Lazarus Group Strikes Again: Npm Packages Weaponized in Supply Chain Attack

The Chinese cybersecurity firm QiAnXin has identified a new campaign by the Lazarus group, which employs npm packages to launch supply chain attacks through a multi-tiered loading method to conceal the traces of their incursions.

Researchers, by analyzing the characteristics of the sample loaders and related specimens, have linked these to the modus operandi of previous Lazarus group attacks, noting the group’s penchant for targeting supply chains.

This multi-tiered malicious software loading approach encompasses several stages:

  1. The download and decryption of an embedded PE file containing the code for the second stage of loading. The embedded file is typically decrypted with a simple XOR.
  2. The download and execution of a secondary PE file, which establishes communication with a C2 server and delivers the subsequent payload.

This stratagem lets the attackers hide their activity from antivirus software. If the antivirus detects the initial PE file, it may block its execution; but if it does not recognize that file, the more dangerous secondary PE file goes undetected.
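As an added illustration (not code from the QiAnXin report or from the campaign itself), the following Python scanner searches a file for a PE image hidden behind a single-byte XOR key, the kind of first-stage blob the article describes. It assumes a single-byte key, validates the hit through the DOS header's `e_lfanew` pointer and the `PE\0\0` signature rather than the `MZ` bytes alone, and uses a constructed sample input rather than a real package.

```python
# Scanner for a single-byte-XOR-encoded PE image embedded in arbitrary data.
# Assumption (not stated in the article): one key byte applied to the whole image.
DOS_STUB = b"This program cannot be run in DOS mode"


def find_xor_pe(data: bytes):
    """Return (offset, key) of the first embedded single-byte-XORed PE, else None.

    A hit requires: 'MZ' at the offset, a plausible e_lfanew at +0x3C, and the
    'PE\\0\\0' signature at that pointer, all under the same key. Key 0 also
    catches an unencoded PE.
    """
    for key in range(256):
        needle = bytes(b ^ key for b in b"MZ")
        start = 0
        while (off := data.find(needle, start)) >= 0:
            if off + 0x40 <= len(data):
                hdr = bytes(b ^ key for b in data[off:off + 0x40])
                e_lfanew = int.from_bytes(hdr[0x3C:0x40], "little")
                pe_off = off + e_lfanew
                if 0x40 <= e_lfanew < 0x400 and pe_off + 4 <= len(data):
                    sig = bytes(b ^ key for b in data[pe_off:pe_off + 4])
                    if sig == b"PE\0\0":
                        return off, key
            start = off + 1
    return None


def decode_embedded(data: bytes):
    """Return the decoded PE bytes from the first hit, or None if nothing is found."""
    hit = find_xor_pe(data)
    if hit is None:
        return None
    off, key = hit
    return bytes(b ^ key for b in data[off:])


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test input: a minimal PE-shaped header XORed with `key`,
    wrapped in harmless text so it does not sit at offset 0."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)          # DOS header up to e_lfanew
    hdr += (0x80).to_bytes(4, "little")               # e_lfanew -> 0x80
    hdr += DOS_STUB + b"\x00" * (0x80 - len(hdr) - len(DOS_STUB))
    hdr += b"PE\0\0" + b"\x00" * 20                   # NT signature + padding
    encoded = bytes(b ^ key for b in hdr)
    return b"// harmless prefix\n" + encoded + b"\n// suffix\n"


if __name__ == "__main__":
    print(find_xor_pe(build_sample()))
```

Key-search cost is 256 passes over the input, so it is meant for triaging extracted package contents, not for scanning large archives in bulk.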

The samples also obfuscate their communication with the C2 server to evade detection and analysis, notably by encrypting it with RSA. The traffic is additionally compressed with gzip, which further complicates analysis of the communication content.

The ensuing payloads of these loaders are trojans capable of pilfering sensitive information (credentials, financial, and personal data) and executing remote commands (including installing other malware, monitoring user activity, and seizing control of the victim’s computer).

Given the multi-tiered loading method and the characteristics of communication with the C2 server, the attackers are likely attempting to conceal the attack’s traces and reduce the risk of detection of subsequent payloads. Considering the connection to Lazarus, it is probable that the attackers will exploit this method for further incursions.