In December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have been compromising supply chains through the open-source ecosystem.
One of their key tactics is the exploitation of the public npm registry to distribute malicious packages.
Despite the increased exposure and attention this issue has received through our research and that of others in the field, it is evident that these attackers remain undeterred.
Throughout the first and second quarters of 2024, we observed the continued publication of malicious packages on npm that bore striking similarities to those detailed in our previous blog post.
Initially, we believed these packages were a continuation of Jade Sleet’s campaign from late spring and early summer 2023.
However, new information came to light that made it apparent a new threat actor was emerging, according to a report from Checkmarx.
In a recent publication, Microsoft highlighted a new rising North Korean threat actor named Moonstone Sleet.
This actor employs various tactics, techniques, and procedures (TTPs) to target companies for financial gain and cyber espionage.
Many of these TTPs utilized by Moonstone Sleet closely resemble those employed by other North Korean threat actors.
Several Indicators of Compromise (IOCs) shared in Microsoft’s blog closely resemble those mentioned in our December blog post and recent publications by Phylum.
This indicates that, in addition to delivering malicious npm packages through freelancing websites and platforms like LinkedIn, Moonstone Sleet has also been attempting to spread its malicious packages through the public npm registry.
This tactic potentially allows the group to reach a wider audience and increases the likelihood of its malicious packages being installed by unsuspecting developers.
The malicious npm packages affiliated with Jade Sleet, discovered in the spring and early summer of 2023, and those found from late 2023 to early 2024, whose IOCs link them to the Moonstone Sleet group, differ distinctly in code style and structure.
These differences offer interesting insights into the varying strategies used by different groups when targeting the open-source software supply chain.
Jade Sleet’s packages, discovered throughout the summer of 2023, were designed to work in pairs, with the malicious functionality split across the two packages and each package published from a separate npm user account.
This approach made the malicious activity harder to detect and harder to trace back to a single source.
In contrast, the packages published throughout late 2023 and early 2024 adopted a more streamlined single-package approach that executed its payload immediately upon installation, that is, from an install-time lifecycle script that npm runs automatically during `npm install`, with no further action needed from the developer.
The malicious payload was encoded within string constants, and the package included OS-specific code that executed only if it detected that it was running on a Windows machine.
In the second quarter of 2024, the packages grew in complexity: the attackers added obfuscation and extended the payload to target Linux systems as well.
The following code would be executed if the OS was detected as Linux.
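The pattern described above (an install-time lifecycle hook, a payload carried in long encoded string constants, and execution gated on the detected operating system) can be triaged statically before a package is ever installed. The Node.js script below is an added example written for this edit; it is neither the article's code nor the code of any of the packages it discusses. The package it inspects (`example-helper`, `setup.js`, the base64 blob) is constructed here for illustration and contains only harmless filler text, and the length and entropy thresholds are assumed values, not figures from the article.

```javascript
// Added example (not from the article): static triage of an npm package for an
// install-time hook that gates on process.platform and embeds an encoded blob.
// The sample package below is CONSTRUCTED; it is not a real malicious package.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Lifecycle scripts that npm runs automatically during `npm install`.
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Platform literals compared against process.platform / os.platform(), e.g. "win32".
function platformGates(source) {
  const re = /(?:process\.platform|os\.platform\(\))\s*[!=]==?\s*["']([a-z0-9]+)["']/g;
  const found = new Set();
  for (const m of source.matchAll(re)) found.add(m[1]);
  return [...found].sort();
}

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Long, high-entropy base64/hex-looking string literals: the usual carrier for an
// encoded payload. Thresholds are assumed starting points, tune them for your corpus.
function encodedConstants(source, minLen = 64, minEntropy = 3.5) {
  const re = new RegExp(`["'\`]([A-Za-z0-9+/=_-]{${minLen},})["'\`]`, "g");
  return [...source.matchAll(re)]
    .map((m) => m[1])
    .filter((lit) => shannonEntropy(lit) >= minEntropy)
    .map((lit) => ({ length: lit.length, entropy: +shannonEntropy(lit).toFixed(2) }));
}

// Script file a hook command runs directly with node, if any (e.g. "node setup.js").
function scriptFile(command) {
  const m = /\bnode\s+([^\s&|;]+)/.exec(command);
  return m ? m[1] : null;
}

// files: map of path -> source text taken from the package tarball.
function triagePackage(pkg, files) {
  const findings = [];
  for (const { hook, command } of installHooks(pkg)) {
    const file = scriptFile(command);
    const source = file && files[file] ? files[file] : "";
    const gates = platformGates(source);
    const blobs = encodedConstants(source);
    findings.push({
      hook, command, file, platformGates: gates, encodedConstants: blobs.length,
      // An install hook alone is common (native builds); combined with a platform
      // gate and an embedded encoded blob it matches the pattern in this article.
      suspicious: gates.length > 0 && blobs.length > 0,
    });
  }
  return findings;
}

// Constructed sample: a postinstall hook, Windows/Linux platform gates, and a base64
// string constant that here only encodes harmless filler text.
const SAMPLE_BLOB = Buffer.from(
  "constructed filler text standing in for an encoded payload; not real malware"
).toString("base64");
const SAMPLE_PACKAGE = {
  packageJson: { name: "example-helper", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  files: {
    "setup.js": [
      'const os = require("os");',
      `const data = "${SAMPLE_BLOB}";`,
      'if (process.platform === "win32" || os.platform() === "linux") {',
      "  // constructed stand-in: a real package would decode and run `data` here",
      "}",
    ].join("\n"),
  },
};

const SAMPLE_FINDINGS = triagePackage(SAMPLE_PACKAGE.packageJson, SAMPLE_PACKAGE.files);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

Run with `node triage.js`; the sample produces one finding on the `postinstall` hook with platform gates `["linux","win32"]`, one encoded constant, and `suspicious: true`, while a package whose only hook is `install: "node-gyp rebuild"` is reported but not flagged. This is a heuristic, not a verdict: obfuscated packages can hide the platform check and split the blob into shorter pieces, so treat a hit as a reason to read the script, and consider setting `ignore-scripts=true` in `.npmrc` so lifecycle scripts do not run on install at all.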
The frequent publication of malicious packages on npm by North Korean threat actors underscores the persistent nature of their campaign.
By continually adapting their tactics and techniques, they aim to evade detection and enhance their odds of breaching targeted systems.
As the fight against malicious actors in the open-source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and thwarting these attacks.
We can work towards a safer and more secure open-source ecosystem for all through collective effort and proactive measures.