In an era where digital warfare is as impactful, if not more so, than conventional warfare, one country has been consistently evolving its cyber-attack strategies, mainly focusing on supply chain compromises. Recent investigations have uncovered North Korean state-sponsored groups carrying out sophisticated supply chain attacks, leveraging various techniques to infiltrate organizations and compromise their software supply chains. This blog delves into the intricacies of these attacks and sheds light on the evolving tactics employed by North Korean threat actors. In this blog we will link new attacks affiliated to their recent attacks.
- Attack Strategies: In 2023, North Korea displayed significant activity by utilizing various strategies to undermine global supply chains.
- Public open source poisoning: These attacks focus on exploiting the trust in shared code repositories, such as open-source packages available on NPM, PyPi, etc.
- Private packages poisoning using GitHub Platform: A more sophisticated approach, where the attackers utilize GitHub as a distribution channel for the malicious software.
Package Manager Exploitation
An attack vector increasingly leveraged by North Korean-backed threat actors, such as the Lazarus group, is the infiltration of open-source packages on widely used package managers like Pypi and NPM. This approach capitalizes on the inherent trust within the developer community in shared code repositories, making them attractive targets for initial breaches. As these threat actors can compromise popular packages or inject malicious code into lesser-known ones to exploit this trust, we predict a marked increase in the usage of this attack vector by North Korean operatives into 2024. Such a tactic not only undermines the integrity of these trusted repositories but also poses a significant and evolving threat to software supply chains globally.
Recent Supply Chain Attack on NPM Package Manager
In a recent supply chain attack, threat actors began publishing malicious packages related to Crypto on NPM. Despite continuous detection and removal of these packages, the attackers persisted in uploading additional packages, using the same tactics for their attack.
Malicious code within these packages would execute upon package installation and fetch a second-stage payload from a remote location. This second-stage payload was later linked to recent known Lazarus activities.
Linking the C2 used in the NPM attack with the Lazarus Gang
The package.json file within these NPM packages contained a preinstall script that automatically initiated upon package installation, which later deleted itself to remove all evidence.
Preinstall script within the package.json file
The malicious script specifically targets Windows machines and has a multi-step process. First, it confirms the operating system type and then writes the contents of the data variable into a file named preinstall.bat, and the contents of the psdata variable into a file named preinstall.ps1. These files are then used later in the attack.
The script then downloads a file named npm.mov from a hard-coded IP address and saves it as sqlite.a locally. It then executes a PowerShell script, which sets the execution policy to Bypass to avoid restrictions on running scripts. The \wait flag is also used to ensure that the PowerShell script is completed before continuing.
The executed PowerShell script goes on to define two paths, $path1 and $path2, to files in the current directory called sqlite.a and sql.tmp, respectively. If the sqlite.a file existed, it reads all the bytes from it into a variable named $bytes.
The data within the $bytes variable then goes through a sort of decryption operation, where the decrypted data is then written to the file at $path2 (sql.tmp). The Powershell script ends with forcibly removing the original sqlite.a file from the system.
The main script then checks if a file named preinstall.db already existed, and if so, deletes it. The decrypted file, sql.tmp, is then renamed to preinstall.db.
The native Windows command rundll32 is then used to execute a function named CalculateSum within the preinstall.db file, passing the argument 4096. The way preinstall.db is executed indicates that it is actually a DLL file and not a database file. After execution the preinstall.db is deleted as well.
The script moves on to confirm if a file named pk.json is found, and if so, deletes a file named package.json and then renames the pk.json to package.json. This renaming step is significant because it removes the preinstall script from the package.json file.
This entire attack chain originates from the preinstall hook of the package.json file. Consequently, if the package was installed and inspected, it would appear as a benign package.json file without any install hooks. The index.js file, responsible for creating the batch file and PowerShell scripts, would also be absent. During the execution of these files, all intermediate files are deleted, leaving no evidence of maliciousness.
To cover their tracks, the batch file (preinstall.bat) and the index.js file are deleted, completing the execution of the batch file. This brings the process back to the original package.json file. In the final step, the preinstall.bat file is deleted, and the preinstall hook concludes by deleting the index.js file, which contained the second stage of malware.
The following are the packages related to this campaign (some of which were also reported by Phylum):
|6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6
Direct Exploitation via the GitHub Platform
Attack flow of Contagious Interview operation
A recent operation named “Contagious Interview” was exposed and attributed to North Korea-backed threat actors. This operation stands out for its sophisticated social engineering tactic and involves targeting software developers by pretending to be potential employers.
The threat actors behind Contagious Interview created multiple identities to host several GitHub repositories, establishing an infrastructure aimed at gaining the trust of their intended victims. However, a closer examination reveals that these GitHub repositories are not as trustworthy as they might initially appear.
We have been tracking multiple instances of repos involved in those attacks and located Reddit users sharing their experiences of falling victim to this operation. Several users reported being approached by attackers pretending to be potential employers on the Fiverr platform.
These victims were tricked into downloading malicious NPM packages directly from a GitHub repository, disguised as job interview tasks. These packages, once installed, release malware that compromises the user's computer, steals sensitive data, goes after cryptocurrency wallets, and establishes a backdoor for ongoing access.
One of the victims on Reddit
This tactic not only leverages the trust developers place in GitHub as a reliable source for software tools but also adds an element of credibility to the attackers' scheme. The use of GitHub as a distribution channel complicates the task for developers in distinguishing between legitimate and harmful packages.
A repository that has been forked from what may have been the fake employer's GitHub repository, which contained malicious code injected into an NPM file. This is just one of the many examples of repositories that contain similar code.
How Current GitHub Vulnerabilities Can Be Exploited to Increase the Success of Cyber Attacks
The revelation of the Contagious Interview brings to the forefront an important cybersecurity concern we've previously discussed on the manipulation of GitHub profiles and repositories by malicious actors. These tactics, which include the fabrication of legitimate-looking GitHub profiles and the inflation of repository popularity metrics like star counts, are critical tools for attackers seeking to establish trust and credibility in the open source ecosystem. This strategy is particularly relevant to the North Korean-backed campaigns, highlighting a significant risk: there's an ongoing possibility that these or similar threat actors could be leveraging such deceptions to enhance the effectiveness of their operations. As these campaigns demonstrate, the sophistication and success of cyber threats are often grounded in their ability to convincingly mimic legitimacy and exploit trust within the community.
A GitHub repository, maintained by one of the fraudulent job seekers, contains commits that were made before the user even joined GitHub. This suggests that they used fake commits.
The year 2023 has been marked by an upsurge in North Korean cyber activities targeting global supply chains. In just the past month, there have been numerous reports of sophisticated supply chain attacks carried out by threat actors aligned with North Korea.
The operations demonstrated in the blog show the lengths to which groups, especially those backed by state nations like North Korea, will go to achieve their objectives. Understanding the intricacies of these operations is crucial in developing effective defenses against such sophisticated threats.
Job applicants should exercise due diligence in verifying the existence and legitimacy of companies offering job interviews.
As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and promptly alert our customers to help protect them.