North Korean Crypto Stealing Campaign Rears Its Head Again
Veracode Threat Research continues to track a persistent North Korean crypto stealing campaign we last reported on in June 2024. Our continuous monitoring systems recently flagged four suspicious packages; our investigation uncovered, and we subsequently blocked, a total of twelve malicious packages. We observed both encrypted and unencrypted payloads using different encodings, always obfuscated, and with differing obfuscation strategies. We also observed reuse of C2 infrastructure and encryption keys.
The Journey into the North Korean Crypto Stealing Campaign Begins
Our continuous monitoring systems recently flagged four suspicious packages, cloud-binary, json-cookie-csv, cloudmedia and nodemailer-enhancer, which upon investigation we identified as similar in nature. The continued use of port 1224, the reuse of C2 infrastructure and encryption keys, and code similarities allowed us to draw a connection between these packages and the same attacker, or possibly two attackers (more on that later). For example we observed this snippet …
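A defender-side heuristic for the traits described above (C2 URLs on port 1224, install-time execution, and encoded/obfuscated payloads), written as an added example rather than Veracode's own tooling; the sample package contents and the 203.0.113.10 address are constructed for illustration.

```python
import json
import re
from typing import Dict, List

# C2-style URL on port 1224, the port the campaign has kept reusing.
C2_PORT_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):1224(/[\w./-]*)?")
# npm lifecycle hooks that execute code at install time.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Long hex or base64 runs are a cheap proxy for an encoded/obfuscated payload.
ENCODED_BLOB_RE = re.compile(r"(?:[0-9a-fA-F]{64,}|[A-Za-z0-9+/]{80,}={0,2})")


def scan_package(files: Dict[str, str]) -> List[str]:
    """Return findings for an unpacked npm package given as {path: file text}."""
    findings: List[str] = []
    manifest = files.get("package.json")
    if manifest:
        try:
            hooks = json.loads(manifest).get("scripts", {})
        except json.JSONDecodeError:
            hooks = {}  # unparsable manifest: skip hook check, still scan text
        for hook in LIFECYCLE_HOOKS:
            if hook in hooks:
                findings.append(f"package.json: lifecycle hook '{hook}' runs: {hooks[hook]}")
    for path, text in files.items():
        for m in C2_PORT_RE.finditer(text):
            findings.append(f"{path}: C2-style URL on port 1224 -> {m.group(0)}")
        if ENCODED_BLOB_RE.search(text):
            findings.append(f"{path}: long encoded blob (possible obfuscated payload)")
    return findings


# Constructed sample package; not one of the packages named in this report.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "example-pkg", "version": "1.0.0",
                                "scripts": {"postinstall": "node loader.js"}}),
    "loader.js": ('const u = "http://203.0.113.10:1224/client/1/1";\n'
                  'const blob = "' + "41" * 40 + '";\n'),
    "index.js": "module.exports = () => 42;\n",
}

if __name__ == "__main__":
    for finding in scan_package(SAMPLE_PACKAGE):
        print(finding)
```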
IoC