The North Korean state-sponsored Lazarus advanced persistent threat (APT) group is back with yet another impersonation scam, this time posing as developers or recruiters with legitimate GitHub or social media accounts.
The notorious APT is using these personae in social engineering attacks that target a limited group of tech employees, inviting them to join GitHub development projects that then spread malware via malicious node package manager (npm) dependencies, GitHub is warning.
Researchers have so far identified compromised accounts and/or fake personae connected to the "low-volume social engineering campaign" on LinkedIn, Slack, and Telegram, as well as its own platform, they reported in a recent blog post. No GitHub or npm systems were compromised in the campaign, they added.
Lazarus is a prolific and well-tracked APT, widely thought to be run by North Korea's Foreign Intelligence and Reconnaissance Bureau, whose activities date as far back as 2009. The group has consistently mounted both financially motivated attacks to fund the regime of Kim Jong Un as well as activities to support cyber espionage. It's notorious for dangling job or business opportunities to people working in various industries, with the purpose of cyber espionage or financial fraud. This time, the targeted developer accounts are connected to the blockchain, cryptocurrency, or online gambling sectors, as well as several linked to the cybersecurity sector, the researchers said.
The ultimate goal of the campaign is to get victims to clone and execute the contents of a GitHub repository that spreads a two-stage malware attack.
"In some cases these are fake personas; in other cases, they use legitimate accounts that have been taken over by Jade Sleet," GitHub's Alexis Wales wrote in the post, referring to GitHub's name for Lazarus. "The actor may initiate contact on one platform, and then attempt to move the conversation to another platform."
Poisoning the Software Supply Chain
Lazarus' malware deployed over the years include everything from RATs to ransomware, and the group is known to pivot and shift tactics when needed to continue to survive. Lazarus also keeps track of current vulnerabilities and threat trends and will exploit them if need be to achieve its malicious goals.
That may explain the use of npm packages in the latest campaign, as they've become a popular target for threat actors of late for a few reasons — not the least of which is, it's a way to poison the software supply chain by spreading code dependencies across multiple applications.
The GitHub campaign starts with Lazarus establishing contact with a target and inviting them to collaborate on a GitHub repository. Because the contact appears to be coming from a legitimate account, targets may be convinced by the actor to clone and execute the contents of the repository, which includes software that has malicious npm dependencies, the researchers found.
Software themes used by the threat actor include media players and cryptocurrency trading tools. The malicious packages act as a first-stage malware that downloads and executes second-stage malware on the victim's machine.
GitHub did not go into detail about the malware, punting instead to a blog post by Phylum to describe the mechanics of the first-stage malware used in the attack.
Phylum researchers describe an attack chain spread across a pair of packages that need to be installed in a particular order for the attack to execute, with the first package fetching a token from a remote server and the second package uses the token to acquire a malicious script from the server.
"Given this workflow, it's crucial that each package in a pair is executed sequentially, in the correct order, and on the same machine to ensure successful operation," according to the post.
The malware executes an action that essentially negates TLS certificate validation, described by the post as "a poor security practice that leaves the application vulnerable to man-in-the-middle attacks."
"While we can only speculate, one plausible reason for this action could be to facilitate HTTP requests in corporate settings that have installed their own root certificates," according to Phylum.
Cyberattack Mitigation & Protection
GitHub has suspended both npm and GitHub accounts associated with the campaign and published indicators of compromise in its post. The site also has filed abuse reports with domain hosts in cases where the domain was still available at the time of detection.
Anyone targeted by the campaign can take steps to mitigate it by reviewing their security log for action:repo.add_member events to determine if they have ever accepted an invite to a repository from one of the accounts that GitHub has identified in its IoCs. If someone has in fact been targeted, they should contact their employer's cybersecurity department immediately.
Moreover, if a developer executed any content as a result of this campaign, "it may be prudent to reset or wipe potentially affected devices, change account passwords, and rotate sensitive credentials/tokens stored on the potentially affected device," Wales advises.
In general, developers should be wary of social media solicitations to collaborate on or install npm packages or software that depends on them, particularly if they are associated with one of the industry sectors identified as being a target of the campaign.
Developers also can examine dependencies and installation scripts, paying close attention to very recently published, net-new packages or scripts or dependencies that make network connections during installation, according to GitHub.