In a recent analysis of package scanning within the Python Package Index (PyPi) and npm, GuardDog software has successfully identified two malicious packages associated with a North Korean threat actor group known as “Stressed Pungsan.” This cluster of activity exhibits strong ties to Microsoft’s MOONSTONE SLEET, indicating a sophisticated approach to supply chain attacks.
Malicious Packages Uncovered
The identified packages serve as initial access points for malware distribution, facilitating data exfiltration, credential theft, and lateral movement within compromised environments. On July 7, 2024, an npm user by the name of nagasiren978 uploaded two packages, harthat-hash and harthat-api, which were designed to download additional malware from a suspected North Korean command and control (C2) server.
This server is responsible for distributing malicious batch scripts, with a particular focus on Windows systems, aligning with the tactics employed by the MOONSTONE SLEET threat actor group. The two npm packages exhibit similar malicious behavior, utilizing a pre-install script that downloads a harmful DLL from a remote server, executes it via rundll32, and subsequently self-destructs.
Both packages share nearly identical structures, differing only by a unique identifier in the download URL. The harthat-api package masquerades as the legitimate Hardhat package, employing similar naming conventions to deceive users. Despite originating from the reputable node-config repository, the malicious package modifies the package.json file to eliminate the preinstall script and rename itself to config.
Additionally, the package includes two unexplained files, deference.js and pk.json, whose functions remain outside the scope of this analysis. The preinstall script is particularly insidious, downloading a DLL disguised as a temporary file, renaming it to “package.db,” and executing it through the “rundll32” system utility.
Evading Detection
This method, referred to as “System Binary Proxy Execution,” aims to evade detection by cleaning up after itself—deleting the downloaded DLL and restoring the original package.json file to obscure its malicious activities.
The Datadog Security Research team’s examination of the malicious DLL revealed a seemingly innocuous binary with no overtly harmful functionality. It exported two functions, one of which, GenerateKeyW, is anticipated to harbor malicious code. However, both static and dynamic analyses failed to reveal any self-modification or harmful behavior within the DLL.
The lack of discernible malicious code raises questions about the DLL’s purpose, suggesting it may be an incomplete version or a testing iteration, indicating that the threat actor could be experimenting with their operational infrastructure.
Indicators of Compromise
In a recent incident, threat actors managed to compromise targets through the malicious npm packages harthat-api-v1.3.1.zip and harthat-hash-v1.3.3.zip, which likely contained content designed to appear legitimate. The malicious payloads were traced back to the IP address 142.111.77.196. Potential indicators of compromise (IOCs) include the filenames Temp.b (also known as package.db) and its SHA256 hash, d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277.