North – INDIA NEWS (http://www.indiavpn.org), News Blog feed, Thu, 14 Mar 2024 09:32:54 +0000

Ande Loader Malware Targets Manufacturing Sector in North America
http://www.indiavpn.org/2024/03/14/ande-loader-malware-targets-manufacturing-sector-in-north-america/
Thu, 14 Mar 2024 09:32:54 +0000

Mar 14, 2024 | Newsroom | Cyber Threat / Malware


The threat actor known as Blind Eagle has been observed using a loader malware called Ande Loader to deliver remote access trojans (RATs) like Remcos RAT and NjRAT.

The attacks, which take the form of phishing emails, targeted Spanish-speaking users in the manufacturing industry based in North America, eSentire said.

Blind Eagle (aka APT-C-36) is a financially motivated threat actor that has a history of orchestrating cyber attacks against entities in Colombia and Ecuador to deliver an assortment of RATs, including AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT.


The latest findings mark an expansion of the threat actor’s targeting footprint; the campaign also relies on phishing emails bearing RAR and BZ2 archives to activate the infection chain.

The password-protected RAR archives come with a malicious Visual Basic Script (VBScript) file that’s responsible for establishing persistence in the Windows Startup folder and launching the Ande Loader, which, in turn, loads the Remcos RAT payload.

In an alternative attack sequence observed by the Canadian cybersecurity firm, a BZ2 archive containing a VBScript file is distributed via a Discord content delivery network (CDN) link. The Ande Loader malware, in this case, drops NjRAT instead of Remcos RAT.

“Blind Eagle threat actor(s) have been using crypters written by Roda and Pjoao1578,” eSentire said. “One of the crypters developed by Roda has the hardcoded server hosting both injector components of the crypter and additional malware that was used in the Blind Eagle campaign.”


The development comes as SonicWall shed light on the inner workings of another loader malware family called DBatLoader, detailing its use of a legitimate-but-vulnerable driver associated with RogueKiller AntiMalware software (truesight.sys) to terminate security software as part of a Bring Your Own Vulnerable Driver (BYOVD) attack and ultimately deliver Remcos RAT.

“The malware is received inside an archive as an email attachment and is highly obfuscated, containing multiple layers of encryption data,” the company noted earlier this month.

North Korean Hackers Targeting Developers with Malicious npm Packages
http://www.indiavpn.org/2024/02/26/north-korean-hackers-targeting-developers-with-malicious-npm-packages/
Mon, 26 Feb 2024 13:19:39 +0000

Feb 26, 2024 | The Hacker News | Software Security / Cryptocurrency


A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show.

The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils.

One of the packages in question, execution-time-async, masquerades as its legitimate counterpart execution-time, a library with more than 27,000 weekly downloads. Execution-time is a Node.js utility used to measure execution time in code.

It “actually installs several malicious scripts including a cryptocurrency and credential stealer,” Phylum said, describing the campaign as a software supply chain attack targeting software developers. The package was downloaded 302 times since February 4, 2024, before being taken down.


In an interesting twist, the threat actors made efforts to conceal the obfuscated malicious code in a test file, which is designed to fetch next-stage payloads from a remote server, steal credentials from web browsers like Brave, Google Chrome, and Opera, and retrieve a Python script, which, in turn, downloads other scripts –

  • ~/.n2/pay, which can run arbitrary commands, download and launch ~/.n2/bow and ~/.n2/adc, terminate Brave and Google Chrome, and even delete itself
  • ~/.n2/bow, which is a Python-based browser password stealer
  • ~/.n2/adc, which installs AnyDesk on Windows

Phylum said it identified comments in the source code (“/Users/ninoacuna/”) that made it possible to track down a now-deleted GitHub profile with the same name (“Nino Acuna” or binaryExDev) containing a repository called File-Uploader.

Present within the repository were Python scripts referencing the same IP addresses (162.218.114[.]83 – subsequently changed to 45.61.169[.]99) used to fetch the aforementioned Python scripts.


It’s suspected that the attack is a work in progress, as at least four more packages with identical features have made their way to the npm package repository, attracting a total of 325 downloads.

