
North Korea-Linked Lazarus Group Targets JavaScript Ecosystem, Cryptojackers Blackmail YouTubers: Latest Cybersecurity Threats Revealed

The Lazarus Group, a hacking conglomerate notorious for its ties to North Korea, has resurfaced, this time targeting the JavaScript ecosystem by planting malware in JavaScript packages to pilfer digital assets. According to Socket, a renowned code security platform, Lazarus has deployed six malicious packages aimed at npm (Node Package Manager), the tool used to install and manage JavaScript packages. The malware serves several purposes: it steals digital asset data and other confidential information, and it installs a backdoor for future exploitation.

As of last week, unsuspecting individuals had downloaded these tainted packages roughly 330 times. Lazarus designed the packages to imitate trusted libraries that developers have used for years, a tactic known as typosquatting. To further bolster their apparent legitimacy, the group maintains GitHub repositories for five of the six packages. Socket has since asked GitHub to remove these repositories.
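The near-miss naming the article describes can be caught before install by comparing dependency names against a trusted list. The check below is an added example, not code from the article, Socket, or any npm tool; the trusted list and the sample `dependencies` object are constructed.

```javascript
// Added example: flag dependency names that sit within a small edit distance
// of a well-known package name. TRUSTED and SAMPLE_DEPS are constructed.

// Classic Levenshtein edit distance, computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], becomes next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns [{ name, lookalikeOf, distance }] for every dependency that is not
// an exact trusted name but is within maxDistance edits of one.
function findLookalikes(dependencies, trustedNames, maxDistance = 2) {
  const trusted = new Set(trustedNames);
  const hits = [];
  for (const name of Object.keys(dependencies)) {
    if (trusted.has(name)) continue; // exact trusted name: nothing to flag
    // Compare the unscoped part, so "@acme/lodsh" is checked as "lodsh".
    const bare = name.includes("/") ? name.split("/")[1] : name;
    for (const t of trustedNames) {
      const d = editDistance(bare, t);
      if (d > 0 && d <= maxDistance) {
        hits.push({ name, lookalikeOf: t, distance: d });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample input: an approved-package list and a package.json
// "dependencies" object containing two near-miss names.
const TRUSTED = ["lodash", "express", "axios", "chalk"];
const SAMPLE_DEPS = { lodash: "^4.17.21", expresss: "^4.18.0", axois: "^1.6.0", react: "^18.2.0" };

console.log(findLookalikes(SAMPLE_DEPS, TRUSTED));
```

In practice the trusted list would be the organisation's approved dependencies, and a hit should block the install pending manual review rather than merely log.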

Although attributing this malware to Lazarus with absolute certainty is challenging, the Socket team believes that the similarities in obfuscation techniques, script functionality, command-and-control mechanisms, and data theft techniques to those seen in previous Lazarus attacks are too striking to ignore.

The malware, once installed, sifts through browser profiles on Chrome, Firefox, and Brave, and keychain archives on macOS, extracting sensitive files such as login data. It also targets digital asset wallets, particularly Exodus wallets and applications based on Solana. This is not a novel strategy for Lazarus, which has previously used similar tactics to infiltrate both personal and corporate networks, draining their digital asset wallets. Notably, they were credited with the $1.4 billion hack of the popular exchange Bybit, the largest digital asset theft to date.

Meanwhile, a separate report from cybersecurity firm Kaspersky reveals a worrying trend: cybercriminals are blackmailing YouTubers into promoting cryptojacking malware in their video descriptions. The criminals exploit demand for tools that bypass geo-restrictions and internet blocks, a demand that has grown as governments such as those of Russia and China impose internet restrictions. Over the past six months, Kaspersky has detected more than 2.4 million drivers related to these bypassing tools.

Now these attackers are blackmailing YouTubers to gain a wider reach. In one case, a YouTuber with over 60,000 subscribers had their videos reported for alleged copyright infringement. The attackers then offered to withdraw their complaint if the YouTuber agreed to include a link to the attackers’ resources in their video descriptions. Unbeknownst to the YouTuber, this link led to a malicious website containing cryptojacking malware and other stealers.

The cryptojacking malware is based on XMRig, an open-source miner that criminals have long abused to mine digital assets on victims’ PCs. Although cryptojacking is not as widespread as it once was, it continues to pose a significant threat, with one cryptojacking strain recently infecting over 750,000 unique digital asset addresses. As these threats persist, cybersecurity fundamentals matter more than ever in today’s digital age.