A group of more than two dozen malicious npm packages used to steal secrets and credentials from software developers has all the hallmarks – from infrastructure to operations – of Famous Chollima, the North Korean nation-state actor linked to the ongoing high-profile Contagious Interview scam.
Threat researchers with Socket and Kieran Miyamoto of the DPRK Research blog detected the campaign – dubbed “StegaBin” due to its use of Pastebin steganography, a communication technique used by attackers to hide malicious information – late last month, noting that the malicious packages were added to the npm repositories over two days in the last week of February.
“The packages use a Pastebin-based dead-drop resolver that hides C2 infrastructure inside seemingly benign text using character-level steganography,” Socket threat researchers Philipp Burckhardt and Peter van der Zee wrote in a report, noting that the infrastructure for the campaign was hosted on 31 Vercel deployments. “The infection chain retrieves platform-specific shell payloads that ultimately install a Remote Access Trojan (RAT) and automatically deploys a nine-module infostealer toolkit.”
The modules are used to directly target developer environments, such as VSCode configuration, SSH keys, git repositories, browser credential stores, clipboard data, and locally stored secrets, Burckhardt and van der Zee wrote.
Tracking Famous Chollima
Socket researchers over the past year have tracked Famous Chollima – suspected of being a subset of the notorious Lazarus Group that is run by the Democratic People’s Republic of Korea (DPRK) – and its use of malicious npm packages as part of its ever-evolving Contagious Interview campaign, which has been going on for three years and targets developers with fake job interviews and test projects.
In StegaBin, the 26 repositories are typosquats of popular npm libraries – they’re given names that closely resemble and can be mistaken for legitimate repositories – and the “-lint” suffix in eight of the 26 makes them appear to be developer tools. Fifteen of the accounts are clustered into three personas – christopher.smith.*47, andrew.*walker*, and joni* – with the other 11 on their own.
The packages each include an install script, which contains both decoy functions to camouflage its presence and the real payload that is designed to blend in as a copy of the legitimate script.
Typosquatting, Obfuscation
The researchers pointed out that the bad actors make a point of declaring the legitimate packages that they’re typosquatting as a dependency, a move that likely has two purposes. The first is to add the air of legitimacy to the structure of the package; the second to delay discovery.
“By proxying the legitimate package into the environment, a victim’s project might still compile and run normally after an accidental installation,” Burckhardt and van der Zee wrote. “Because the application doesn’t immediately break, the developer remains unaware of the mistake while the malicious install script executes the infection chain in the background.”
The malicious payload is heavily obfuscated through RC4 string encryption, array rotation, self-defending anti-debug, and control flow flattening, they added. The core logic includes three hardcoded Pastebin URLs that are used as a fallback chain, and the pastes contain what seems to be a benign essay about computer science.
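As an added illustration of the dependency review the researchers call for (this is example code written for this article, not Socket’s tooling or anything from the campaign), the following Node.js script audits a package manifest for the three traits described above: an install-time lifecycle script, a dependency whose name is a near-match of the package’s own name (the pattern of proxying the legitimate package so the victim’s project keeps working), and hardcoded pastebin.com URLs in the package’s files. The package names, manifest and file contents are constructed placeholders, not the real StegaBin packages.

```javascript
// Added example (not Socket's or the campaign's code): pre-install triage of an
// npm package for the StegaBin-style traits the article describes.
// All names, manifests and file contents below are constructed for illustration.

// Plain Levenshtein edit distance, used to spot typosquat-style near-matches.
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Drop an npm scope and a trailing "-lint" (the suffix the article says eight of
// the packages used to look like developer tools) before comparing names.
function baseName(name) {
  return name.replace(/^@[^/]+\//, '').replace(/-lint$/, '');
}

// Lifecycle hooks that execute code at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns a list of findings; an empty list means none of the three traits was seen.
function auditPackage(manifest, files = {}) {
  const findings = [];

  // 1. Install-time scripts: the article's packages each carried an install script.
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
  }

  // 2. A dependency whose name is within two edits of the package's own name:
  //    the "declare the typosquatted package as a dependency" pattern.
  const deps = Object.keys({ ...(manifest.dependencies || {}), ...(manifest.optionalDependencies || {}) });
  const self = baseName(manifest.name || '');
  for (const dep of deps) {
    const d = levenshtein(self, baseName(dep));
    if (dep !== manifest.name && d <= 2) {
      findings.push({ kind: 'near-name-dependency', detail: `${manifest.name} depends on ${dep} (distance ${d})` });
    }
  }

  // 3. Hardcoded pastebin.com URLs in shipped files (dead-drop resolver indicator).
  for (const [path, content] of Object.entries(files)) {
    const urls = content.match(/https?:\/\/(?:www\.)?pastebin\.com\/[\w/.-]+/g) || [];
    for (const u of urls) findings.push({ kind: 'pastebin-url', detail: `${path}: ${u}` });
  }
  return findings;
}

// Constructed sample: an invented package that mimics the traits, depending on an
// invented "legitimate" package it is one transposition away from.
const sampleManifest = {
  name: 'exampel-parser-lint',
  version: '1.0.3',
  dependencies: { 'example-parser': '^4.0.0' },
  scripts: { postinstall: 'node setup.js' },
};
const sampleFiles = {
  'setup.js':
    "// decoy helpers ...\nconst u=['https://pastebin.com/raw/PLACEHOLDER1','https://pastebin.com/raw/PLACEHOLDER2'];",
};

function runDemo() {
  const findings = auditPackage(sampleManifest, sampleFiles);
  for (const f of findings) console.log(`[${f.kind}] ${f.detail}`);
  return findings;
}

runDemo();
```

These are triage signals, not verdicts: a legitimate wrapper that depends on the package it extends will also trip the near-name check, so flagged packages should be read by hand. Independently of any scanner, running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops the lifecycle hooks themselves from executing, which is the step in the chain that launches the infection here.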
RATs, Stealers, and Scanners
However, the payload can decode the text steganography: the decoder scans the text for specific characters that, taken together, spell out the names of command-and-control (C2) domains.
From there, the malware pulls in platform-specific payloads for a range of operating environments, such as Linux, Windows, and macOS. The shell script used for this also pulls in a remote access trojan (RAT).
Once connected, the C2 deploys a nine-module infostealer toolkit, with modules containing a keylogger, mouse tracker, and clipboard stealer, a Python-based browser stealer, another obfuscated stealer, a TruffleHog scanner, and a StegaBin loader. Other modules are used to exfiltrate cryptocurrency, steal information, and establish VSCode persistence.
The modules provide significant capabilities. The keylogger-mouse tracker-clipboard stealer also includes active window title tracking, encrypted local storage, and periodic exfiltration, while the crypto wallet stealer targets five browsers – Chrome, Brave, Firefox, Opera, and Microsoft Edge – across all three operating systems.
There are two RATs that exfiltrate files, while another module can collect all files from an SSH directory and read all stored Git credentials.
Similar to Contagious Interview
StegaBin is essentially another iteration of the techniques used by Famous Chollima in the Contagious Interview campaign. However, there are differences.
“While previous waves of the Contagious Interview campaign relied on relatively straightforward malicious scripts and Bitbucket-hosted payloads, this latest iteration demonstrates a concerted effort to bypass both automated detection and human review,” Burckhardt and van der Zee wrote. “The use of character-level steganography on Pastebin and multi-stage Vercel routing point to an adversary that is refining its evasion techniques and attempting to make its operations more resilient.”
They also pointed to the presence of Hardhat, an Ethereum development environment, in the infection chain, an indication that “cryptocurrency and Web3 developers remain the primary targets of this North Korean cluster.”
“Given the sophistication of this attack and its direct targeting of the developer workspace, organizations must remain vigilant,” they wrote. “Developers should carefully review dependencies and not install untrusted packages blindly.”