North Korean Hackers Deploy New Malware in Attacks on IT Workers
- Dean Charlton

- Jul 17, 2025
North Korean cybercriminals have significantly escalated a long-running campaign, deploying an arsenal of novel malware strains to target IT professionals. Security researchers describe this as a dynamic "whack-a-mole" operation, where new malicious packages constantly emerge as old ones are detected, all in an effort to steal cryptocurrency and sensitive information.
According to a recent report by U.S. cybersecurity firm Socket, these attackers are leveraging malicious Node Package Manager (npm) packages and advanced malware loaders, uploading them to the popular JavaScript package manager. Their primary tactic involves compromising software engineers' systems through seemingly legitimate job recruitment offers. The npm registry is a widely used repository for JavaScript files and libraries, making it a prime target. When engineers integrate or adapt these packages into their own applications, it creates a risk of not only compromising the initial victim but also potentially many downstream users in what’s known as a supply chain attack.

Socket’s researchers have recently uncovered 67 new malware packages in this ongoing onslaught. Among these are 39 new files that install the HexEval malware loader and 28 that deploy a newly identified loader dubbed "XORIndex." These additions join existing HexEval malware in a persistent effort by North Korean cybercriminals to infiltrate software supply chains and pilfer valuable data, including browser information, cryptocurrency wallets, and credentials. Despite constant detection efforts, the hackers continuously adapt, flooding the npm registry with new malware versions designed to evade security measures.
The scale of the current campaign is significant. The latest malicious packages have already been downloaded more than 17,000 times in total, and dozens of these packages remain active despite efforts to report them and their associated accounts to the npm registry's administrators. This persistence highlights the well-resourced and state-backed nature of these threat actors.
The XORIndex Loader, similar to HexEval, gathers host metadata and decodes its subsequent script. Upon execution, it fetches and runs BeaverTail malware, which then links to a third-stage backdoor known as InvisibleFerret. BeaverTail is an information stealer that specifically targets browser data, macOS keychains, and cryptocurrency wallets, making it a "staple second-stage malware" in the North Korean "Contagious Interview" threat actors' toolkit. Notably, the XORIndex Loader is platform-agnostic, capable of executing across Windows, macOS, and Linux environments.
The "Contagious Interview" campaign involves threat actors posing as recruiters on LinkedIn, seeking to hire software developers. During the "interview process," they send job candidates malicious packages disguised as assignments, which subsequently install the malware. Previous cybersecurity research has linked this campaign directly to the notorious North Korean threat actor, the Lazarus Group.
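As an added illustration, not code from the article or from Socket, the check below is what a developer can run over a received "assignment" package's package.json before installing it: it lists the lifecycle hooks that npm executes automatically during install and flags commands that run a script, fetch remote content or evaluate code at install time. The manifest is constructed, and the patterns are assumed heuristics, not signatures for the loaders named above.

```python
"""Audit an npm manifest for install-time hooks that could launch a loader.
Added example; the manifest below is constructed, not a real package."""
import json
import re

# Lifecycle scripts npm runs on its own during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics (assumptions) that warrant a manual look, not malware signatures.
SUSPICIOUS = {
    "runs-node-file": re.compile(r"\bnode\s+\S+\.js\b"),   # executes a JS file
    "remote-fetch": re.compile(r"\b(curl|wget|https?://)"),  # pulls content
    "dynamic-eval": re.compile(r"\b(eval|Function)\s*\("),   # runs built code
}


def audit_manifest(manifest_text: str) -> list[dict]:
    """Return one finding per install hook present, with heuristic hits."""
    pkg = json.loads(manifest_text)
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "flags": hits})
    return findings


def needs_review(manifest_text: str) -> bool:
    """True if any install hook exists at all; review it before installing."""
    return bool(audit_manifest(manifest_text))


# Constructed manifest shaped like a take-home assignment with a hook.
SAMPLE_MANIFEST = json.dumps({
    "name": "interview-assignment-example",  # constructed name
    "version": "1.0.0",
    "scripts": {"postinstall": "node ./lib/setup.js", "test": "jest"},
})

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['hook']}: {f['command']}  flags={f['flags']}")
```

Installing with `npm install --ignore-scripts` keeps these hooks from running while the package is being reviewed.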
The Socket report emphasises the relentless nature of these hackers, noting their rapid response to detection by quickly uploading new malware with only minor variations. This "whack-a-mole" dynamic forces security professionals into a constant defensive posture. North Korean cybercriminals have increasingly deployed sophisticated malware and social engineering tactics in recent years, often posing as IT recruiters or even applicants to compromise corporate environments, typically to generate illicit income or steal cryptocurrency.
Socket concludes that "[North Korea’s] focus remains on infiltrating software supply chains and targeting developers, job seekers, and individuals they believe possess cryptocurrency or sensitive credentials." They stress that "These well-resourced, financially-motivated, and state-backed threat actors do not hesitate to target smaller organisations and individuals."
Given the continuous evolution of these threats, what more can be done to proactively defend against such adaptable and persistent state-sponsored cyberattacks?