North Korean state-sponsored threat actors were observed pushing malicious packages into the npm registry, in an attempt to infiltrate endpoints belonging to software developers.
This time around, they were spotted by cybersecurity researchers from Phylum, who argue the end goal of the campaign is to steal people’s cryptocurrencies.
According to the researchers, the attack started on August 12 this year. Multiple malicious npm packages were uploaded, including temp-etherscan-api, and two versions of ethersscan-api. More than a week later, the crooks uploaded telegram-con, and another version of ethersscan-api, and some time later, qq-console. Chances are, there are even more packages out there.
InvisibleFerret and Lazarus
All these npm packages are just a cog in a wider wheel of a malicious campaign the researchers dubbed “Contagious Interview”. The crooks would ‘impersonate’ a major software development company (be it in web2 or web3), and pretend to offer a great new job opportunity to the victims. Sometimes, they would reach out via LinkedIn, and sometimes, via instant messaging platforms such as Telegram.
The victims, usually software developers already working on blockchain-based solutions, would be offered a great job with a significant salary increase, and would be invited for a series of interviews. In one of those interviews, they would either be asked to download and open a .PDF file or, in this case, an npm package.
These packages deploy a piece of Python malware called InvisibleFerret, capable of exfiltrating sensitive data from cryptocurrency wallet browser extensions.
Although the researchers never mention them by name, this is a method usually deployed by the North Korean state-sponsored group known as Lazarus.
Lazarus is one of the largest, most disruptive hacking collectives to come out of North Korea. It’s been attributed with some of the largest cryptocurrency heists in history, including the theft of more than $600 million. Allegedly, the country is using the money to fund its state apparatus, as well as its weapons program.
Via The Hacker News
