The Lazarus Group, a North Korean cyber threat actor, has been linked to a previously undocumented JavaScript implant known as Marstech1. The implant has been used in targeted attacks against developers, with its primary aim being the collection of system information. The malware, which was distributed through an open-source GitHub repository, has affected at least 233 victims worldwide, primarily across the U.S., Europe, and Asia. The implant is sophisticated, capable of altering browser extension settings for popular cryptocurrency wallets such as MetaMask, Exodus, and Atomic on various operating systems, including Windows, Linux, and macOS. Additionally, the malware can download further payloads from the attacker’s command-and-control (C2) server, making it a serious supply chain risk.
The attack, dubbed “Marstech Mayhem” by SecurityScorecard, utilized a GitHub profile named “SuccessFriend,” which has since been taken down.
The profile appeared to target web development and blockchain learning, aligning with the Lazarus Group’s known interests. The implant was found to have different versions, one embedded in NPM packages used in cryptocurrency projects and another served directly from the C2 server, indicating active development. This shows that the attackers are adapting their techniques to evade detection while maintaining a steady stream of infection vectors.
Marstech1 employs advanced obfuscation techniques to bypass both static and dynamic analysis, including control flow flattening, dynamic variable renaming, and multi-stage XOR decryption in JavaScript and Python. These methods make it significantly harder for traditional security tools to identify and block the malware. The malware’s primary function is to target cryptocurrency wallet extensions, particularly for wallets such as MetaMask, Exodus, and Atomic. The collected data is exfiltrated to a C2 server, where it can be exploited for further malicious activities.
In addition to the Marstech1 campaign, Lazarus Group is also linked to the broader “Contagious Interview” campaign. This scheme involves fraudulent employment offers to organizations in the cryptocurrency sector, posing significant risks not only to the targeted firms but also to their legal standing. Hiring North Korean IT workers unknowingly can result in violations of international sanctions, with serious legal and financial consequences. These workers are believed to act as insider threats, stealing proprietary information or introducing backdoors to facilitate larger cyber espionage operations.
