North Korean hackers have launched a new campaign targeting software developers by publishing a series of malicious npm packages to the registry between August 12 and 27, 2024. The packages, including temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console, are part of a coordinated effort to distribute malware and steal cryptocurrency assets. Security firm Phylum has linked the qq-console package to the “Contagious Interview” campaign, which tricks developers into downloading fake job interview tools that secretly install malware.
The Contagious Interview campaign is designed to deploy a Python-based malware known as InvisibleFerret, which exfiltrates sensitive data from cryptocurrency wallet browser extensions and establishes persistence on the infected host. This is achieved using legitimate remote desktop software like AnyDesk. CrowdStrike, a prominent cybersecurity firm, tracks this activity under the moniker Famous Chollima. The attackers leverage these techniques to infiltrate the systems of unsuspecting developers, enabling them to steal valuable data and assets.
A notable aspect of this campaign is the use of a new approach in the helmet-validate package, which embeds a JavaScript file named config.js that executes code hosted on a remote domain. This domain has been linked to previous attacks, further connecting the current activity to past campaigns. Additionally, another package, sass-notification, was uploaded on August 27, 2024, and shares characteristics with other malicious npm libraries attributed to another North Korean group, Moonstone Sleet. These packages often use obfuscated JavaScript to execute scripts that download, decrypt, and execute remote payloads, leaving behind minimal traces of malicious activity.
Famous Chollima has also been linked to insider threat operations, where attackers infiltrate corporate environments by posing as legitimate IT workers. Using falsified or stolen identity documents, these insiders gain employment at target companies and perform minimal tasks while exfiltrating data using tools like Git, SharePoint, and OneDrive. They also utilize remote management tools to maintain access to victim networks. CrowdStrike’s investigation revealed that Famous Chollima has targeted over 100 companies across various sectors, including technology, fintech, and retail, in countries such as the U.S., Saudi Arabia, and France. While financially motivated, some attacks have involved the exfiltration of sensitive corporate information.
Reference:
