GitHub Developers Targeted by North Korea’s Lazarus Group

The notorious Lazarus Group is behind a social engineering campaign that uses repository invitations and malicious npm packages to target developers on the GitHub platform, according to the Microsoft-owned organization.

In a warning this week, Alexis Wales, vice president of security operations at GitHub, wrote that the North Korean-sponsored group – which also is known as Jade Sleet (by Microsoft) and TraderTraitor (by the U.S. Cybersecurity and Infrastructure Agency, or CISA) – is attacking developers in such industries as cryptocurrency, blockchain, online gambling and cybersecurity.

Lazarus has a history of high-profile attacks in the crypto and blockchain sectors. It was behind the theft of $620 million in crypto assets from the decentralized finance (DeFi) platform used by Sky Mavis’ Axie Infinity video game and it is believed to be responsible for the theft of $100 million from Horizon Bridge, a cross-chain service for transferring assets between Horizon developer Harmony’s blockchain and those of others.

More recently, blockchain analysis group Elliptic said Lazarus likely was responsible for stealing $35 million in cryptocurrency last month from Atomic Wallet, an app for managing crypto on Windows, macOS and Linux distributions and mobile devices running iOS and Android.

“Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms,” Wales wrote.

For several years, CISA has issued warnings and advisories about Lazarus and its operations, noting that North Korea uses cyberattacks to collect information for espionage purposes, run attacks and pull in money for various government initiatives, including its controversial nuclear weapons program.

Fake Personas on Social Media

According to Wales, the social engineering campaign involves Lazarus creating fake persona accounts on GitHub and other social media sites, including LinkedIn, Slack and Telegram, with the threat actors impersonating a developer or recruiter.

“In some cases, these are fake personas; in other cases, they use legitimate accounts that have been taken over by Jade Sleet,” she wrote. “The actor may initiate contact on one platform and then attempt to move the conversation to another platform.”

Once they’ve made contact with one of their targets, they ask the victim to collaborate on a public or private GitHub repository that includes media players and cryptocurrency trading tools. They ask the developer to clone and execute the repository’s contents, which contain malicious npm dependencies.

“The malicious npm packages act as first-stage malware that downloads and executes second-stage malware on the victim’s machine,” Wales wrote.

She pointed to a report from last month by cybersecurity firm Phylum Security that dove deeper into the malicious npm packages. According to the company’s researchers, the packages come in pairs, and the order they’re installed in is important.

“The first package will fetch a token from one of several potential remote servers and store it within a subdirectory of the user’s home directory,” they wrote. “Subsequently, the second package utilizes this token to acquire another script from the remote server.

“Given this workflow, it’s crucial that each package in a pair is executed sequentially, in the correct order, and on the same machine to ensure successful operation.”

They wrote that the campaign is being run by a “reasonably sophisticated supply chain threat actor.” The attack chain includes not only the need for the two packages to be installed in a particular order but that the malicious components are hidden, stored on their servers and dispatched during the attack.

A Disciplined Attack

Wales said Phylum’s research mirrors GitHub’s, noting that the attackers often won’t publish the malicious packages until they put out the invitation to the victim of a fraudulent repository, which keeps the possibility of the package being scrutinized low. Sometimes they’ll deliver the malware directly on a messaging for the file-sharing platform, going around the need for a repository invitation or cloning.

This is only the latest example of threat groups targeting a code repository as part of a software supply-chain attack. By placing malicious code onto GitHub, NPM, PyPI or similar platforms, the attackers create the possibility that a developer will use it in their software, which can affect organizations downstream that run those applications.

Wales wrote that GitHub suspected npm and GitHub accounts associated with the campaign and filed abuse reports with the hosts of domains that were still available when the campaign was detected. She also noted that no GitHub or npm systems were compromised in the campaign.

In addition, the company listed indicators of compromise at the bottom of her blog.

Avatar photo

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.

jeffrey-burt has 334 posts and counting.See all posts by jeffrey-burt