In the Crosshairs: North Korean Cyberspies Launch Attacks on GitHub Developers

North Korean Lazarus APT Group Launches Impersonation Scam Targeting Developers

Overview

The North Korean state-sponsored Lazarus advanced persistent threat (APT) group has returned with a new social engineering campaign. This time, the group is impersonating developers and recruiters with legitimate GitHub or social media accounts to target a limited group of technology employees. The campaign aims to distribute malware via malicious node package manager (npm) dependencies. While no GitHub or npm systems were compromised, Lazarus is using compromised or fake accounts on platforms such as LinkedIn, Slack, Telegram, and GitHub to carry out this campaign.

About the Lazarus APT Group

Lazarus is a well-known APT group believed to be run by North Korea’s Foreign Intelligence and Reconnaissance Bureau. Their activities date back to 2009, and they are known for both financially motivated attacks to fund the regime of Kim Jong Un and cyber espionage activities. The group often uses job or business opportunities to lure victims working in various industries. In this campaign, Lazarus is specifically targeting developers associated with the blockchain, cryptocurrency, online gambling, and cybersecurity sectors.

The Malicious Campaign

The goal of the Lazarus campaign is to trick victims into cloning and executing the contents of a GitHub repository. The repository contains software with malicious npm dependencies. The themes of the software used by the threat actor include media players and cryptocurrency trading tools. The malicious npm packages act as the first-stage malware, which then downloads and executes the second-stage malware on the victim’s machine.

Implications and Motivations

Lazarus has a history of deploying various types of malware, from remote access trojans (RATs) to ransomware. This APT group constantly adapts and shifts tactics to achieve its malicious goals. In this campaign, the use of npm packages allows Lazarus to target and poison the software supply chain: a single malicious dependency is pulled in by every application that depends on it, so one poisoned package can reach many victims. This approach is becoming popular among threat actors due to its effectiveness.

Security Measures and Mitigation

GitHub has taken action against the campaign by suspending the npm and GitHub accounts associated with it. They have also published indicators of compromise (IoCs) and filed abuse reports with domain hosts. Those potentially affected by the campaign should review their security and audit logs for any acceptance of repository invitations from the identified accounts. If targeted, individuals should promptly notify their employer’s cybersecurity department. Moreover, developers who executed any content as a result of this campaign are advised to reset or wipe potentially affected devices, change account passwords, and rotate sensitive credentials and tokens stored on those devices.

Advice for Developers

In general, developers should exercise caution when receiving social media solicitations to collaborate on or install npm packages or software depending on them. This is especially important if the offers come from accounts associated with the sectors identified as targets in this campaign. Developers should thoroughly analyze dependencies and installation scripts, paying careful attention to recently published packages, scripts, or dependencies that establish network connections during installation.
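The dependency review described above can be partly automated. The following is an added example (not code from the article, GitHub, or npm) that audits a package manifest for the warning signs the article names: lifecycle scripts that run on install, install-time network activity, and very recent publication. The manifests, the publish timestamps, and the suspicious-pattern list are constructed assumptions for illustration.

```javascript
// Added example: offline audit of npm package manifests for install-time risk.
// The manifests below are constructed samples; the heuristics are assumptions.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Patterns suggesting a lifecycle script reaches the network or spawns processes.
const NETWORK_PATTERNS = [
  /https?:\/\//i, /\bcurl\b/, /\bwget\b/, /\bfetch\(/, /\bnet\.connect\b/,
  /\bhttps?\.(get|request)\b/, /\bchild_process\b/,
];

// Returns a list of human-readable findings for one manifest.
// `publishedAt` is the package's publish timestamp (e.g. from registry metadata);
// `now` is injected so the age check is deterministic in tests.
function auditManifest(manifest, publishedAt, now = new Date(), recentDays = 30) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.push(`lifecycle script "${hook}" runs automatically on install`);
    for (const pat of NETWORK_PATTERNS) {
      if (pat.test(scripts[hook])) {
        findings.push(`"${hook}" script matches network/process pattern ${pat}`);
        break; // one network finding per hook is enough to flag it
      }
    }
  }
  const ageDays = (now - new Date(publishedAt)) / 86400000;
  if (ageDays < recentDays) {
    findings.push(`published ${ageDays.toFixed(1)} days ago (< ${recentDays})`);
  }
  return findings;
}

// Constructed samples: a package with only build/test scripts, and one whose
// postinstall hook fetches remote content (the shape the article warns about).
const BENIGN = { name: "media-player-ui", version: "2.3.1",
  scripts: { build: "tsc", test: "jest" } };
const SUSPICIOUS = { name: "crypto-price-feed", version: "0.0.3",
  scripts: { postinstall:
    "node -e \"require('https').get('https://example.invalid/update.json')\"" } };
const NOW = new Date("2023-07-20T00:00:00Z"); // fixed clock for the demo

// Runs both samples and returns their findings keyed by label.
function demo() {
  return {
    benign: auditManifest(BENIGN, "2021-01-15T00:00:00Z", NOW),
    suspicious: auditManifest(SUSPICIOUS, "2023-07-18T00:00:00Z", NOW),
  };
}
```

A flagged package deserves a manual read of its install scripts before it is ever installed; running `npm install --ignore-scripts` while reviewing prevents lifecycle hooks from executing at all.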

Conclusion

The Lazarus APT group’s impersonation scam targeting developers highlights the ongoing threat of cyber espionage and financial fraud. This campaign demonstrates the group’s ability to adapt and exploit vulnerabilities in the software supply chain. To defend against such attacks, individuals and organizations must stay vigilant, apply the necessary security measures, and prioritize cyber hygiene.