Connections to North Korean Actors Emerge

Phylum, which also analyzed the two GitHub accounts that binaryExDev follows, uncovered another repository known as mave-finance-org/auth-playground, which has been forked no less than a dozen times by other accounts.


While forking a repository in itself isn’t unusual, an unusual aspect of some of these forked repositories was that they were renamed as “auth-demo” or “auth-challenge,” raising the possibility that the original repository may have been shared as part of a coding test for a job interview.

The repository was later moved to banus-finance-org/auth-sandbox, Dexbanus-org/live-coding-sandbox, and mave-finance/next-assessment, indicating attempts to actively get around GitHub’s takedown attempts. All these accounts have been removed.


What’s more, the next-assessment package was found to contain a dependency “json-mock-config-server” that’s not listed on the npm registry, but rather served directly from the domain npm.mave[.]finance.

It’s worth noting that Banus claims to be a decentralized perpetual spot exchange based in Hong Kong, with the company even posting a job opportunity for a senior frontend developer on February 21, 2024. It’s currently not clear if this is a genuine job opening or if it’s an elaborate social engineering scheme.

The connections to North Korean threat actors come from the fact that the obfuscated JavaScript embedded in the npm package overlaps with another JavaScript-based malware dubbed BeaverTail that’s propagated via npm packages. The campaign was codenamed Contagious Interview by Palo Alto Networks Unit 42 in November 2023.

Contagious Interview is a little different from Operation Dream Job – which is linked to the Lazarus Group – in that it’s mainly focused on targeting developers through fake identities in freelance job portals to trick them into installing rogue npm packages, Michael Sikorski, vice president and CTO of Palo Alto Networks Unit 42, told The Hacker News at the time.

One of the developers who fell victim to the campaign has since confirmed to Phylum that the repository is shared under the guise of a live coding interview, although they said they never installed it on their system.

“More than ever, it is important for both individual developers as well as software development organizations to remain vigilant against these attacks in open-source code,” the company said.

New Report Reveals North Korean Hackers Targeting Defense Firms Worldwide
http://www.indiavpn.org/2024/02/20/new-report-reveals-north-korean-hackers-targeting-defense-firms-worldwide/
Tue, 20 Feb 2024 20:58:35 +0000

Feb 20, 2024 | Newsroom | Hacking / Cyber Espionage


North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector across the world.

In a joint advisory published by Germany’s Federal Office for the Protection of the Constitution (BfV) and South Korea’s National Intelligence Service (NIS), the agencies said the goal of the attacks is to plunder advanced defense technologies in a “cost-effective” manner.

“The regime is using the military technologies to modernize and improve the performance of conventional weapons and to develop new strategic weapon systems including ballistic missiles, reconnaissance satellites and submarines,” they noted.

The infamous Lazarus Group has been blamed for one of the two hacking incidents, which involved the use of social engineering to infiltrate the defense sector as part of a long-standing operation called Dream Job. The campaign has been ongoing since August 2020 over several waves.

In these attacks, the threat actors either create a fake profile or leverage legitimate-but-compromised profiles on platforms like LinkedIn to approach prospective targets and build trust with them, before offering lucrative job opportunities and shifting the conversation to a different messaging service like WhatsApp to initiate the recruitment process.


Victims are then sent coding assignments and job offer documents laden with malware that, when launched, activate the infection procedure to compromise their computers.

“Universally, the circumstance that employees usually do not talk to their colleagues or employer about job offers plays into the hands of the attacker,” the agencies said.

“The Lazarus Group changed its tools throughout the campaign and demonstrated more than once that it is capable of developing whatever is necessary to suit the situation.”

The second case concerns an intrusion into a defense research center towards the end of 2022 by executing a software supply chain attack against an unnamed company responsible for maintaining one of the research center’s web servers.

“The cyber actor further infiltrated the research facility by deploying remote-control malware through a patch management system (PMS) of the research center, and stole various account information of business portals and email contents,” the BfV and NIS said.


