The Lazarus advanced persistent threat (APT) group, known for its state-sponsored cyberattacks, has recently launched a new impersonation scam targeting tech employees. The group is posing as developers or recruiters with legitimate GitHub or social media accounts to carry out social engineering attacks. Researchers have discovered compromised or fake accounts connected to a “low-volume social engineering campaign” on platforms such as LinkedIn, Slack, Telegram, and GitHub.
The Lazarus APT group, believed to be operated by North Korea’s Foreign Intelligence and Reconnaissance Bureau, has been active since 2009. They are known for conducting financially motivated attacks and cyber espionage operations. In this latest campaign, the group is targeting developers working in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors.
The main objective of the campaign is to trick victims into cloning and executing the contents of a GitHub repository that contains malware. The attackers initiate contact on one platform and then attempt to move the conversation to another platform. They use both fake personae and compromised legitimate accounts to deceive their targets.
Lazarus has a history of using a wide range of malware and shifting its tactics to achieve its goals. In this campaign the group is using npm packages, which have become a popular vehicle for threat actors because a single package can be pulled into many applications as a dependency. The malicious packages act as first-stage malware that downloads and executes a second stage on the victim’s machine.
GitHub, the platform where the campaign was discovered, has taken action to mitigate the threat. They have suspended the npm and GitHub accounts associated with the campaign and published indicators of compromise (IoCs) in a blog post. GitHub has also filed abuse reports with domain hosts where applicable.
Anyone targeted by the campaign can take steps to protect themselves. They should review their security logs for action:repo.add_member events and, if they have accepted an invite from one of the identified accounts, contact their employer’s cybersecurity department. Any developer who has executed content as a result of the campaign is advised to reset or wipe potentially affected devices, change account passwords, and rotate any sensitive credentials or tokens stored on those devices.
Developers should be cautious of social media solicitations to collaborate on or install npm packages, especially developers working in the targeted sectors. They should examine dependencies and installation scripts, and pay particular attention to recently published packages or scripts and to dependencies that establish network connections during installation.
Overall, the Lazarus APT group’s latest campaign highlights the importance of staying vigilant against social engineering attacks and being cautious when interacting with unknown or suspicious accounts. By following best practices and taking necessary security measures, individuals and organizations can better protect themselves from advanced cyber threats.
