SecurityScorecard identified a new campaign in which the North Korean Lazarus group aims to steal source code, secrets and cryptocurrency wallet keys from developer environments.
# Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
* **Identification:** Notorious North Korea state-sponsored threat actor.
* **Known Aliases and Associated Groups:** Lazarus group.
* **Association:** Believed to conduct operations to generate revenue for the Democratic People's Republic of Korea (DPRK) regime.
## Activity Summary
* **Campaign Name:** Operation 99.
* **Timeline:** Identified on January 9th.
* **Operational Goal:** Steal sensitive data from software developer environments, including source code, secrets, configuration files, and cryptocurrency wallet keys.
* **Evolution/Focus:** Marks a strategic evolution from broad phishing to targeted attacks on developers within the technology supply chain.
* **Methodology:** Posing as recruiters on platforms like LinkedIn offering freelance cryptocurrency coding projects. Victims are directed to clone a malicious GitHub repository ("coin promoting Webapp").
## Tactics, Techniques & Procedures
* **Initial Access:** Social engineering (posing as recruiters) combined with malicious third-party code execution (cloning a malicious GitHub repository).
* **Command and Control (C2):** Use of heavily obfuscated Python scripts, often compressed with ZLIB, delivered via compromised infrastructure.
* **Evasion:** Malware employs enhanced obfuscation and adaptability. C2 infrastructure dynamically tailors malware for specific victim operating systems (Windows, macOS, Linux).
* **Persistence/Execution:** Multi-stage, modular malware framework deployed post-initial code execution.
* **Data Theft:** Keylogging, clipboard monitoring, browser credential theft, and file exfiltration from developer workstations.
* **MITRE ATT&CK IDs:** (Not explicitly provided in the text, but activities align with T1566.001 - Phishing: Spearphishing Attachment/Link, T1083 - File and Directory Discovery, T1056 - Input Capture, T1041 - Exfiltration Over C2 Channel).
## Targeting
* **Sectors:** Technology/Software Development (supply chain compromise focus).
* **Geography:** Global reach (victims identified across the globe).
* **Victims:** Software developers, especially those seeking freelance work in the cryptocurrency sectors.
## Tools & Infrastructure
* **Malware Families Used (Modular System):**
    * **Main99:** Downloader that retrieves additional payloads from the C2.
    * **Payload99/73:** Implants for keylogging, clipboard monitoring, and file exfiltration.
    * **Brow99/73:** Implant designed to steal browser credentials (e.g., from the keychain).
    * **MCLIP:** Dedicated implant for keyboard and clipboard monitoring.
* **Infrastructure:**
    * **C2 Provider:** Stark Industries Solutions Ltd. (an IP address belonging to this provider hosts the malicious Apache server).
    * **Code Repository:** Malicious GitHub repository named "coin promoting Webapp."
## Implications
The campaign represents a significant supply chain threat by compromising the creators of technology. Compromising a developer indirectly jeopardizes all projects and enterprises they support, making it an extremely efficient method of wide-scale compromise. The use of modular, platform-agnostic malware demonstrates an upgrade in the group's operational sophistication.
## Mitigations
* Deploy enhanced code repository verification, specifically scrutinizing Git repositories before cloning.
* Use advanced endpoint security solutions to detect unusual process activity or file modifications.
* Verify recruiters and job offers rigorously, especially on professional platforms like LinkedIn.
* Equip developers with training to identify red flags associated with suspicious emails, repositories, and LinkedIn communication.
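The first mitigation above, scrutinizing a repository before running anything from it, can be partly automated against the TTP this report describes (obfuscated Python stagers carried as zlib-compressed blobs). The following scanner is an added example, not SecurityScorecard's tooling; the sample files it scans are constructed, and the `setup_env.py` / `app.py` names are assumptions.

```python
import base64
import re
import tempfile
import zlib
from pathlib import Path

# Static indicators: a zlib.decompress call feeding exec/eval on one line, and a
# long base64-looking string literal (a packed stage is usually carried this way).
DECOMPRESS_EXEC = re.compile(r"\b(exec|eval)\s*\(.*zlib\s*\.\s*decompress")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
RISKY_MODULES = ("subprocess", "socket", "urllib", "requests", "keyring")

def inspect_source(text: str) -> dict:
    """Findings for one Python file. The blob is only inflated, never executed;
    if it inflates to Python that imports risky modules, those names are reported."""
    findings = {"decompress_exec": bool(DECOMPRESS_EXEC.search(text)),
                "packed_literal": False, "decoded_risky": []}
    for blob in B64_LITERAL.findall(text):
        try:
            inner = zlib.decompress(base64.b64decode(blob)).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            continue  # not a zlib-packed blob (e.g. a plain hash or token)
        findings["packed_literal"] = True
        findings["decoded_risky"] = [m for m in RISKY_MODULES if m in inner]
    return findings

def scan_repo(root: str) -> list:
    """Walk a cloned repository and return (relative path, findings) for every
    .py file that trips an indicator. Run before installing dependencies or
    opening the checkout in an IDE that auto-executes project scripts."""
    hits = []
    for path in Path(root).rglob("*.py"):
        f = inspect_source(path.read_text(errors="replace"))
        if f["decompress_exec"] or f["packed_literal"]:
            hits.append((str(path.relative_to(root)), f))
    return hits

# Constructed samples: the "malicious" one packs a harmless stage the same way
# a zlib-compressed stager would; the benign one is ordinary project code.
_STAGE = b"import socket, subprocess\nprint('second stage would run here')\n"
SAMPLE_MALICIOUS = ("import zlib, base64\nexec(zlib.decompress(base64.b64decode('"
                    + base64.b64encode(zlib.compress(_STAGE)).decode() + "')))\n")
SAMPLE_BENIGN = "import json\nprint(json.dumps({'ok': True}))\n"

def demo_scan() -> list:
    """Write both samples into a throwaway 'repository' (assumed file names) and scan it."""
    with tempfile.TemporaryDirectory() as repo:
        Path(repo, "setup_env.py").write_text(SAMPLE_MALICIOUS)
        Path(repo, "app.py").write_text(SAMPLE_BENIGN)
        return scan_repo(repo)

if __name__ == "__main__":
    for path, findings in demo_scan():
        print(path, findings)
```

Static indicators like these are a triage aid, not a verdict: a repository that trips none of them still deserves a read-through before it is run, and a hit should be handled as an incident rather than simply deleted.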