Full Report
The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to the North Korean threat actor, Lazarus Group. Associated with profiles/identities used in the delivery mechanism, such as the GitHub profile "SuccessFriend."
## Activity Summary
Lazarus Group is currently executing targeted attacks dubbed **"Marstech Mayhem"** against developers. These attacks involve deploying a previously undocumented JavaScript implant named **Marstech1**. The malware was distributed via an open-source code repository on GitHub associated with the "SuccessFriend" profile. The activity showcasing the implant first emerged in late December 2024. The campaign has resulted in 233 confirmed victims.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Implanting the Marstech1 JavaScript in open-source NPM packages related to cryptocurrency projects.
- **Repository-Based Distribution:** Committing both obfuscated and pre-obfuscated payloads to various GitHub repositories.
- **Evasion Techniques:** Employing layered obfuscation, including control flow flattening and dynamic variable renaming in JavaScript, and multi-stage XOR decryption in Python.
- **System Configuration Modification:** Searching Chromium-based browser directories across different operating systems to alter extension-related settings, specifically targeting settings relevant to the MetaMask cryptocurrency wallet.
- **Staged Payloads:** Capable of downloading additional payloads from the C2 infrastructure.
## Targeting
- **Sectors:** Cryptocurrency space (market-making companies, software development companies, potentially developers generally).
- **Geography:** U.S., Europe, and Asia (across 233 confirmed victims).
- **Victims:** Developers, targeted through their development pipelines (GitHub, NPM). Targeted cryptocurrency wallets include MetaMask, Exodus, and Atomic.
## Tools & Infrastructure
- **Malware families used:** Marstech1 (JavaScript implant), Python components (used for multi-stage XOR decryption).
- **Infrastructure (C2, domains, IPs):**
  - C2 Server 1 (data collection / initial payload): `74.119.194[.]129:3000/j/marstech1`
  - C2 Server 2 (additional payload download): `74.119.194[.]129:3001`
  - Exfiltration endpoint: `74.119.194[.]129:3000/uploads`
## Implications
This campaign highlights Lazarus Group's continued and evolving interest in the cryptocurrency ecosystem, moving beyond traditional financial theft to target developers and the software supply chain. The focus on modifying browser extension settings for major wallets (MetaMask, Exodus, Atomic) represents a sophisticated credential/asset theft attempt. The use of advanced obfuscation suggests a dedicated effort to evade current detection mechanisms.
## Mitigations
- Implement strict validation and security scanning for all third-party and open-source dependencies, especially within cryptocurrency development projects.
- Monitor and restrict changes to browser extension configurations, particularly those associated with cryptocurrency wallets.
- Employ network filtering to prevent connections to known C2 infrastructure used by this actor.
- Continuously analyze code repositories (like GitHub) for suspicious commits or profiles publishing preparatory code, as seen with the "SuccessFriend" profile.
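The second mitigation above (monitoring changes to wallet-extension settings, the behaviour described under System Configuration Modification) can be implemented as a baseline-vs-current diff of a Chromium profile's `Preferences` JSON. This is an added defensive example, not code from the report or from SecurityScorecard; the `extensions.settings.<id>` layout and the extension IDs are assumptions, with placeholder IDs standing in for the real Web Store IDs of the named wallets.

```python
"""Flag changes to wallet-extension entries in a Chromium profile's Preferences file."""
import json
from typing import Dict, List

# Assumption: placeholder IDs standing in for the real Web Store IDs of the wallets named in the report.
WATCHED_EXTENSIONS = {
    "metamask-id-placeholder": "MetaMask",
    "exodus-id-placeholder": "Exodus",
    "atomic-id-placeholder": "Atomic",
}
# Keys whose change most directly indicates the extension was swapped out or re-pointed.
HIGH_RISK_KEYS = ("path", "from_webstore", "manifest", "state")


def extension_settings(prefs: dict) -> dict:
    """Return the per-extension settings map from a parsed Preferences document (assumed layout)."""
    return prefs.get("extensions", {}).get("settings", {})


def find_tampering(baseline: dict, current: dict) -> Dict[str, List[str]]:
    """Compare two parsed Preferences documents; return findings keyed by wallet name."""
    findings: Dict[str, List[str]] = {}
    base_ext, cur_ext = extension_settings(baseline), extension_settings(current)
    for ext_id, name in WATCHED_EXTENSIONS.items():
        before, after = base_ext.get(ext_id, {}), cur_ext.get(ext_id, {})
        notes: List[str] = []
        if before and not after:
            notes.append("HIGH: extension entry removed")
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                level = "HIGH" if key in HIGH_RISK_KEYS else "info"
                notes.append(f"{level}: {key} changed {before.get(key)!r} -> {after.get(key)!r}")
        if notes:
            findings[name] = notes
    return findings


# Constructed sample snapshots (not real profile data): the MetaMask entry has been re-pointed
# to an unpacked directory and no longer marked as installed from the Web Store.
BASELINE = json.loads("""{"extensions": {"settings": {
  "metamask-id-placeholder": {"path": "metamask-id-placeholder/1.0.0_0", "from_webstore": true, "state": 1},
  "exodus-id-placeholder": {"path": "exodus-id-placeholder/2.0.0_0", "from_webstore": true, "state": 1}}}}""")
CURRENT = json.loads("""{"extensions": {"settings": {
  "metamask-id-placeholder": {"path": "/tmp/unpacked_ext", "from_webstore": false, "state": 1, "newtab": "x"},
  "exodus-id-placeholder": {"path": "exodus-id-placeholder/2.0.0_0", "from_webstore": true, "state": 1}}}}""")

if __name__ == "__main__":
    for wallet, notes in find_tampering(BASELINE, CURRENT).items():
        print(wallet)
        for note in notes:
            print("  ", note)
```

In practice the baseline is a copy of `Preferences` taken at a known-good point and the current document is read from the live profile directory on each run.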