GitHub warns of a social engineering campaign targeting the accounts of developers in the blockchain, cryptocurrency, online gaming, and cybersecurity industries to infect their devices with malware.
The campaign was linked to the North Korean state-sponsored Lazarus hacking group, also known as Jade Sleet (Microsoft Threat Intelligence) and TraderTraitor (CISA). THE The US government released a report in 2022 detailing the tactics of threat actors.
The hacking group has a long history of targeting cryptocurrency companies and cybersecurity researchers for cyber espionage and to steal cryptocurrency.
Targeting Developers with Malware
In a new security alert, GitHub warns that the Lazarus group is compromising legitimate accounts or creating fake personas that claim to be developers and recruiters on GitHub and social media.
“GitHub has identified a low-volume social engineering campaign that targets the personal accounts of tech company employees, using a combination of repository invites and malicious npm package dependencies,” GitHub explained. security alert.
These personas are used to contact and initiate conversations with developers and employees in the cryptocurrency, online gambling, and cybersecurity industries. These conversations usually lead to another platform, which previous campaigns were WhatsApp.
After establishing trust with the target, the threat actors invite them to collaborate on a project and clone a GitHub repository themed around media players and cryptocurrency trading tools.
However, GitHub reports that these projects use malicious NPM dependencies that download other malware onto target devices.
Although GitHub only shared malicious NPM packages act as a first stage malware downloader, they referenced a June report by Phylum which goes into more detail regarding malicious NPMs.
According to Phylum, NPMs act as malware downloaders that connect to remote sites for additional payloads to run on the infected machine.
Unfortunately, Phylum researchers were unable to receive the second-stage payloads to see the final malware delivered to the device and analyze the executed malicious behavior.
“Whatever the reason, it is certain to be the work of a reasonably sophisticated supply chain threat actor,” the Phylum researchers concluded.
“One of the distinguishing features of this attack is its unique execution chain requirements: a specific installation order of two separate packages on the same machine.”
“Furthermore, suspected malicious components are hidden, stored on their servers, and distributed dynamically at runtime.”
GitHub says they have suspended all NPM and GitHub accounts and released a complete list of indicators regarding domains, GitHub accounts, and NPM packages associated with the campaign.
The company also points out that no GitHub or npm systems were compromised during this campaign.
This campaign is similar to a Lazarus campaign in January 2021, when threat actors targeted security researchers in social engineering attacks using elaborate fake social media personas of “security researchers” to infect targets with malware.
This was done by convincing researchers to collaborate on vulnerability development by distributing malicious Visual Studio projects for alleged vulnerability exploits that installed a custom backdoor.
A similar campaign was conducted in March 2021 when hackers created a website for a fake company named SecureElite to infect researchers with malware.
Other Past Lazarus Attacks
North Korean hackers have long targeted cryptocurrency companies and developers to steal assets to fund their country’s initiatives.
It was later revealed that the threat actors sent a malicious laced PDF file claiming to be a lucrative job offer for one of the blockchain engineers in this attack.
The use of fake job opportunities to spread malware was also used in a 2020 campaign titled “Operation Dream Jobwhich targeted employees of prominent defense and aerospace companies in the United States.