The North Korea-linked threat actor known as Moonstone Sleet has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of their campaigns.
The packages in question, harthat-api and harthat-hash, were published on July 7, 2024, according to Datadog Security Labs. Both the libraries did not attract any downloads and were shortly pulled after a short period of time.
The security arm of the cloud monitoring firm is tracking the threat actor under the name Stressed Pungsan, which exhibits overlaps with a newly discovered North Korean malicious activity cluster dubbed Moonstone Sleet.
“While the name resembles the Hardhat npm package (an Ethereum development utility), its content does not indicate any intention to typosquat it,” Datadog researchers Sebastian Obregoso and Zack Allen said. “The malicious package reuses code from a well-known GitHub repository called node-config with over 6,000 stars and 500 forks, known in npm as config.”
Attack chains orchestrated by the adversarial collective are known to disseminate bogus ZIP archive files via LinkedIn under a fake company name or freelancing websites, enticing prospective targets into executing payloads that invoke an npm package as part of a supposed technical skills assessment.
“When loaded, the malicious package used curl to connect to an actor-controlled IP and drop additional malicious payloads like SplitLoader,” Microsoft noted in May 2024. “In another incident, Moonstone Sleet delivered a malicious npm loader which led to credential theft from LSASS.”
Subsequent findings from Checkmarx uncovered that Moonstone Sleet has also been attempting to spread their packages through the npm registry.
The newly discovered packages are designed to run a pre-install script specified in the package.json file, which, in turn, checks if it’s running on a Windows system (“Windows_NT”), after which it contacts an external server (“142.111.77[.]196”) to download a DLL file that’s side loading using the rundll32.exe binary.
The rogue DLL, for its part, does not perform any malicious actions, suggesting either a trial run of its payload delivery infrastructure or that it was inadvertently pushed to the registry before embedding malicious code into it.
The development comes as South Korea’s National Cyber Security Center (NCSC) warned of cyber attacks mounted by North Korean threat groups tracked as Andariel and Kimsuky to deliver malware families such as Dora RAT and TrollAgent (aka Troll Stealer) as part of intrusion campaigns aimed at construction and machinery sectors in the country.
The Dora RAT attack sequence is noteworthy for the fact that the Andariel hackers exploited vulnerabilities in a domestic VPN software’s software update mechanism to propagate the malware.