North Korea Ups the Ante: Multi-Stage Python Malware Attacks Target Developers Globally

Recent reports have shed light on a cybersecurity threat originating from North Korea, with potential risks extending to countries like Bangladesh. A North Korean threat actor has been using malicious NPM packages to distribute malware, targeting developers and other unsuspecting victims globally. While the initial reports focused on that delivery method, follow-up investigations have examined the second- and third-stage malware the packages fetch, giving a clearer picture of how this campaign is evolving.

Key sources such as Phylum and Palo Alto Networks' Unit 42 have been instrumental in tracking and analyzing these attacks, offering valuable information to the cybersecurity community. What is particularly notable is the apparent shift toward Python scripts alongside or instead of malicious DLLs. Python stages are easy to modify between campaigns and blend in on a developer workstation, where a Python interpreter is expected to be present, which makes the activity harder to spot than a dropped native binary.

Looking at the technical details reveals a multi-stage process. The main Python script, typically delivered by a malicious node package, serves as the backbone of the deployment. Once decoded, it exposes the functions responsible for downloading and executing the later stages, which include a browser data-stealing component and a backdoor.

[Figure: browser stealing code]

The browser data-stealing module, carried in an encoded Python script named brow_[campaign ID].py, is built to extract sensitive information (saved credentials and similar browser-stored data) from several web browsers. Its capabilities span different operating systems, indicating a deliberate effort to reach as many victims as possible.

The payload script, pay_[campaign ID].py, consists of two obfuscated components. The first acts as a triage mechanism: it collects basic device information and sends it to the command-and-control (C2) server so the operators can decide which victims are worth pursuing. The second contains the bulk of the backdoor functionality. It maintains a connection to the C2 servers and executes operator commands prefixed with "ssh", including terminating browsers (presumably so their data files can be read), running command-line commands, and downloading additional payloads.

The threat actors also use further Python scripts, named any_[campaign ID] or "adc", to download and install remote desktop software such as AnyDesk, giving them interactive access to compromised systems beyond what the backdoor provides.
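The chain described above leaves two cheap-to-check traces on a developer workstation: an npm lifecycle hook that launches Python or a .py file, and stage files whose names follow the brow_/pay_/any_/adc pattern. The following hunting script is an added example written for this page, not code from Phylum, Unit 42 or the campaign itself. The package names, campaign ID and hook command in the constructed sample tree are hypothetical; only the file-naming pattern and the npm-to-Python delivery step come from the reporting summarized above.

```python
"""Hunt for the npm-to-Python staging pattern described in the article.

Two checks are implemented:
  1. npm lifecycle hooks (preinstall/install/postinstall) that invoke Python,
     reference a .py file, or decode/download data.
  2. files whose names match the stage naming scheme reported for this
     campaign: brow_<id>.py, pay_<id>.py, any_<id>(.py), adc(.py).
"""
import json
import os
import re
import shutil
import tempfile

# Stage naming scheme taken from the article; the campaign ID itself is unknown,
# so any alphanumeric run is accepted.
STAGE_NAME_RE = re.compile(
    r"^(?:brow|pay|any)_[A-Za-z0-9]+(?:\.py)?$|^adc(?:\.py)?$"
)
HOOKS = ("preinstall", "install", "postinstall")
SUSPICIOUS_HOOK_RE = re.compile(
    r"\b(?:python3?|base64|curl|wget)\b|\.py\b", re.IGNORECASE
)


def scan_package_json(path):
    """Return findings for install-time hooks in one package.json."""
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    scripts = data.get("scripts")
    if not isinstance(scripts, dict):
        return []
    return [
        {"type": "lifecycle_hook", "path": path, "hook": hook, "command": cmd}
        for hook, cmd in scripts.items()
        if hook in HOOKS and isinstance(cmd, str) and SUSPICIOUS_HOOK_RE.search(cmd)
    ]


def scan_tree(root):
    """Walk a directory (e.g. a project's node_modules) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == "package.json":
                try:
                    findings.extend(scan_package_json(full))
                except (ValueError, OSError):
                    continue  # unreadable or malformed manifest; skip
            elif STAGE_NAME_RE.match(name):
                findings.append({"type": "stage_filename", "path": full, "name": name})
    return findings


def build_sample_tree(root):
    """Constructed sample: one hypothetical bad package and one benign package."""
    bad = os.path.join(root, "node_modules", "example-bad-pkg")  # hypothetical name
    os.makedirs(bad)
    with open(os.path.join(bad, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "example-bad-pkg", "version": "1.0.0",
                   # hypothetical hook: runs the payload stage right after install
                   "scripts": {"postinstall": "node index.js && python3 pay_1234.py"}}, f)
    for name in ("brow_1234.py", "pay_1234.py", "any_1234.py", "adc"):  # 1234 = made-up ID
        open(os.path.join(bad, name), "w").close()

    good = os.path.join(root, "node_modules", "example-good-pkg")  # hypothetical name
    os.makedirs(good)
    with open(os.path.join(good, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "example-good-pkg", "version": "2.0.0",
                   "scripts": {"test": "mocha", "postinstall": "node-gyp rebuild"}}, f)
    open(os.path.join(good, "index.js"), "w").close()


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="npm-hunt-")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real checkout with `scan_tree("node_modules")`. Hook scanning is the more useful of the two checks in practice: install-time hooks that spawn an interpreter are rare in legitimate packages and are exactly the point at which this chain gets its first execution, whereas the filename pattern is trivial for the operators to change between campaigns.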

The individual techniques are not novel, but the chain as a whole is effective at getting a foothold on developer machines and harvesting credentials, which underscores the need for concrete defensive measures. Organizations and individuals, including those in Bangladesh, should treat dependency installation as a point of exposure: review the install-time lifecycle scripts of new npm packages before adding them, be suspicious of a node or npm process spawning a Python interpreter, and investigate any unexpected installation of remote desktop software such as AnyDesk.

This evolving threat landscape underscores the importance of continuous monitoring, threat intelligence sharing, and sound security practices. By staying informed and applying the measures above, individuals and organizations can reduce the risk posed by this campaign and others that follow its pattern, and protect their systems and data in an increasingly interconnected world.
