North Korea Still Attacking Developers via npm

2024-08-29, Phylum
https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/
#ContagiousInterview #MoonstoneSleet #NPM

In the past few weeks, we've observed a renewed surge of activity from groups aligned with North Korean objectives, publishing several packages to npm. This latest wave appears to involve multiple groups, or at least exhibits several distinct publication patterns, TTPs (Tactics, Techniques, and Procedures), and attack types we've seen in the past. The renewed surge began on August 12, 2024, with the publication of temp-etherscan-api and two versions of ethersscan-api. Approximately a week and a half later, telegram-con and another version of ethersscan-api were published. These packages appear to contain similar malware, including qq-console, published two weeks later on August 27. Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as "Contagious Interview".
These attacks are characterized by multi-stage obfuscated JavaScript that downloads additional malware components from remote servers. These include Python scripts and even a full Python interpreter, …

IoC
