North Korea’s Post-Infection Python Payloads
Throughout the past few months, several publications have written about a North Korean threat actor group’s use of NPM packages to deploy malware to developers and other unsuspecting victims. This blog post provides additional details regarding the second- and third-stage malware in these attacks, which those publications have covered only in limited detail.
A few good sources that showcase the progression of the security community’s understanding of this attack workflow include:
– Phylum, which has been tracking this threat since last year
– Palo Alto’s Unit 42, which provided additional information in November 2023
– A Medium post detailing a similar attack to the ones described above and in this blog post
Interestingly, it appears that the threat actors may have either moved to – or begun using in parallel – a series of Python scripts for this attack instead of solely delivering malicious DLLs (as observed by Phylum researchers in their original reports). This …
IoC
72400a957654371be9363fdd2753ffea8f240a8b3e6e03edc116f8da96fa3ce4
8b2f2fad1d1f1e6ad915ea2224dd9f8544edf4aaf910ab9b3a3112cc5806f16d
ba47df4e0cccdff1c6e81b7a9e347ac094efc8c94caab3f53ed0bd32d0293bf0
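The indicators above are SHA-256 file hashes, so the most direct defensive use of this list is to hash files on a suspect developer machine or build host and compare them against it. The following script is an added example written for this page, not code from the original post or from any of the cited research teams; the IoC set is copied from the list above, while the directory walk, the benign sample file created by `demo()` and the function names are the example's own assumptions.

```python
import hashlib
import os
import sys
import tempfile

# SHA-256 indicators copied from the IoC list on this page.
IOC_SHA256 = {
    "72400a957654371be9363fdd2753ffea8f240a8b3e6e03edc116f8da96fa3ce4",
    "8b2f2fad1d1f1e6ad915ea2224dd9f8544edf4aaf910ab9b3a3112cc5806f16d",
    "ba47df4e0cccdff1c6e81b7a9e347ac094efc8c94caab3f53ed0bd32d0293bf0",
}


def sha256_of_bytes(data):
    """Lowercase hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Lowercase hex SHA-256 of a file, streamed so large artifacts fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ioc(digest):
    """True if a hex digest (any case, surrounding whitespace ignored) is on the IoC list."""
    return digest.strip().lower() in IOC_SHA256


def scan_tree(root):
    """Walk a directory tree and return [(path, sha256)] for every file whose hash
    matches an indicator. Files that cannot be read (permissions, races with
    deletion) are skipped so one bad file does not abort the whole scan."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if is_ioc(digest):
                hits.append((p, digest))
    return hits


def demo():
    """Scan a throwaway directory holding one constructed benign file.
    Returns the list of hits, which is empty because the sample is not malware."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "w") as f:
            f.write("constructed sample file, not an indicator\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    # Usage: python ioc_scan.py <directory>   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(target):
        print(f"IOC MATCH {digest} {path}")
```

Hash matching only catches the exact samples already seen; a recompiled or re-obfuscated stage evades it, so treat a hit as confirmation and a miss as no evidence either way.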