North Korean Hackers Spread BeaverTail Malware Through Malicious npm Packages

A new wave of attacks from North Korean hackers has surfaced, targeting the software development community through malicious npm packages. These packages, associated with the ongoing Contagious Interview campaign, are designed to deliver the BeaverTail malware, as well as a newly discovered remote access trojan (RAT) loader. This campaign is part of a broader effort by the Lazarus Group to infiltrate systems, steal sensitive data, and maintain long-term access to compromised devices.
Obfuscation Techniques Used to Evade Detection
According to Socket security researcher Kirill Boychenko, these latest samples employ hexadecimal string encoding as an obfuscation technique, making them harder to detect by both automated systems and manual code audits. This update in the malware's evasion strategy shows a clear evolution in the threat actors' methods to bypass security measures.
Malicious Packages Masquerading as Developer Tools
The malicious npm packages were downloaded over 5,600 times before they were removed. Some of the dangerous packages included empty-array-validator, twitterapis, dev-debugger-vite, snore-log, core-pino, events-utils, icloud-cod, cln-logger, node-clog, consolidate-log, and consolidate-logger. These packages were intended to masquerade as legitimate utilities or debuggers but were in fact carrying the malicious payloads.
Stealing Data Through Fake Job Interviews
This disclosure follows a similar incident that occurred a month earlier when six npm packages were discovered spreading BeaverTail, a JavaScript stealer that also delivered a Python-based backdoor called InvisibleFerret. The ultimate goal of these attacks is to infiltrate developer systems under the guise of job interview processes. Once in, the malware steals sensitive information, siphons financial assets, and allows hackers to maintain persistent access to the compromised systems.
Links to Lazarus Group and Phantom Circuit Campaign
One notable package, dev-debugger-vite, used a command-and-control (C2) address that was previously flagged by SecurityScorecard as being associated with the Lazarus Group in a campaign named Phantom Circuit, which occurred in December 2024. Other packages, such as events-utils and icloud-cod, were found to be linked to Bitbucket repositories, diverging from the usual GitHub targets seen in earlier campaigns. This shift, along with the "eiwork_hire" directory found within the icloud-cod package, indicates that the attackers continue to use job interview-related tactics to activate the infection.
Multiple Variants to Maximize Infection Success
An analysis of some of the packages, including cln-logger, node-clog, consolidate-log, and consolidate-logger, revealed small variations in the code. These changes suggest that the threat actors are attempting to increase the success rate of their campaign by deploying multiple malware variants. Despite these differences, the embedded code across these four packages functions as a RAT loader capable of fetching and executing additional payloads from remote servers. At this stage, the exact nature of the malware being loaded remains unclear, as the C2 endpoints were no longer serving payloads when researchers investigated.
RAT Loader Enables Remote Control of Infected Systems
Boychenko described the malicious code as an active loader with RAT capabilities, using eval() to fetch and run remote JavaScript. This method allows the attackers to deploy any follow-up malware of their choosing, making the RAT loader a significant threat in itself.
Contagious Interview Campaign Shows No Signs of Slowing
These findings emphasize the persistence of the Contagious Interview campaign. The attackers have shown no signs of slowing down, continuing to create new npm accounts and deploy malicious code across various platforms like npm, GitHub, and Bitbucket. They have also diversified their tactics, publishing new malware under different aliases, using a mix of repositories, and leveraging well-known malware variants like BeaverTail and InvisibleFerret alongside newer RAT/loader variants.
Tropidoor Malware Emerges in Developer-Targeted Phishing Attacks
Meanwhile, South Korean cybersecurity company AhnLab has recently uncovered another aspect of the campaign. They identified a recruitment-themed phishing attack that delivers BeaverTail, which is then used to deploy a previously undocumented Windows backdoor called Tropidoor. This backdoor, delivered via an npm library hosted on Bitbucket, is capable of performing a wide range of malicious actions. Tropidoor can exfiltrate files, gather information about drives and files, run processes, capture screenshots, and even delete or overwrite files with NULL or junk data.
Advanced Capabilities Suggest Link to Known Lazarus Malware
AhnLab’s analysis found that Tropidoor operates in memory through a downloader and contacts a C2 server to receive instructions. The malware directly uses Windows commands such as schtasks, ping, and reg, which have also been observed in other Lazarus Group malware, such as LightlessCan. This connection further ties the current activity to the North Korean group, which is infamous for its use of sophisticated cyber espionage tactics.
Developers Urged to Stay Vigilant against Supply Chain Attacks
The latest revelations underscore the ongoing threat posed by the Lazarus Group and other APT actors. Developers and users alike need to exercise caution when downloading packages or opening files from unknown or suspicious sources. As these attacks continue to evolve, staying vigilant against phishing campaigns and inspecting dependencies for malicious code is crucial in protecting sensitive information from falling into the wrong hands.