A new report from the Socket Research Team reveals that North Korean threat actors, known for the “Contagious Interview” operation, have intensified their malicious activities within the npm ecosystem. The threat actors are deploying new npm packages that deliver the previously identified BeaverTail malware and are introducing new packages with remote access trojan (RAT) loader functionality.
The latest malicious packages employ hexadecimal string encoding, a tactic used to evade both automated detection systems and manual code audits. This indicates a shift in the threat actors’ obfuscation techniques.
Despite the change in obfuscation, the Lazarus Group’s objectives remain the same: to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments.
The threat actors are actively creating new npm accounts and distributing malicious code across various platforms, including the npm registry, GitHub, and Bitbucket.
The report highlights the creation of new npm accounts, such as taras_lakhai, mvitalii, wishorn, and crouch626, in addition to the use of previously identified aliases like alextucker0519, edan0831, and hottblaze. These accounts were used to publish malicious npm packages disguised as utilities for arrays, logging, debugging, or event and API handling.
While the npm registry has suspended most of the identified accounts, taras_lakhai remains active. The Socket Research Team has reported this account and is seeking its removal, along with associated GitHub and Bitbucket repositories and user profiles.
In total, the expanded campaign includes 11 additional malicious packages, which have been downloaded over 5,600 times.
The report provides specific examples of the threat actors’ tactics:
- The alextucker0519 account, before its suspension, published the malicious package empty-array-validator, which communicated with a separate command and control (C2) server at 144.172.87[.]27 on port 1224.
- The taras_lakhai and mvitalii accounts share the same IP and port combination for their C2 server (45.61.151[.]71 on port 1224), linking these two accounts to the same threat activity.
- One of the packages published by the wishorn account, dev-debugger-vite, uses the same obfuscated C2 IP address 185.153.182[.]241 on port 1224.
The report also notes that the identified packages share structural similarities with previous Lazarus operations, including:
- Implementation of tight loops to scan browser profile directories and extract private keys.
- Silent exfiltration of data through HTTP POST requests to C2 servers.
- Use of layered obfuscation, multi-stage payload delivery, and the BeaverTail infostealer.
- References to InvisibleFerret as a second-stage backdoor.
The threat actors are also utilizing code repositories on platforms like GitHub and Bitbucket. For example, packages like events-utils, icloud-cod, and react-event-dependency were linked to Bitbucket repositories.

Malicious JavaScript file icloud-cod.js hosted on Bitbucket | Image: Socket
The report suggests that the threat actors create these repositories before publishing the corresponding malicious npm packages, possibly to create “a façade of legitimacy”.
The crouch626 account published four malicious packages, with some employing a new obfuscation technique. This new technique involves a helper function, g(h), that decodes hex-encoded strings to conceal critical information like module names and C2 URLs.
The report emphasizes that the malicious code in these packages functions as a remote access trojan (RAT) loader, using obfuscation and dynamic payload execution to evade detection and deliver second-stage malware.
The threat actors are continuously evolving their tactics, including the use of new obfuscation techniques and the deployment of RAT loader functionality. Developers should exercise caution when using npm packages and be vigilant for suspicious activity.