A recent surge in malicious npm packages has been linked to North Korean threat actors, reflecting a coordinated effort to compromise software developers and steal cryptocurrency assets. Security firms Phylum and CrowdStrike have identified the activity, attributing it to the North Korean campaign tracked as "Contagious Interview" and to the group CrowdStrike calls "Famous Chollima."
Malicious npm Packages
Between August 12 and 27, 2024, a new wave of malicious npm packages was detected, including:
- temp-etherscan-api
- ethersscan-api
- telegram-con
- helmet-validate
- qq-console
The qq-console package, in particular, is believed to be linked to the Contagious Interview campaign, which targets software developers under the guise of job interviews. These interviews lure developers into downloading fake npm packages or installers for video conferencing software, like MiroTalk, hosted on decoy websites.
Attack Techniques and Goals
The primary aim of these attacks is to deploy a Python payload called InvisibleFerret, capable of exfiltrating sensitive data from cryptocurrency wallet browser extensions. To maintain persistence on the victim’s host, the attackers use legitimate remote desktop software such as AnyDesk.
One of the newly identified malicious packages, helmet-validate, embeds a JavaScript file named config.js that fetches JavaScript hosted on "ipcheck[.]cloud" and runs it with eval(). This domain resolves to the same IP address previously used by mirotalk[.]net, suggesting that the fake npm package and the fake video conferencing installer share infrastructure.
Additionally, the sass-notification package, uploaded on August 27, 2024, shares characteristics with other previously discovered malicious npm packages like call-blockflow. These packages are linked to another North Korean group, Moonstone Sleet, known for using obfuscated JavaScript to deploy and execute malicious scripts.
Insider Threats and Famous Chollima
Famous Chollima, formerly known as BadClone, employs tactics beyond malicious npm packages. CrowdStrike reports that this group is involved in insider threat operations by posing as IT workers in legitimate employment settings. The group has successfully infiltrated over 100 companies worldwide, including those in the U.S., Saudi Arabia, France, the Philippines, and Ukraine.
Key tactics include:
- Using Fake Identity Documents: Threat actors use falsified or stolen identity documents to bypass background checks and gain employment.
- Minimal Job Tasks: Once inside, these insiders perform only the minimum work their official role requires, enough to avoid suspicion.
- Data Exfiltration: They attempt to exfiltrate sensitive data using tools like Git, SharePoint, and OneDrive.
- Remote Access Tools: The insiders install remote monitoring and management (RMM) tools, including RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. Combined with the insider's company credentials, these tools let operators at multiple IP addresses connect to the company's systems under a single employee account.
Targeted Sectors
The sectors prominently targeted by these North Korean threat actors include:
- Technology
- Fintech and Financial Services
- Professional Services
- Retail
- Transportation
- Manufacturing
- Insurance
- Pharmaceutical
- Social Media and Media Companies
Recommendations
To protect against these threats, organizations and developers should take the following steps:
- Scrutinize npm Packages: Vet packages before installation, paying particular attention to install-time lifecycle scripts and to code that fetches and evaluates remote content. Pin dependency versions, review lockfile changes, and run installs with `npm install --ignore-scripts` where the build allows it.
- Implement Strong Security Practices: Enforce multi-factor authentication (MFA) and monitor account activity, especially a single account logging on from many source addresses, which is how the RMM-based access described above appears in logs.
- Educate Employees: Train developers to recognize phishing attempts and suspicious job offers, particularly those that require downloading software or packages from untrusted sources as part of an "interview."
- Use Advanced Threat Detection Tools: Deploy endpoint detection and response tooling, and alert on the installation of remote access or RMM software that is not on an approved list.
- Regularly Update Software: Keep software patched, with particular attention to remote desktop tooling and package managers, since both sit on the attack paths described here.
The increasing sophistication of North Korean cyber campaigns poses a significant threat to developers and organizations globally. By leveraging malicious npm packages, insider threats, and remote access tools, these threat actors can steal sensitive data and cryptocurrency assets. Vigilance and proactive security measures are crucial to defending against these persistent threats.