Lazarus Hacker Group Targeting Developers

A North Korea based threat actor targeting personal accounts of technology firms through low-profile social engineering attempts.

This campaign utilizes a combination of repository invitations and a malicious npm package to target the victim’s accounts associated with blockchain, cryptocurrency, or online gambling sectors.

According to the latest article by Github, this campaign actor is linked up with a group likely known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

GitHub confirmed that no GitHub accounts or npm systems accounts were compromised in this campaign. 

Lazarus Group Attack Process

Initially, the threat actor impersonates a developer or recruiter by creating professional profiles on Github and some other social media websites.

They utilize both personal accounts as well as compromised accounts by jade sleet to contact the victims.

The actor may initiate contact on one platform and then switch the conversation to another platform.

Once connected with a target, the threat actor invites the target to collaborate on a GitHub repository and manipulates the target to clone and execute its contents. 

In some cases, the actor may send the malicious software straight through a messaging or file-sharing service, skipping the step of inviting people to the repository and cloning it.

The software in the GitHub source has malicious npm dependencies. Some of the software used by the threat actor are media players and tools for selling cryptocurrencies.

These malicious npm packages download second-stage malware on the victim’s computer. 

The threat actor usually doesn’t post their malicious packages until they send a fake repository invitation. 

Github has suspended npm and GitHub accounts associated with the campaign and shared IOC details on their blog.

The best practice to avoid this campaign is to be cautious of social media solicitations to collaborate on or install npm packages or software that depends on them.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.