The breach, which was carried out by another North Korea-based threat actor, unfolded over five stages:

  • Hack into the web server maintenance company, steal SSH credentials, and gain remote access to the research center’s server
  • Download additional malicious tooling using curl commands, including a tunneling software and a Python-based downloader
  • Conduct lateral movement and plunder employee account credentials
  • Leverage the stolen security manager’s account information to unsuccessfully distribute a trojanized update that comes with capabilities to upload and download files, execute code, and to collect system information
  • Persist within target environment by weaponizing a file upload vulnerability in the website to deploy a web shell for remote access and send spear-phishing emails

“The actor avoided carrying out a direct attack against its target, which maintained a high level of security, but rather made an initial attack against its vendor, the maintenance and repair company,” the agencies explained. “This indicates that the actor took advantage of the trustful relationship between the two entities.”


The security bulletin is the second to be published by BfV and NIS in as many years. In March 2023, the agencies warned of Kimsuky actors using rogue browser extensions to steal users’ Gmail inboxes. Kimsuky was sanctioned by the U.S. government in November 2023.

The development comes as blockchain analytics firm Chainalysis revealed that the Lazarus Group has switched to using YoMix bitcoin mixer to launder stolen proceeds following the shutdown of Sinbad late last year, indicating their ability to adapt their modus operandi in response to law enforcement actions.

“Sinbad became a preferred mixer for North Korea-affiliated hackers in 2022, soon after the sanctioning of Tornado Cash, which had previously been the go-to for these sophisticated cybercriminals,” the company said. “With Sinbad out of the picture, Bitcoin-based mixer YoMix has acted as a replacement.”

The malicious activities are the work of a plethora of North Korean hacking units operating under the broad Lazarus umbrella, which are known to engage in an array of hacking operations ranging from cyber espionage to cryptocurrency thefts, ransomware, and supply chain attacks to achieve their strategic goals.

North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor
http://www.indiavpn.org/2024/01/22/north-korean-hackers-weaponize-fake-research-to-deliver-rokrat-backdoor/
Mon, 22 Jan 2024 19:51:50 +0000

Jan 22, 2024 | Newsroom | Cyber Attack / Hacking


Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also known by the names APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).


The group is known for its targeting of governments and defectors, leveraging spear-phishing lures to deliver RokRAT and other backdoors with the ultimate goal of covert intelligence gathering in pursuit of North Korea’s strategic interests.

In August 2023, ScarCruft was linked to an attack on Russian missile engineering company NPO Mashinostroyeniya alongside Lazarus Group in what has been deemed as a “highly desirable strategic espionage mission” designed to benefit its controversial missile program.


Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.

While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.

There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that’s said to be part of the threat actor’s planning and testing processes.


While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.

The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi likely in an effort to circumvent detection in response to public disclosure about its tactics and techniques.

“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.

“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”

New macOS Backdoor Threat from North Korean Hackers
http://www.indiavpn.org/2024/01/05/new-macos-backdoor-threat-from-north-korean-hackers/
Fri, 05 Jan 2024 16:39:35 +0000

Jan 05, 2024 | Newsroom | Endpoint Security / Malware


Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors.

“SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control] server,” security researcher Greg Lesnewich said.

The malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host.


It’s worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444) which culminates in the deployment of a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz.

In recent months, the threat actor has been observed combining disparate pieces of these two infection chains, leveraging RustBucket droppers to deliver KANDYKORN.

The latest findings are another sign that North Korean threat actors are increasingly setting their sights on macOS to infiltrate high-value targets, particularly those within the cryptocurrency and the blockchain industries.

“TA444 keeps running fast and furious with these new macOS malware families,” Lesnewich said.

Security researcher Patrick Wardle, who shared additional insights into the inner workings of SpectralBlur, said the Mach-O binary was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia.

The functional similarities between KANDYKORN and SpectralBlur have raised the possibility that they may have been built by different developers keeping the same requirements in mind.


What makes the malware stand out are its attempts to hinder analysis and evade detection while using grantpt to set up a pseudo-terminal and execute shell commands received from the C2 server.

The disclosure comes as a total of 21 new malware families designed to target macOS systems, including ransomware, information stealers, remote access trojans, and nation-state-backed malware, were discovered in 2023, up from 13 identified in 2022.

“With the continued growth and popularity of macOS (especially in the enterprise!), 2024 will surely bring a bevy of new macOS malware,” Wardle noted.
