North Koreans Clone Open Source Projects to Plant Backdoors, Steal Credentials
Summary:
According to SecurityScorecard STRIKE researchers, the North Korea-nexus Lazarus Group has compromised hundreds of victims in multiple countries in a large-scale data-harvesting supply chain attack campaign that was still ongoing as of mid-January 2025. Multiple C2 servers linked to Lazarus Group, active since September 2024, were discovered by SecurityScorecard while investigating Lazarus’ fake job offer scam, Operation 99. Further analysis of this C2 infrastructure revealed that the same servers were reused in a new campaign, dubbed Phantom Circuit, to deliver obfuscated backdoors and exfiltrate stolen data from organizations by targeting their developers.
In this campaign, Lazarus was observed forking legitimate software repositories and open-source tools, including Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and other cryptocurrency-related apps, authentication packages, and web3 technologies, and lacing them with obfuscated backdoors. According to the researchers, the supply chain attack was conducted in multiple waves, which they separate into November, December, and January campaigns. Targeted Lazarus operations ran on the operational infrastructure analyzed in the report from September 2024 to January 2025. Lazarus developed a sophisticated React application and API as an administrative platform for managing exfiltrated data and payload delivery; it was deployed on every C2 server and administered over port 1245. After exfiltration to the Lazarus C2 servers, the stolen data is transferred to Dropbox. SecurityScorecard researchers uncovered additional Lazarus operational infrastructure while investigating Operation 99 and Phantom Circuit, some of which remained active as of January 29, 2025. The most notable part of this infrastructure is an intermediate network of proxies: the stolen data flows through Astrill VPN endpoints and one of the proxies registered in Hasan, Russia before finally reaching its destination.
Security Officer Comments:
With Operation Phantom Circuit, North Korea has shown a sophisticated, widespread campaign run on a complex operational infrastructure that its operators built to mask their activity. These latest DPRK operations underscore the urgent need for defenders to strengthen their supply chain security, and thereby their organization’s overall security posture, to avoid being victimized by similar campaigns.
Suggested Corrections:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
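The campaign above works by forking a legitimate project and adding or altering files to carry an obfuscated backdoor. One practical supply chain check a defender can run is to diff a candidate copy of a project against the known-good upstream tree and flag files that were added or modified and that show obfuscation indicators. The following is an added illustration, not code from the report or from any of the named projects; the two file trees, the file names and the trojanized contents are constructed for the example.

```python
import hashlib
import re

# Constructed sample trees (path -> bytes). UPSTREAM stands in for the genuine
# project; FORK is a hypothetical trojanized copy with one altered and one added file.
UPSTREAM = {
    "pwmanager/__init__.py": b"",
    "pwmanager/vault.py": b"def open_vault(path, key):\n    return decrypt(path, key)\n",
    "setup.py": b"from setuptools import setup\nsetup(name='pwmanager', version='1.0')\n",
}
FORK = {
    "pwmanager/__init__.py": b"",
    "pwmanager/vault.py": (b"import base64\ndef open_vault(path, key):\n"
                           b"    exec(base64.b64decode('aW1wb3J0IG9z'))\n"
                           b"    return decrypt(path, key)\n"),
    "setup.py": UPSTREAM["setup.py"],
    "pwmanager/_telemetry.py": b"import socket\n# constructed stand-in for added code\n",
}

# Heuristics for obfuscated or dynamically executed code in Python sources.
OBFUSCATION_PATTERNS = [
    re.compile(rb"\b(exec|eval)\s*\("),                 # dynamic code execution
    re.compile(rb"b64decode|codecs\.decode|zlib\.decompress"),  # decode-then-run chains
    re.compile(rb"[A-Za-z0-9+/=]{80,}"),                # long base64-looking literal
]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_trees(upstream: dict, fork: dict):
    """Return (added, removed, modified) paths of the fork relative to upstream."""
    added = sorted(set(fork) - set(upstream))
    removed = sorted(set(upstream) - set(fork))
    modified = sorted(p for p in upstream.keys() & fork.keys()
                      if sha256(upstream[p]) != sha256(fork[p]))
    return added, removed, modified

def suspicious_files(tree: dict, paths):
    """Map each path whose contents match an obfuscation pattern to the patterns hit."""
    hits = {}
    for p in paths:
        matched = [pat.pattern.decode() for pat in OBFUSCATION_PATTERNS if pat.search(tree[p])]
        if matched:
            hits[p] = matched
    return hits

def review_fork(upstream: dict, fork: dict) -> dict:
    """Diff the fork against upstream and scan only the changed files for obfuscation."""
    added, removed, modified = diff_trees(upstream, fork)
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious": suspicious_files(fork, added + modified)}
```

In practice the upstream tree would be the published release (or a pinned commit) and the fork tree the copy a developer was asked to build or install; any file in `suspicious` deserves a manual read before the project is trusted.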
https://www.theregister.com/2025/01/29/lazarus_groups_supply_chain_attack/
White paper: https://securityscorecard.com/wp-co...peration-Phantom-Circuit-Report_012725_03.pdf