North Korean Lazarus Group Unleashes Crypto-Stealing Malware in Sophisticated Campaign
A highly sophisticated North Korean campaign has been uncovered by researchers, aiming to covertly distribute crypto-stealing malware through open source components. The campaign, dubbed Operation Marstech Mayhem, has already affected over 230 victims in the US, Europe, and Asia, according to SecurityScorecard.
Unraveling the Campaign
SecurityScorecard has linked the live campaign to the notorious Lazarus Group, attributing a new “Marstech1” implant to the “SuccessFriend” GitHub profile. This profile has been actively committing both malicious and legitimate software to the developer platform since July 2024.
Moreover, the malware is being spread through npm packages, popular among crypto and Web3 project developers, expanding its reach and impact.
The Marstech1 implant is designed to scan systems for popular wallets like MetaMask, Exodus, and Atomic, altering browser configuration files to inject silent payloads capable of intercepting transactions, as noted by SecurityScorecard.
Sophisticated Evasion Techniques
Lazarus Group has gone to great lengths to avoid detection and analysis of the malware, employing techniques like Base85 encoding and XOR decryption. This makes it challenging for security researchers to identify and mitigate the threat effectively.
The latest iteration of the malicious JavaScript includes various evasion techniques such as control flow flattening, random variable and function names, base64 string encoding, anti-debugging checks, and splitting and recombining strings to slip undetected into the software supply chain.
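The indicators listed above can be turned into a simple pre-review triage check for JavaScript pulled from an npm package. The scanner below is an added example, not SecurityScorecard's detection logic or code from the campaign; its regular expressions, indicator names, threshold and both sample sources are constructed assumptions for illustration.

```javascript
// Heuristic triage of JavaScript source for the obfuscation traits the article lists.
// Patterns and thresholds are the editor's assumptions; samples are constructed.
const INDICATORS = [
  // Long base64-looking literal (base64 string encoding).
  { name: 'base64_blob', re: /['"][A-Za-z0-9+/]{80,}={0,2}['"]/ },
  // charCodeAt(...) ^ ... : the shape of an XOR string decoder loop.
  { name: 'xor_decoder', re: /charCodeAt\([^)]*\)\s*\^/ },
  // Four or more tiny string fragments glued with '+': split-and-recombine strings.
  { name: 'string_splitting', re: /(?:['"][^'"\n]{1,4}['"]\s*\+\s*){4,}['"]/ },
  // A bare debugger statement (often inside a timer) is a common anti-debugging check.
  { name: 'anti_debug', re: /\bdebugger\b/ },
  // while(true){ switch(state) ... } is the skeleton control flow flattening leaves behind.
  { name: 'flattened_control_flow', re: /while\s*\(\s*(?:true|!0|1)\s*\)\s*\{\s*switch\s*\(/ },
  // Hex-style names such as _0x1a2b are typical obfuscator-generated identifiers (assumption).
  { name: 'random_identifiers', re: /\b_0x[0-9a-f]{4,}\b/ },
];

// Returns the names of every indicator present in one JavaScript source text.
function findIndicators(source) {
  return INDICATORS.filter(({ re }) => re.test(source)).map(({ name }) => name);
}

// Triage verdict: two or more independent indicators in a single file warrants a human look.
function triage(source, threshold = 2) {
  const hits = findIndicators(source);
  return { hits, suspicious: hits.length >= threshold };
}

// Constructed sample that mimics the listed techniques; it carries no real payload.
const OBFUSCATED_SAMPLE = `
var _0x4fa2 = "${'Q'.repeat(96)}==";
function _0x1b3c(s, k) { var o = ''; for (var i = 0; i < s.length; i++) o += String.fromCharCode(s.charCodeAt(i) ^ k); return o; }
var w = 'Me' + 'ta' + 'Ma' + 'sk' + '';
setInterval(function () { debugger; }, 500);
var st = 0; while (true) { switch (st) { case 0: st = 1; break; default: st = -1; } if (st < 0) break; }
`;

// Constructed clean sample: ordinary application code with none of the traits.
const CLEAN_SAMPLE = `
const fs = require('fs');
function readConfig(path) { return JSON.parse(fs.readFileSync(path, 'utf8')); }
module.exports = { readConfig };
`;

console.log('obfuscated:', triage(OBFUSCATED_SAMPLE));
console.log('clean:', triage(CLEAN_SAMPLE));
```

Heuristics like these only prioritise files for review; a legitimate minified bundle can trip one indicator, which is why the verdict requires several to coincide.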
Adapting Operations
In a display of increased sophistication, Lazarus Group has adapted its infrastructure to evade detection. The group now uses port 3000 for command-and-control communications, shifting from ports 1224 and 1245, and has transitioned to Node.js Express backends instead of React-based control panels.
SecurityScorecard’s SVP of threat research and intelligence, Ryan Sherstobitoff, emphasized the critical evolution of Lazarus Group’s supply chain attacks. He stressed the importance for organizations and developers to adopt proactive security measures, monitor supply chain activities, and integrate advanced threat intelligence solutions to combat sophisticated implant-based attacks orchestrated by threat actors like the Lazarus Group.
As cyber threats continue to evolve rapidly, vigilance and proactive security measures are essential to safeguard against malicious campaigns like Operation Marstech Mayhem.