New North Korean Actor Distributing Malicious npm Packages To Compromise Organizations

Early in 2024, North Korean threat actors persisted in using the public npm registry to disseminate malicious packages that were similar to those that Jade Sleet had previously used.  Initially thought to be an extension of Sleet’s activity, further investigation revealed a new threat actor targeting the open-source ecosystem through the npm registry, highlighting the ongoing risk posed by North Korean actors despite heightened awareness within the security community.  Timeline A new North Korean threat actor, Moonstone Sleet, leverages the open-source software supply chain vulnerability by distributing malware through malicious packages on the public npm registry. This tactic, which is comparable to that of other North Korean actors like Jade Sleet, exposes developers to potential compromise and emphasizes the ongoing threat that state-sponsored actors pose to the integrity of the open-source ecosystem.  Microsoft has identified a new North Korean threat actor, Moonstone Sleet, that uses various tactics (TTPs) for financial gain and espionage, which overlap with other North Korean actors but also include unique methods.  Malicious Payload Execution Similar to techniques reported by Phylum, Moonstone Sleet distributes malicious npm packages through both targeted freelancing platforms and the public npm registry, which expands their reach and increases the chance of unsuspecting developers installing their malware.   An analysis of malicious npm packages by Checkmarx reveals distinct code styles between those linked to Jade Sleet (Spring/Summer 2023) and Moonstone Sleet (Late 2023/Early 2024), while Jade Sleet’s packages employed a two-part strategy to evade detection.  The first, published under a separate account, created a directory and fetched updates from a remote server, establishing the infrastructure for the second package, likely containing the malicious payload, to execute on the compromised machine.  code of the first package in the pair The second package in the pair acts as a downloader and executor, which retrieves a token from a file created by the first package and uses it to download malicious code from a specific URL, which is then written to a new file on the victim’s machine and executed as a Node.js script, unleashing its malicious functionality.  Code of second package in pair The two-package approach is a shift from the single-package method used in late 2023 and early 2024, where the payload was directly encoded and executed upon installation.

Source: GBHackers

 


Date:

Categorie(s):