North Korean state criminals were observed pushing malicious packages to the npm registry in an attempt to infiltrate software developer endpoints.
This time, they were discovered by cybersecurity researchers from Phylum, who claim that the ultimate goal of the campaign is to steal people’s cryptocurrency.
According to the researchers, the attack began on August 12th of this year. Several malicious npm packages were uploaded, including temp-etherscan-api and two versions of etherscan-api. More than a week later, the bad guys uploaded telegram-con and another version of etherscan-api, and some time after that, qq-console. It is likely that more packages exist.
InvisibleFerret and Lazarus
All these npm packages are just one component of a larger malicious campaign that the researchers dubbed “Contagious Interview.” The crooks would impersonate a large software development company (either in web2 or web3) and pretend to offer the victims a great new job. Sometimes they would get in touch via LinkedIn, and sometimes via instant messaging platforms like Telegram.
The victims, usually software developers already working on blockchain-based solutions, would be offered a great job with a significant salary increase, and would be invited to a series of interviews. In one of those interviews, they would be asked to download and open a .PDF file or, in this case, an npm package.
These packages deliver a piece of Python malware called InvisibleFerret, which can exfiltrate sensitive data from cryptocurrency wallet browser extensions.
Although the researchers never name them, this is a method commonly used by the North Korean state-sponsored group Lazarus.
Lazarus is one of the largest, most disruptive hacking collectives to emerge from North Korea. It is credited with some of the largest cryptocurrency heists in history, including the theft of over $600 million. The country reportedly uses the money to fund its state apparatus and weapons program.
Via The Hacker News