Subject: Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure
Tactics: TA0011 Command and Control, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access, TA0003 Persistence
Technique: T1071.001 Application Layer Protocol: Web Protocols, T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1543.001 Create or Modify System Process: Launch Agent, T1041 Exfiltration Over C2 Channel, T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1566.001 Phishing: Spearphishing Attachment, T1566.002 Phishing: Spearphishing Link
Procedure:
T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.
T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.
T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.
T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.
T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.
T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
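One defensive check that follows directly from this chain is to inspect an npm package's install-time lifecycle hooks before (or while) it is installed, since the procedure above relies on a script in a hidden '.vscode' folder being executed automatically by npm and on cURL being used to reach the C2 server. The Python script below is an added example, not code from the report or from any of the tooling it describes: it parses a package.json, looks only at the hooks npm runs on its own during `npm install`, and flags commands that execute a file from a hidden directory or invoke a network download tool. The package names, script contents and file layout in the sample inputs are constructed for illustration and are not indicators from the report.

```python
"""Flag suspicious npm lifecycle scripts in a package.json.

Added example (not from the original report). It inspects the hooks that
npm executes automatically during `npm install` for two observables named
in the procedure: a script run from a hidden folder such as '.vscode', and
a network tool (cURL and similar) invoked at install time. All sample
package.json content below is constructed for illustration.
"""
import json
import re
import shlex

# npm runs these hooks on its own during `npm install`, so a payload placed
# here executes without the developer ever importing the package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Path segment that starts with a dot, i.e. a hidden directory, followed by
# a separator: matches '.vscode/test.js' but not './index.js' or '../x'.
HIDDEN_PATH_RE = re.compile(r"(^|[\\/])\.[A-Za-z0-9_-]+[\\/]")

# Download tools that have no business running from an install hook.
NETWORK_TOOLS = {"curl", "wget", "Invoke-WebRequest", "iwr"}


def find_suspicious_hooks(package_json_text: str) -> list[dict]:
    """Return one finding per lifecycle hook that shows an indicator.

    Each finding is a dict with the hook name, the raw command string and a
    sorted list of human-readable reasons. An empty list means no hook
    matched either indicator.
    """
    data = json.loads(package_json_text)
    scripts = data.get("scripts", {}) or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = []
        # Split on shell operators so every sub-command is inspected,
        # e.g. "curl ... | sh" or "node a.js && node .vscode/b.js".
        for part in re.split(r"&&|\|\||;|\|", cmd):
            try:
                tokens = shlex.split(part)
            except ValueError:
                # Unbalanced quotes: fall back to whitespace splitting.
                tokens = part.split()
            if not tokens:
                continue
            if tokens[0] in NETWORK_TOOLS:
                reasons.append(f"network tool '{tokens[0]}' in install hook")
            for tok in tokens:
                if HIDDEN_PATH_RE.search(tok):
                    reasons.append(f"executes path in hidden directory: {tok}")
        if reasons:
            findings.append(
                {"hook": hook, "command": cmd, "reasons": sorted(set(reasons))}
            )
    return findings


# Constructed sample: a package whose postinstall hook runs a script from the
# '.vscode' folder, mirroring the chain in the procedure above.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-nft-dashboard",
    "version": "1.0.0",
    "main": "index.js",
    "scripts": {
        "test": "jest",
        "postinstall": "node .vscode/test.js",
    },
})

# Constructed benign sample for comparison: no lifecycle hooks at all.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-lib",
    "version": "2.3.1",
    "scripts": {"build": "tsc", "test": "jest"},
})

if __name__ == "__main__":
    for f in find_suspicious_hooks(SAMPLE_PACKAGE_JSON):
        print(f"[{f['hook']}] {f['command']!r}: {', '.join(f['reasons'])}")
```

The check is deliberately narrow: it reads only the hooks npm executes implicitly, so a package's ordinary `build` or `test` scripts never produce findings, and it does not try to decide whether a flagged package is malicious, only that it deserves a look before the install proceeds. In a honeypot developer environment of the kind described under Engagement Opportunity, the same function can run as a wrapper around `npm install` to log every package that trips it.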
Vulnerability:
- EAV0001 – When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
- EAV0009 – When adversaries maintain drive-by sites and collect information about potential victims, they may reveal information about their targeting preferences by selecting or rejecting an arbitrary victim.
Engagement Opportunity:
Deploy a honeypot mimicking a software developer’s environment, complete with fake projects and credentials. Seed the honeypot with decoy code repositories containing instrumented versions of popular development tools (like npm) to capture attacker interactions and gather intelligence on TTPs.
Threat Actor: North Korean threat actors, tracked as Contagious Interview
Threat Objective:
Installation of a backdoor, remote access, theft of sensitive information (including cryptocurrency wallet data).
Deception Opportunity:
- Create a decoy cryptocurrency wallet within the honeypot with a small amount of cryptocurrency to entice attackers.
- Plant fake developer notes with references to high-value projects or sensitive API keys to misdirect and observe attacker behavior.
Sensor Data Placement: Application
Observable Level: Core to Adversary-Brought Tool
Scoring Rationale:
The attack chain leverages a combination of adversary-brought tools and pre-existing system tools. Observables range from unique malicious files to common system utilities used in a suspicious manner. Data can be collected from various sources to provide a comprehensive view of the attack.
- Sensor Data Placement: Application, User-Mode, Network
- Observable Level: Core to Adversary-Brought Tool (malicious NPM package, JavaScript files), Core to Pre-Existing Tool (npm, cURL), Core to Some Implementations of (Sub-)Technique (specific command-line arguments)
Link to Report: https://docs.google.com/document/d/1AEPI8u7OMPClTaKG8d1H-dSNnoVq6SvQs_I6pQsZ03E/edit?usp=drive_web
Link to Report II.:
Additional Comments:
The attackers demonstrate a targeted approach focused on software developers and utilize lures related to NFTs and cryptocurrency. This emphasizes the importance of user training, secure coding practices, and robust endpoint and network security controls.
Possible elements: Deceptive Beacons, Deceptive Document Watermarks, Deceptive Identity Provider (IdP) Responses
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# Example: North Korean Threat Actor Attack Graph
[1]: Initial Access (TA0001) - Phishing (T1566) - Phishing email or LinkedIn message with link to malicious GitHub repository (Core to Adversary-Brought Tool)
[2]: Initial Access (TA0001) - Exploit Public-Facing Application (T1190) - Malicious code hosted on public GitHub repository (Core to Adversary-Brought Tool)
[3]: Execution (TA0002) - Command and Scripting Interpreter (T1059) - Install malicious NPM package via npm command line (Core to Pre-Existing Tool)
[4]: Persistence (TA0003) - Create or Modify System Process (T1543) - Execute malicious JavaScript file 'test.js' (Core to Some Implementations of (Sub-)Technique)
[5]: Command and Control (TA0011) - Application Layer Protocol (T1071) - Download additional payloads via cURL command (Core to Adversary-Brought Tool)
[6]: Exfiltration (TA0010) - Exfiltration Over C2 Channel (T1041) - Exfiltrate data to C2 server (Core to Sub-Technique or Technique)
1 --> 2 (Lack of User Awareness - EAV0001)
2 --> 3 (Lack of User Awareness - EAV0001, Lack of Secure Code Repositories - EAV0009)
3 --> 4 (Lack of System Monitoring)
4 --> 5 (Lack of Network Monitoring)
5 --> 6 (Lack of Network Monitoring)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
# Example: North Korean Threat Actor Pseudocode
function Initial_Access_Phishing(target_email):
    # Craft phishing email or LinkedIn message with link to malicious GitHub repository
    # Send email or message to target_email
    return malicious_repository_link

function Initial_Access_Exploit_Public-Facing_Application():
    # Host malicious code on public GitHub repository
    return malicious_repository_link

function Execution_Command_and_Scripting_Interpreter(malicious_repository_link):
    # Download and install malicious NPM package from malicious_repository_link
    return malicious_npm_package

function Persistence_Create_or_Modify_System_Process(malicious_npm_package):
    # Execute malicious JavaScript file 'test.js' from malicious_npm_package
    return cURL_command

function Command_and_Control_Application_Layer_Protocol(cURL_command):
    # Execute cURL_command to download additional payloads from C2 server
    return exfiltration_module

function Exfiltration_Exfiltration_Over_C2_Channel(exfiltration_module):
    # Execute exfiltration_module to exfiltrate data to C2 server
    return success