North Korean Hackers Publish 26 Malicious npm Packages with Pastebin C2 for Cross-Platform RAT


North Korean Hackers Launch New Wave of Attacks Targeting Developers

North Korean hackers have launched a new wave of attacks targeting developers, publishing 26 malicious packages on the npm registry. The packages, masquerading as legitimate developer tools, contain a hidden command-and-control (C2) mechanism that uses Pastebin content as a dead drop resolver. This allows the attackers to deploy a cross-platform remote access trojan (RAT) and credential stealer.

Malicious Packages and Payload

The malicious packages, tracked by researchers under the name StegaBin, carry an install script that executes a payload located in a “vendor/scrypt-js/version.js” file, a path chosen to look like a vendored copy of a legitimate library. The payload is a text steganography decoder: it fetches a Pastebin page and recovers the real C2 domain names from it. The decoder strips zero-width Unicode characters from the text, reads a 5-digit length marker, computes that many evenly spaced character positions across the remaining text, and extracts the character at each position.

Extracted Characters and C2 Domain Names

The extracted characters are then split into an array of C2 domain names, hosted on Vercel across 31 deployments. One of them, “ext-checkdin.vercel[.]app,” was found to serve a shell script that contacts the same URL to retrieve a RAT component. The RAT connects to a remote server and waits for instructions, letting the attackers execute shell commands and deploy a comprehensive intelligence collection suite.
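The dead drop decoder and the domain split described in the two paragraphs above, as an added example written from the article's description rather than the campaign's own code. The marker layout (a 5-character zero-padded length prefix), the position formula (floor(i * body.length / len)) and the comma separator between domains are assumptions made for this illustration; the real format is not published here. Both sides are implemented so the decoder can be exercised offline, and a review-time check flags text that carries zero-width characters, which is the cheapest tell when reading a package's install-time code.

```javascript
'use strict';
// Added example (not the campaign's code): a text-steganography dead drop of the
// kind the article describes. The marker layout, position formula and the ','
// separator are assumptions for illustration, not the malware's real format.
// Cover and secret are assumed to be plain ASCII (no surrogate pairs).

// Zero-width code points commonly used as invisible padding in text stego.
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;
const MARKER_WIDTH = 5;        // assumed: 5-digit, zero-padded length marker
const DOMAIN_SEPARATOR = ',';  // assumed separator between hidden domain names

function stripZeroWidth(text) {
  return text.replace(ZERO_WIDTH, '');
}

function countZeroWidth(text) {
  return (text.match(ZERO_WIDTH) || []).length;
}

// Hidden character i lives at floor(i * bodyLength / len). With bodyLength >= len
// the step is >= 1, so the positions are distinct and strictly increasing.
function hiddenPositions(bodyLength, len) {
  const step = bodyLength / len;
  return Array.from({ length: len }, (_, i) => Math.floor(i * step));
}

// Attacker side: overwrite cover characters at the computed positions, prefix the
// length marker, then sprinkle zero-width characters so the hidden characters do
// not line up for a human reading the paste.
function encodeStego(cover, secret, noiseEvery = 7) {
  if (stripZeroWidth(cover) !== cover) throw new Error('cover already contains zero-width characters');
  if (secret.length === 0 || secret.length >= 10 ** MARKER_WIDTH) throw new Error('secret length must fit the marker');
  if (cover.length < secret.length) throw new Error('cover text is too short for the secret');
  const chars = cover.split('');
  hiddenPositions(chars.length, secret.length).forEach((pos, i) => { chars[pos] = secret[i]; });
  const marker = String(secret.length).padStart(MARKER_WIDTH, '0');
  let out = '';
  (marker + chars.join('')).split('').forEach((ch, i) => {
    out += ch;
    if ((i + 1) % noiseEvery === 0) out += '\u200B';
  });
  return out;
}

// Victim side, mirroring the decoder described above: strip zero-width characters,
// read the length marker, then pick the characters at the evenly spaced positions.
function decodeStego(text) {
  const clean = stripZeroWidth(text);
  const marker = clean.slice(0, MARKER_WIDTH);
  if (marker.length !== MARKER_WIDTH || !/^\d+$/.test(marker)) return null; // no marker: not a dead drop
  const len = Number(marker);
  const body = clean.slice(MARKER_WIDTH);
  if (len === 0 || body.length < len) return null;                         // truncated or corrupt paste
  return hiddenPositions(body.length, len).map((pos) => body[pos]).join('');
}

// Split the recovered string into the C2 domain list.
function extractDomains(text) {
  const hidden = decodeStego(text);
  if (hidden === null) return [];
  return hidden.split(DOMAIN_SEPARATOR).map((d) => d.trim()).filter(Boolean);
}

// Cheap review-time check: legitimate source files almost never contain
// zero-width characters, so a handful of them is worth a closer look.
function looksLikeZeroWidthStego(text, threshold = 3) {
  return countZeroWidth(text) >= threshold;
}

// Constructed demo data (not real campaign artefacts).
const DEMO_COVER = 'This paste documents the build steps for the internal tooling and is safe to share with the team.';
const DEMO_SECRET = 'c2-one.example.test,c2-two.example.test';

function demoDeadDrop() {
  const paste = encodeStego(DEMO_COVER, DEMO_SECRET);
  return { zeroWidthCount: countZeroWidth(paste), domains: extractDomains(paste) };
}

console.log(demoDeadDrop());
```

The decoder never needs the cover text, which is what makes the scheme attractive to the attacker: the paste reads as harmless prose, the npm package contains no domain string for a scanner to match, and the C2 list can be rotated by editing the paste. The same property is what the check exploits on the defender's side: the install-time file has to fetch a remote page and strip zero-width characters to do its job, and either behaviour is unusual enough in a version.js to warrant a look.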

Intelligence Collection Suite

The suite contains nine modules, covering persistence through Microsoft Visual Studio Code (VS Code), keylogging, clipboard theft, browser credential harvesting, and exfiltration of Git repositories and SSH keys. Among their tactics, the modules abuse the “runOn: folderOpen” trigger of VS Code tasks, which makes a task declared in a workspace's tasks.json run automatically whenever that folder is opened, and scan the victim's configuration directories for places to write malicious files.
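The folderOpen persistence mentioned above, as an added example that is not the campaign's module: a constructed tasks.json in the shape an attacker would plant (the planted command is a placeholder path, not a real artefact) beside a small scanner that a responder could run over the .vscode/tasks.json of cloned repositories. VS Code reads tasks.json as JSONC, so the scanner strips comments and trailing commas before parsing. VS Code only runs such tasks in a workspace the user has trusted and where automatic tasks are allowed, so the planted folder still has to be opened and trusted by the victim.

```javascript
'use strict';
// Added example (not the campaign's module): a scanner for the VS Code
// "runOn: folderOpen" persistence described above. The sample tasks.json is
// constructed for this example; the planted command is a placeholder path.

// VS Code reads tasks.json as JSONC (comments and trailing commas allowed), so a
// plain JSON.parse fails on many real files. Strip comments outside strings and
// trailing commas first. Deliberately minimal: a ",]" or ",}" inside a string
// value would also be rewritten, which is acceptable for a triage tool.
function stripJsonc(text) {
  let out = '';
  let inString = false;
  for (let i = 0; i < text.length; i += 1) {
    const ch = text[i];
    const next = text[i + 1];
    if (inString) {
      out += ch;
      if (ch === '\\' && next !== undefined) { out += next; i += 1; } // keep escape pairs intact
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
      out += ch;
    } else if (ch === '/' && next === '/') {
      while (i < text.length && text[i] !== '\n') i += 1;             // drop to end of line
      out += '\n';
    } else if (ch === '/' && next === '*') {
      i += 2;
      while (i < text.length && !(text[i] === '*' && text[i + 1] === '/')) i += 1;
      i += 1;                                                           // loop increment steps past '/'
    } else {
      out += ch;
    }
  }
  return out.replace(/,(\s*[}\]])/g, '$1');
}

// Return every task that VS Code would start on folder open, with the command
// reconstructed so an analyst can see what would run.
function findAutoRunTasks(tasksJsonText) {
  const parsed = JSON.parse(stripJsonc(tasksJsonText));
  const tasks = Array.isArray(parsed.tasks) ? parsed.tasks : [];
  return tasks
    .filter((t) => t && t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map((t) => ({
      label: t.label || '(unlabelled)',
      type: t.type || 'shell',
      command: [t.command].concat(Array.isArray(t.args) ? t.args : []).filter(Boolean).join(' '),
      // A silent terminal ("reveal": "never") is what keeps the victim from noticing.
      hidden: Boolean(t.presentation && t.presentation.reveal === 'never'),
    }));
}

// Constructed sample: one legitimate build task and one planted auto-run task.
const SAMPLE_TASKS_JSON = [
  '{',
  '  // Constructed sample: one legitimate task and one planted auto-run task.',
  '  "version": "2.0.0",',
  '  "tasks": [',
  '    {',
  '      "label": "build",',
  '      "type": "shell",',
  '      "command": "npm run build",',
  '      "group": "build",',
  '    },',
  '    {',
  '      "label": "Restore workspace cache",',
  '      "type": "shell",',
  '      "command": "node",',
  '      "args": ["${workspaceFolder}/.vscode/.cache/loader.js"],',
  '      "runOptions": { "runOn": "folderOpen" },',
  '      "presentation": { "reveal": "never", "echo": false },',
  '      "problemMatcher": [],',
  '    },',
  '  ]',
  '}',
].join('\n');

function scanSampleTasks() {
  return findAutoRunTasks(SAMPLE_TASKS_JSON);
}

console.log(scanSampleTasks());
```

Run over a repository, the useful signal is any folderOpen task whose command points into a dot-directory, a cache path or a file that is not part of the project's documented build; a benign project rarely needs to start anything the moment a folder opens, and when it does the task is normally visible rather than hidden.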

Campaign and Evasion Techniques

The campaign shows a concerted effort by the North Korean actors to slip past automated detection and human review. Character-level steganography on Pastebin combined with multi-stage routing through Vercel marks a refinement of their evasion techniques. Researchers note that this latest iteration of the Contagious Interview campaign is more sophisticated than previous waves, which relied on straightforward malicious scripts and Bitbucket-hosted payloads.

Researchers warn that the attackers are likely to keep combining multiple techniques and pieces of infrastructure to deliver follow-on payloads, so developers should stay vigilant and apply robust security measures. Because the first stage here runs from an install script, installing with “npm install --ignore-scripts” (or setting ignore-scripts=true in .npmrc) and pinning dependencies to reviewed versions denies this kind of package its initial foothold; lifecycle scripts can then be run explicitly only for the packages that genuinely need them.

Additional Malicious Activity

The disclosure comes as the North Korean actors have also been observed publishing malicious npm packages to fetch next-stage JavaScript payloads hosted on Google Drive.

