North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, steal sensitive data, and maintain access to compromised environments. The actors have created new npm accounts and deployed malicious code across npm, GitHub, and Bitbucket. The expanded campaign includes 11 new packages with over 5,600 downloads, using hexadecimal string encoding to evade detection. The malware targets browser data, macOS keychain, and cryptocurrency wallets. The threat actors are diversifying their tactics, using multiple malware variants and obfuscation techniques to ensure resilience and evade detection. Author: AlienVault
Related Tags:
T1059.007
T1608.001
north korea
T1204.002
BeaverTail
InvisibleFerret
T1555.003
T1217
T1119
Associated Indicators:
http://m21gk.wiremockapi.cloud/g/api/880
https://mocki.io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b
185.153.182.241
144.172.87.27
45.61.151.71