Home Security North Korean Hackers Moonstone Sleet Push Malicious JS Packages to npm Registry

North Korean Hackers Moonstone Sleet Push Malicious JS Packages to npm Registry

by


Aug 06, 2024Ravie LakshmananMalware / Windows Security

The North Korea-linked threat actor known as Moonstone Sleet has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of their campaigns.

The packages in question, harthat-api and harthat-hash, were published on July 7, 2024, according to Datadog Security Labs. Both the libraries did not attract any downloads and were shortly pulled after a short period of time.

The security arm of the cloud monitoring firm is tracking the threat actor under the name Stressed Pungsan, which exhibits overlaps with a newly discovered North Korean malicious activity cluster dubbed Moonstone Sleet.

Cybersecurity

“While the name resembles the Hardhat npm package (an Ethereum development utility), its content does not indicate any intention to typosquat it,” Datadog researchers Sebastian Obregoso and Zack Allen said. “The malicious package reuses code from a well-known GitHub repository called node-config with over 6,000 stars and 500 forks, known in npm as config.”

Attack chains orchestrated by the adversarial collective are known to disseminate bogus ZIP archive files via LinkedIn under a fake company name or freelancing websites, enticing prospective targets into executing payloads that invoke an npm package as part of a supposed technical skills assessment.

“When loaded, the malicious package used curl to connect to an actor-controlled IP and drop additional malicious payloads like SplitLoader,” Microsoft noted in May 2024. “In another incident, Moonstone Sleet delivered a malicious npm loader which led to credential theft from LSASS.”

Subsequent findings from Checkmarx uncovered that Moonstone Sleet has also been attempting to spread their packages through the npm registry.

The newly discovered packages are designed to run a pre-install script specified in the package.json file, which, in turn, checks if it’s running on a Windows system (“Windows_NT”), after which it contacts an external server (“142.111.77[.]196”) to download a DLL file that’s side loading using the rundll32.exe binary.

The rogue DLL, for its part, does not perform any malicious actions, suggesting either a trial run of its payload delivery infrastructure or that it was inadvertently pushed to the registry before embedding malicious code into it.

Cybersecurity

The development comes as South Korea’s National Cyber Security Center (NCSC) warned of cyber attacks mounted by North Korean threat groups tracked as Andariel and Kimsuky to deliver malware families such as Dora RAT and TrollAgent (aka Troll Stealer) as part of intrusion campaigns aimed at construction and machinery sectors in the country.

The Dora RAT attack sequence is noteworthy for the fact that the Andariel hackers exploited vulnerabilities in a domestic VPN software’s software update mechanism to propagate the malware.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex