01-30-2025, 09:05 PM
News North Korean hackers impersonated recruiters to steal credentials from over 1,5
<div id="remove_no_follow">
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<p>The Lazarus group, North Korea’s main state-sponsored cyberespionage group, infected more than 1,500 systems around the world in a months-long campaign during which they extracted development credentials, authentication tokens, and passwords stored in browsers.</p>
<p>The attacks, which researchers from SecurityScorecard <a href="https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/">have dubbed Operation Phantom Circuit</a>, started in November 2024 and mainly targeted developers. They rely on a social engineering technique that North Korean hackers have used repeatedly over the past year: impersonating recruiters to trick developers into downloading and running malicious code on their own systems.</p>
<p>In this case, the attackers cloned legitimate applications used in cryptocurrency and authentication systems, set up rogue GitLab repositories for them, and seeded those repositories with backdoored versions of the packages.</p>
<p>“Fake recruiters pretending to be a representative of the maker of that software would reach out to developers for jobs,” Ryan Sherstobitoff, senior vice president of research and threat intelligence at SecurityScorecard, told CSO. “This is where the developer would be tricked into executing the repo thinking they had a legitimate interaction with a recruiter or other technical expert. Once the backdoor was executed it collected data from the system and sent additional payloads to find developers’ secrets.”</p>
<p>This follows <a href="https://www.csoonline.com/article/3518577/fake-recruitment-campaign-targets-developers-using-trojanized-python-packages.html">a campaign reported in September</a>, also attributed to North Korean hackers, in which developers were similarly approached with job offers by fake recruiters posing as staff of well-known financial firms. The coding test given to victims during the “recruitment” process was to find a bug in a password manager application hosted on GitHub, which required them to first run the backdoored project on their own systems.</p>
<p>Back in April, North Korean attackers used the same fake-recruiter strategy to trick developers into running backdoored Node.js projects on their systems in <a href="https://www.csoonline.com/article/3479795/north-korean-cyberspies-trick-developers-into-installing-malware-with-fake-job-interviews.html">a very similar campaign dubbed DEV#POPPER</a>. The repetition shows that the strategy keeps producing results and that the attackers are refining their approach over time.</p>
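<p>The lure in all three campaigns is the same: a “take-home” repository that the developer is expected to install and run. The Python script below is an added example written for this page, not code from the article, from SecurityScorecard, or from the campaigns it describes. It audits a checked-out repository before anything in it is executed: it lists the npm lifecycle hooks that <code>npm install</code> would run automatically and flags source lines with patterns typical of a dropper (runtime code loading, base64 payloads, process spawning, remote fetches, browser credential store paths, setup.py install hooks). The repository it builds in a temporary directory, including the package name and the inert <code>loader.js</code> stub, is constructed for the demo.</p>

```python
"""Pre-flight audit of an untrusted "take-home" repository.

Added example for this page (not code from the article or SecurityScorecard).
Run it before `npm install` / `pip install -e .` on a repo a "recruiter" sent:
it lists where the repo would execute code automatically and flags lines with
patterns typical of a dropper. The demo repo it builds is constructed.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass

# npm runs these during `npm install`, before anyone has read the code.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
CODE_EXT = (".js", ".cjs", ".mjs", ".ts", ".py", ".sh")
SKIP_DIRS = {"node_modules", ".git", "dist"}
MAX_LINE = 400  # longer single lines usually mean packed or obfuscated code

# Patterns that are unusual in an honest coding test but routine in a dropper.
SUSPICIOUS = [
    ("runtime code loading", re.compile(r"\b(eval|new Function|exec|execSync|spawn)\s*\(")),
    ("encoded payload", re.compile(r"\b(atob|Buffer\.from|b64decode|fromCharCode)\s*\(")),
    ("process spawning", re.compile(r"child_process|\bsubprocess\b")),
    ("remote fetch", re.compile(r"\b(curl|wget|Invoke-WebRequest)\b|https?://\d{1,3}(\.\d{1,3}){3}")),
    ("browser credential store", re.compile(r"Login Data|logins\.json|Local State|login\.keychain")),
    ("setup.py install hook", re.compile(r"\bcmdclass\s*=")),
]


@dataclass
class Finding:
    path: str
    line: int  # 0 for manifest-level findings
    reason: str
    snippet: str


def audit_package_json(path):
    """List every lifecycle hook npm would execute for this manifest."""
    with open(path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    return [
        Finding(path, 0, "npm lifecycle hook", f"{hook}: {cmd}")
        for hook, cmd in manifest.get("scripts", {}).items()
        if hook in NPM_LIFECYCLE_HOOKS
    ]


def scan_file(path):
    """Flag suspicious patterns and packed lines in one source file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if len(line) > MAX_LINE:
                findings.append(Finding(path, lineno, "packed/obfuscated line", line[:60] + "..."))
            for reason, pattern in SUSPICIOUS:
                if pattern.search(line):
                    findings.append(Finding(path, lineno, reason, line.strip()[:120]))
    return findings


def audit_repo(root):
    """Walk a checked-out repo (skipping vendored dirs) and collect findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == "package.json":
                findings.extend(audit_package_json(full))
            elif name.endswith(CODE_EXT):
                findings.extend(scan_file(full))
    return findings


def build_demo_repo():
    """Constructed stand-in for a recruiter's coding test (demo data, not a real sample)."""
    root = tempfile.mkdtemp(prefix="takehome-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "src"))
    files = {
        "package.json": json.dumps({
            "name": "wallet-auth-demo", "version": "1.0.0",
            "scripts": {"test": "node test.js", "postinstall": "node lib/loader.js"},
        }),
        # Inert: the audit only reads this text, it is never executed here.
        "lib/loader.js": (
            'const cp = require("child_process");\n'
            'const blob = "Y29uc29sZS5sb2coImhpIik=";\n'
            'eval(Buffer.from(blob, "base64").toString());\n'
        ),
        "src/index.js": "module.exports = (a, b) => a + b;\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    repo = build_demo_repo()
    for f in audit_repo(repo):
        print(f"{f.reason:26} {os.path.relpath(f.path, repo)}:{f.line}  {f.snippet}")
```

<p>Point <code>audit_repo()</code> at a real clone to get the same report. A clean result is not proof of safety, since obfuscation can defeat pattern matching; the safer habit is still to run unknown coding tests only inside a disposable VM or container that holds no real SSH keys, tokens or browser profiles.</p>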
<h2 class="wp-block-heading" id="the-attackers-built-a-layered-infrastructure">The attackers built a layered infrastructure</h2>
<p>Based on data SecurityScorecard obtained by analyzing the attackers’ command-and-control infrastructure, the campaign came in three waves. In November, the attackers targeted 181 developers, primarily in European technology sectors. In December, the campaign expanded globally to hundreds of developers, with hotspots such as India (284 victims). In January, a new wave added 233 more victims, including 110 systems in India’s technology sector alone.</p>
<p>“The attackers exfiltrated critical data, including development credentials, authentication tokens, browser-stored passwords, and system information,” the researchers said. “Once collected by the C2 servers, the data was transferred to Dropbox, where it was organized and stored. Persistent connections to Dropbox highlighted the attackers’ systematic approach, with some servers maintaining active sessions for over five hours.”</p>
<p>The attackers layered several VPN and proxy hops for obfuscation, but their activity was still traced back to several IP addresses in North Korea. They connected through Astrill VPN endpoints, then through Oculus Proxy network IPs in Russia, and finally to the C&C servers, which were hosted by a company called Stark Industries.</p>
<h2 class="wp-block-heading" id="the-attackers-used-multi-stage-malware">The attackers used multi-stage malware</h2>
<p>The group’s administrative backend for victim data was built with modern web technologies such as React and Node.js and exposed multiple API endpoints for granular operational control and victim sorting. Separate endpoints served device details such as PC names, operating systems, and configurations, and let the operators look up stolen credentials and activity logs.</p>
<p>“The level of precision and customization in this platform is troubling,” Sherstobitoff said. “It shows a deliberate effort to manage stolen data at scale while evading detection.”</p>
<p>In <a href="https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/">a report earlier in January</a>, SecurityScorecard described some of the malware payloads used by the attackers. The first is a lightweight downloader dubbed Main99, whose purpose is to connect to the C&C servers and fetch additional payloads. A more robust downloader, dubbed Main5346, also exists.</p>
<p>These downloaders execute task-specific payloads. Payload99/73, for example, collects system data but can also exfiltrate files, upload clipboard contents, kill browser processes, and execute additional scripts. Another payload, Brow99/73, collects information from browsers, as well as passwords from the macOS keychain and AES encryption keys on Windows.</p>
<p>Finally, an implant called MCLIP is a keylogger that also monitors clipboard activity and sends the captured data back to the attackers in real time.</p>
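<p>The credential-theft stage described above leaves a recognizable sequence on the endpoint: a process that is not a browser kills the browser and then opens the browser’s password store, the Chromium “Local State” key file, or the macOS login keychain. The Python detector below is an added example for this page, not code from the article or from SecurityScorecard. The telemetry schema, hostnames, process IDs and log lines are constructed, and the assumption that the browser is killed to release its locked database files is the author’s reading, not something the report states.</p>

```python
"""Detection sketch: browser killed, then browser credential store read.

Added example for this page (not from the article or SecurityScorecard).
The telemetry schema is constructed; map it onto the process-termination and
file-access events your EDR emits. The idea that the browser is killed to
release its locked database files is an assumption.
"""
import json

# Process images that are allowed to touch their own credential stores.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "Google Chrome", "firefox"}

# File name fragments of browser password stores, the Chromium key file
# ("Local State" holds the wrapped AES key) and the macOS login keychain.
CRED_STORE_MARKERS = ("Login Data", "Local State", "logins.json", "key4.db", "login.keychain-db")

WINDOW_SEC = 300  # kill-to-read gap that still counts as one sequence

# Constructed sample telemetry (JSON lines): a Node process on a Windows
# developer box kills Chrome and reads its stores; Chrome reads its own store;
# a process on a Mac reads the login keychain with no kill seen.
SAMPLE_LOG = r"""
{"ts": 100, "host": "dev-ws-17", "type": "process_start", "pid": 4120, "image": "node.exe", "cmdline": "node lib/loader.js"}
{"ts": 101, "host": "dev-ws-17", "type": "process_kill", "pid": 4120, "image": "node.exe", "target_image": "chrome.exe", "target_pid": 2200}
{"ts": 103, "host": "dev-ws-17", "type": "file_read", "pid": 4120, "image": "node.exe", "path": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": 104, "host": "dev-ws-17", "type": "file_read", "pid": 4120, "image": "node.exe", "path": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": 200, "host": "dev-ws-17", "type": "file_read", "pid": 2300, "image": "chrome.exe", "path": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": 300, "host": "mac-dev-03", "type": "file_read", "pid": 777, "image": "node", "path": "/Users/dev/Library/Keychains/login.keychain-db"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry and order it by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def is_cred_store(path):
    return any(marker in path for marker in CRED_STORE_MARKERS)


def detect(events):
    """Return one alert per (host, pid, severity).

    high:   the same non-browser process killed a browser within WINDOW_SEC
            before reading a credential store (the sequence the payload uses).
    medium: a non-browser process read a credential store with no kill seen
            (keychain reads, tools copying files while the browser is closed);
            noisier, so triage against backup and sync agents.
    """
    last_browser_kill = {}  # (host, killer pid) -> ts of the most recent browser kill
    alerts = {}
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_kill" and ev.get("target_image") in BROWSERS:
            last_browser_kill[key] = ev["ts"]
        elif ev["type"] == "file_read" and ev["image"] not in BROWSERS and is_cred_store(ev["path"]):
            kill_ts = last_browser_kill.get(key)
            sev = "high" if kill_ts is not None and ev["ts"] - kill_ts <= WINDOW_SEC else "medium"
            alert = alerts.setdefault(key + (sev,), {
                "host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                "severity": sev, "paths": [],
            })
            alert["paths"].append(ev["path"])
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f'[{a["severity"]}] {a["host"]} pid={a["pid"]} ({a["image"]}) read {len(a["paths"])} store(s):')
        for p in a["paths"]:
            print("    ", p)
```

<p>On the constructed log this yields one high alert for the Node process on dev-ws-17 (two stores read within seconds of killing Chrome) and one medium alert for the keychain read on mac-dev-03, while Chrome reading its own “Login Data” produces nothing. The kill-then-read correlation is the part worth keeping; the file-name list should be extended to whatever browsers and password managers your fleet actually runs.</p>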
<p>“This campaign is consistent with North Korea’s documented use of cyberattacks to fund state programs,” the SecurityScorecard researchers said. “Between 2017 and 2023, reports estimate that North Korea generated $1.7 billion from cryptocurrency thefts, underscoring the need for global organizations to verify software dependencies and monitor their development environments.”</p>
</div></div></div></div>
https://www.csoonline.com/article/381364...stems.html