# Full Report
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK).
# Analysis Summary
# Threat Actor: Famous Chollima
## Attribution & Identity
* **Attribution:** Threat group allegedly aligned with North Korea (DPRK).
* **Associations:** Described as a subgroup of the Lazarus threat actor group.
* **Aliases/Associated Tools:** Primarily associated with the evolution and merging of malware families known as BeaverTail and OtterCookie. Also linked to GolangGhost and PylangGhost in related operations.
## Activity Summary
* **Campaign Name:** Associated with "Contagious Interview" (also known as Deceptive Development).
* **Modus Operandi:** Impersonates hiring organizations and uses social engineering techniques (e.g., fake job offers/interviews) to trick job seekers into installing malicious software.
* **Recent Incident:** A system at an organization headquartered in Sri Lanka was infected after a user was deceived by a fake job offer requiring the installation of a trojanized Node.js application named "Chessfi."
* **Distribution Vector:** Malicious software distributed via a Node.js package named "node-nvm-ssh" on the official NPM repository.
* **Tool Evolution:** BeaverTail and OtterCookie functionalities are merging, with the introduction of new modules.
* **Exploratory Activity:** Discovery of a malicious VS Code extension containing BeaverTail/OtterCookie code, suggesting testing of new delivery methods.
## Tactics, Techniques & Procedures
* **Social Engineering:** Impersonating hiring organizations/recruiters; utilizing fake employment websites and ClickFix social engineering.
* **Initial Access/Delivery:** Distribution via malicious packages on public repositories (NPM: "node-nvm-ssh"). A malicious VS Code extension carrying the same code was also discovered, indicating a delivery vector under test.
* **Execution:** Deployment of trojanized Node.js applications (e.g., "Chessfi").
* **Persistence/Evasion:** Malicious code blends functionality of BeaverTail and OtterCookie.
* **Data Exfiltration/Espionage (New Module):**
  * Keylogging (using the "node-global-key-listener" package).
  * Periodic desktop screenshotting (using "screenshot-desktop"), with screenshots converted using "sharp."
  * Keystrokes saved to `%TEMP%\windows-cache\1.tmp`.
  * Screenshots saved to `%TEMP%\windows-cache\2.jpeg`.
* **Other Related Payloads:** InvisibleFerret (a Python-based modular payload) is used in concurrent activity.
## Targeting
* **Sectors:** Appears to target job seekers in the technology sector, leading to compromise of organizations where these individuals work.
* **Geography:** One identified campaign infected a system in an organization headquartered in Sri Lanka.
* **Victims:** Job seekers tricked into installing malware; organizations hosting these infected users.
## Tools & Infrastructure
* **Malware Families Used:** BeaverTail, OtterCookie (with new keylogging/screenshotting module), InvisibleFerret (mentioned contextually).
* **Trojanized Applications:** "Chessfi" (Node.js application).
* **Infrastructure (C2 URLs - Defanged):**
* **Download URLs (Mentioned):**
  * hxxps[://]www[.]npmjs[.]com/package/node-nvm-ssh
  * hxxps[://]bitbucket[.]org/dev-chess/chess-frontend[.]git
## Implications
Famous Chollima continues to demonstrate adaptability by merging existing toolsets (BeaverTail/OtterCookie) and incorporating new espionage capabilities like dedicated keylogging and screenshotting modules. Their focus on supply chain compromise via legitimate developer repositories (NPM) and development tools (VS Code extensions) suggests an evolving technique designed to exploit trust within the software development ecosystem for credential theft and cryptocurrency objectives related to DPRK economic gain.
## Mitigations
* **Software Repository Security:** Strict vetting and scanning of dependencies pulled from public repositories like NPM.
* **Endpoint Detection:** Monitoring for file creation in user temporary directories, specifically the pattern of `.tmp` and `.jpeg` files created rapidly alongside execution of unknown Node.js processes.
* **Eavesdropping Detection:** Deploying defenses capable of detecting process behavior indicative of keylogging (monitoring keyboard/mouse events) and regular screen capturing.
* **Development Tool Security:** Implement controls or scanning specifically targeting malicious extensions installed in IDE environments like VS Code.
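The endpoint detection idea above, written out as an added example (not code from Talos or from the report): it correlates constructed file-creation events, in a Sysmon Event ID 11-like shape, and flags a Node.js process that drops both a `.tmp` and a `.jpeg` under `%TEMP%` within a short window, raising confidence when the `windows-cache` directory named in the report is used. Event field names, timestamps and paths are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-creation events (not real telemetry); fields mimic Sysmon Event ID 11.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:01", "pid": 4120, "image": r"C:\Program Files\nodejs\node.exe",
     "target": r"C:\Users\dev\AppData\Local\Temp\windows-cache\1.tmp"},
    {"ts": "2025-01-10T09:00:04", "pid": 4120, "image": r"C:\Program Files\nodejs\node.exe",
     "target": r"C:\Users\dev\AppData\Local\Temp\windows-cache\2.jpeg"},
    {"ts": "2025-01-10T09:05:00", "pid": 1000, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\dev\AppData\Local\Temp\setup.tmp"},
    {"ts": "2025-01-10T09:10:00", "pid": 5555, "image": r"C:\Program Files\nodejs\node.exe",
     "target": r"C:\Users\dev\project\dist\bundle.js"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)  # default %TEMP% location
ARTIFACT = re.compile(r"\.(tmp|jpeg)$", re.IGNORECASE)              # the two artifact types
KNOWN_DIR = re.compile(r"\\windows-cache\\", re.IGNORECASE)         # directory named in the report

def find_suspicious(events, window=timedelta(seconds=30)):
    """Flag node.exe processes creating both a .tmp and a .jpeg under %TEMP% within `window`."""
    per_pid = defaultdict(list)
    for ev in events:
        if not ev["image"].lower().endswith("node.exe"):
            continue
        if TEMP_DIR.search(ev["target"]) and ARTIFACT.search(ev["target"]):
            per_pid[ev["pid"]].append(ev)
    hits = []
    for pid, evs in per_pid.items():
        times = sorted(datetime.fromisoformat(e["ts"]) for e in evs)
        exts = {ARTIFACT.search(e["target"]).group(1).lower() for e in evs}
        # Require both artifact types and the whole burst to fit inside the window.
        if {"tmp", "jpeg"} <= exts and times[-1] - times[0] <= window:
            hits.append({
                "pid": pid,
                "files": sorted(e["target"] for e in evs),
                # Higher confidence when the exact directory from the report is used.
                "known_path": any(KNOWN_DIR.search(e["target"]) for e in evs),
            })
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

The same two events spread far apart in time are not flagged, so the window is what separates a build writing temp files from the keylog/screenshot cadence the report describes.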