06 August 2024 | Ravi Lakshmanan | Malware / Windows Security


The North Korea-linked threat actor known as Moonstone Sleet continues to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of its campaigns.

The packages in question, harthat-api and harthat-hash, were published on July 7, 2024, according to Datadog Security Labs. Neither library attracted any downloads, and both were pulled from the registry after a short period of time.

The cloud monitoring firm's security arm is tracking the threat actor under the name Stressed Pungsan, which shows overlap with a newly discovered North Korean malicious activity cluster called Moonstone Sleet.


"While similar in name to the Hardhat npm package (an Ethereum development utility), its contents do not indicate any intent to typosquat it," Datadog researchers Sebastian Obregoso and Zack Allen said. "The package reuses code from a well-known GitHub repository, node-config, with 6,000 stars and 500 forks, known as config in npm."

Attack chains orchestrated by the adversarial collective are known to distribute bogus ZIP archive files tied to fake company names or freelancing websites, tricking potential targets into executing payloads that pull in an npm package as part of a purported technical skills assessment.

"Upon loading, the malicious package used curl to connect to an actor-controlled IP and dropped additional malicious payloads such as SplitLoader," Microsoft noted in May 2024. "In another incident, Moonstone Sleet provided a malicious npm loader that led to the theft of credentials from LSASS."

Datadog's findings reveal that Moonstone Sleet is also attempting to propagate its packages directly through the npm registry.

The newly discovered packages are designed to run a preinstall script defined in the package.json file, which in turn checks whether it is running on a Windows system ("Windows_NT") and, if so, connects to an external server ("142.111[.]77[.]196") to download a DLL file that is then sideloaded using the rundll32.exe binary.

The rogue DLL, for its part, does not perform any malicious actions, suggesting either a test run of the payload delivery infrastructure or that the package was inadvertently pushed to the registry before malicious code had been embedded into it.


The development comes as South Korea's National Cyber Security Center (NCSC) warned of cyber attacks by the North Korean threat groups Andariel and Kimsuky delivering malware families such as Dora RAT and TrollAgent (aka Troll Stealer) as part of a campaign to infiltrate the country's construction and machinery sectors.

The Dora RAT attack sequence is notable for the fact that the Andariel hackers exploited vulnerabilities in the software update mechanism of homegrown VPN software to spread the malware.
