A new Lazarus campaign is spreading through npm packages, using BeaverTail malware to steal credentials, exfiltrate cryptocurrency wallet data, and deploy a persistent backdoor.
The North Korean Lazarus Group has planted six malicious packages in npm, targeting developers and cryptocurrency users, according to new research by the research team at Socket.
According to their findings, the packages, downloaded more than 300 times in total, are designed to steal login credentials, deploy backdoors, and extract sensitive data from Solana and Exodus cryptocurrency wallets. The malware also harvests browser profile data from Chrome, Brave, and Firefox, and targets macOS keychain data.
The identified packages (is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator) rely on typosquatting: their names imitate legitimate libraries so that developers install them by mistake.
“The stolen data is then exfiltrated to a hard-coded C2 server at hxxp://172.86.84(.)38:1224/uploads, in line with Lazarus’ well-documented strategy of harvesting and sending compromised information.”
Kirill Boychenko, Threat Intelligence Analyst at Socket Security
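The two defender-relevant details above are the typosquatted package names and the hard-coded C2 endpoint. The following script is an added example written for this article, not code from Socket or from the malware: it audits a project's package.json against the six reported names, applies two constructed typosquat heuristics (small edit distance to a known-good name, or a known-good name embedded with extra words bolted on), and refangs the quoted C2 indicator so source files can be checked for it. The allowlist of legitimate names and the sample package.json are constructed for illustration and would be replaced by an organisation's own data.

```python
"""Audit npm dependencies for the names and C2 indicator reported in the article (added example)."""
import json

# The six malicious package names reported in the article.
KNOWN_MALICIOUS = {
    "is-buffer-validator",
    "yoojae-validator",
    "event-handle-package",
    "array-empty-validator",
    "react-event-dependency",
    "auth-validator",
}

# Defanged C2 indicator quoted in the article; refanged only at match time.
C2_INDICATOR_DEFANGED = "hxxp://172.86.84(.)38:1224/uploads"

# Constructed allowlist of legitimate, widely used npm names.
# Assumption: replace with the allowlist your organisation actually maintains.
LEGIT_NAMES = {"is-buffer", "react", "express", "lodash", "event-emitter"}


def refang(indicator: str) -> str:
    """Turn a defanged URL or IP back into the form that appears in code."""
    return indicator.replace("hxxp", "http").replace("(.)", ".").replace("[.]", ".")


def contains_c2_indicator(source_text: str) -> bool:
    """True if a file's contents reference the C2 endpoint from the article."""
    return refang(C2_INDICATOR_DEFANGED) in source_text


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), used for near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_reason(name: str, legit=LEGIT_NAMES, max_distance: int = 2):
    """Return a reason string if `name` looks like a typosquat, else None.

    Heuristics (constructed for this example, not from the report):
      1. edit distance <= max_distance to a legitimate name ('lodahs' vs 'lodash');
      2. a legitimate name present as whole hyphen-separated components with
         extra components added ('is-buffer-validator' vs 'is-buffer').
    """
    if name in legit:
        return None
    parts = name.split("-")
    for good in sorted(legit):  # sorted so the reported reason is deterministic
        dist = levenshtein(name, good)
        if dist <= max_distance:
            return f"edit distance {dist} from '{good}'"
        good_parts = good.split("-")
        n = len(good_parts)
        for i in range(len(parts) - n + 1):
            if parts[i:i + n] == good_parts and len(parts) > n:
                return f"embeds legitimate name '{good}'"
    return None


def audit_package_json(text: str) -> dict:
    """Map each suspicious dependency name to the reason it was flagged."""
    data = json.loads(text)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in data.get(section, {}):
            if name in KNOWN_MALICIOUS:
                findings[name] = "known malicious (reported in this campaign)"
            else:
                reason = typosquat_reason(name)
                if reason:
                    findings[name] = f"possible typosquat: {reason}"
    return findings


# Constructed package.json mixing clean, near-miss and reported names.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-sample-app",
    "dependencies": {
        "express": "^4.19.2",
        "lodahs": "^4.17.21",              # constructed near-miss of lodash
        "event-handle-package": "^1.0.0",  # one of the reported names
        "is-buffer": "^2.0.5",
    },
    "devDependencies": {
        "react-event-dependency": "^1.0.0",  # one of the reported names
        "typescript": "^5.4.0",
    },
})

if __name__ == "__main__":
    for pkg, why in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{pkg}: {why}")
```

Running the script on the constructed sample flags the two reported names and the near-miss "lodahs", while "express", "is-buffer" and "typescript" pass. The edit-distance heuristic deliberately stops at two characters because larger thresholds flag too many unrelated short names.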
Lazarus has previously infiltrated targets through supply chain attacks via npm, GitHub and PyPI, contributing to major hacks such as the $1.5 billion Bybit exchange heist. Cybersecurity experts point out that the group’s tactics are consistent with past campaigns that use multi-stage payloads to maintain long-term access.
In late February, North Korean hackers targeted Bybit, one of the largest cryptocurrency exchanges, and stole around $1.46 billion worth of cryptocurrency in a highly sophisticated heist. The attack was reportedly carried out by compromising the computers of employees at Safe, a technology provider for Bybit. Less than two weeks after the breach, Bybit CEO Ben Zhou said about 20% of the stolen funds had become untraceable because the hackers used mixing services.