.

Created: Sept. 30, 2024, 10:02 a.m.

Modified: Sept. 30, 2024, 10:18 a.m.

Indicators

f7c142178605102ee56f7e486ba68b97f3f6b522994b24f4116dbbd2abc28cec

f1f3002dec6e36e692e087626edd9b6b0f95a176c0c204d4703ccb4f425aa317

d4f3113e1e0384bcf37c39678deb196fb5b39f15c4990134b6b8637be74e5a2e

aec21b53ee4ae0b55f5018fc5aaa5a4f095a239a64272ca42047c40ec3c212c0

94da263d603bf735ab85f829b564261e59a1d13915d21babe58e72435bfe32ab

5e5313aaf281c8a8eed29ba2c1aaa5aa65bc174bcd0be466f4533712599db758

2a00838ccd08b26c7948d1dd25c33a114dd81c3bcee3de595783e6f396e7f50e

0110318f70072171c0edc624c8e8be38892f984b121d6a5a5ced1f6b0b45dbd0

95.164.17.24

167.88.36.13

mirotalk.net

ipcheck.cloud

Attack Patterns

Contagious Interview

Moonstone Sleet

North Korea

T1059.003

T1059.001

T1571

T1059.007

T1555

T1070

T1547

T1105

T1102

T1140

T1027

Additional Informations

Technology