- Security researchers discovered malicious code in npm packages and GitHub commits
- The code was linked to an account operated by Lazarus
- More than 200 victims have been confirmed so far
Lazarus Group, the notorious threat actor sponsored by the North Korean state, is running a campaign that targets software and web developers with "undetectable" malware.
Cybersecurity researchers at SecurityScorecard's STRIKE team said they observed the malware being embedded in GitHub repositories and npm packages, from which unsuspecting developers pull it and integrate it into their own projects.
The researchers said they saw the GitHub profile SuccessFriend, known to be linked to Lazarus, injecting JavaScript implants into GitHub repositories, where they blend in with legitimate code. To make matters worse, the profile also committed benign code, to better conceal its malicious intent.
State financing
The malware is distributed inside npm packages which, according to STRIKE, are "widely used" by cryptocurrency developers and web3 projects.
The researchers nicknamed the campaign Marstech Mayhem, because the malware it deploys is named Marstech1. Once deployed on the victim's endpoint, it scans the system for MetaMask, Exodus and Atomic wallets, modifying browser configuration files to inject stealthy payloads that can intercept transactions.
With that in mind, it is safe to say that Lazarus is still in the business of stealing cryptocurrency for the North Korean government. Previous reports said the government used the stolen crypto to fund its state apparatus, as well as its nuclear weapons program.
So far, STRIKE has been able to confirm at least 233 victims in the United States, Europe and Asia.
SecurityScorecard's SVP of Threat Research and Intelligence, Ryan Sherstobitoff, said the Marstech1 implant ships with "layers of obfuscation": control-flow flattening and dynamic variable renaming in JavaScript, and multi-stage XOR decryption in Python.
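The two traits the article attributes to Marstech1 (a search for MetaMask, Exodus and Atomic wallet files, and XOR-based string decoding wrapped in JavaScript obfuscation) are the kind of thing a defender can triage for before a package is trusted. The script below is an added example, not SecurityScorecard's tooling and not a published signature for Marstech1: it walks an npm package, flags JavaScript files that reference those wallet names, use the `charCodeAt(...) ^` / `String.fromCharCode` decoding idiom, or execute code dynamically, and flags `package.json` install hooks that would run such a file automatically. The regexes, the scoring weights and the `SAMPLE_FILES` contents are assumptions constructed for this example.

```python
"""Heuristic triage of an npm package for the traits described in the article:
wallet-targeting strings, XOR-style string decoding and dynamic code execution.
Heuristics only: a hit is a reason to read the file, not a verdict."""
import json
import re
from pathlib import Path

# Wallet names come from the article; the patterns below are generic idioms
# assumed for this example, not indicators published for Marstech1.
WALLET_RE = re.compile(r"\b(metamask|exodus|atomic)\b", re.I)
XOR_DECODE_RE = re.compile(r"charCodeAt\s*\([^)]*\)\s*\^|fromCharCode\s*\([^)]*\^")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode")
DYNAMIC_EVAL_RE = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def analyze_js(source: str) -> dict:
    """Return the indicator flags found in one JavaScript source text."""
    return {
        "wallet_refs": sorted({m.lower() for m in WALLET_RE.findall(source)}),
        # XOR over char codes combined with fromCharCode is the decoding loop
        # that multi-stage string obfuscation typically leaves behind.
        "xor_decode": bool(XOR_DECODE_RE.search(source) and FROMCHARCODE_RE.search(source)),
        "dynamic_eval": bool(DYNAMIC_EVAL_RE.search(source)),
    }


def analyze_manifest(text: str) -> dict:
    """Return any lifecycle scripts in package.json that run at install time."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        scripts = {}
    return {"install_hooks": {k: scripts[k] for k in INSTALL_HOOKS if k in scripts}}


def score(report: dict) -> int:
    """Weight the indicators; weights are an assumption of this example."""
    total = 0
    total += 2 if report.get("wallet_refs") else 0
    total += 2 if report.get("xor_decode") else 0
    total += 1 if report.get("dynamic_eval") else 0
    total += 1 if report.get("install_hooks") else 0
    return total


def scan_sources(files: dict) -> list:
    """files maps a relative path to its text. Returns findings, highest score first."""
    findings = []
    for path, text in files.items():
        if path.endswith("package.json"):
            report = analyze_manifest(text)
        elif path.endswith(".js"):
            report = analyze_js(text)
        else:
            continue
        s = score(report)
        if s:
            findings.append({"path": path, "score": s, **report})
    return sorted(findings, key=lambda f: -f["score"])


def scan_directory(root) -> list:
    """Read an unpacked package from disk and run the same triage over it."""
    root = Path(root)
    files = {
        str(p.relative_to(root)): p.read_text(errors="ignore")
        for p in root.rglob("*")
        if p.is_file() and (p.suffix == ".js" or p.name == "package.json")
    }
    return scan_sources(files)


# Constructed sample package (not the contents of any real package).
SAMPLE_FILES = {
    "package.json": '{"name": "demo-pkg", "scripts": {"postinstall": "node setup.js"}}',
    "lib/util.js": "export function add(a, b) { return a + b; }\n",
    "setup.js": (
        "var k = 0x2a; var d = '';\n"
        "for (var i = 0; i < blob.length; i++) {"
        " d += String.fromCharCode(blob.charCodeAt(i) ^ k); }\n"
        "var cfg = require('os').homedir() + '/.config/exodus/';\n"
        "new Function(d)();\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_FILES):
        print(finding)
```

Run it against an unpacked tarball with `scan_directory("path/to/package")`; a `postinstall` hook pointing at a file that also scores on wallet references and XOR decoding is the combination worth reading by hand before the package is allowed into a build.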
He urged organizations and developers to adopt proactive security measures, continuously monitor their supply chain activity and integrate advanced threat intelligence solutions to mitigate the risk posed by sophisticated attackers such as Lazarus.