North Korea Stealing Cryptocurrency With JavaScript Implant

New North Korean malware is targeting cryptowallets with an unconventional command-and-control infrastructure and through malware embedded into a GitHub repository that’s apparently the account of a Pyongyang hacker.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

The totalitarian North Korean regime has long used cryptocurrency theft as a means of infusing its economically-blockaded country with hard currency and funding the development of weapons of mass destruction. The United States and South Korea in January attributed nearly $660 million worth of cryptocurrency theft to Pyongyang hackers.

Security researchers at Security Scorecard uncovered Thursday a JavaScript implant named “Marstech1” they say is meant to compromise software developers and cryptocurrency wallets through manipulated open-source repositories. Marstech1 targets Exodus and Atomic Crypto currency wallets on Linux, MacOS and Windows.

The implant appears to have emerged late last December. Security Scorecard researchers traced it to a GitHub account belonging to “SuccessFriend,” which the company “suspects to be the Lazarus threat actor’s GitHub profile.” The U.S. government says North Korean hacking unit Lazarus Group is a part of the Reconnaissance General Bureau – but the name in some contexts has become a catch-all term for North Korean hacking activity.

SuccessFriend has been active since July 2024 and has contributed legitimate code to a number of projects. Any developer who clones and runs a SuccessFriend repository will get malware along with it – possibly Marstech1 or possibly another implant named mc_cur.py, which targets MetaMask cryptocurrency wallet browser extension.

Researchers additionally found Marstech1 deployed by a command-and-control server operating on infrastructure controlled by “Stark Industries Solutions,” an internet hosting firm that appeared just before the February 2022 Russian invasion of Ukraine. The host “quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe,” independent reporter Brian Krebs reported in May 2024.

The server setup is markedly different from other North Korean command and control setups observed by Security Scorecard. Among the novel elements: the Marstech1 server operates on port 3000, as opposed to other Pyongyang servers operating on ports 1224 and 1245. Other North Korean infrastructure has used the React web admin panel, while the Marstech1 server doesn’t – although “it clearly runs Node.js Express on the backend.”

The coder behind Marstech1 was apparently aware that security researchers would find it and introduced several obfuscation techniques. Among them are one-time wrappers that allow critical functions to run only once, preventing analysts from repeatedly invoking those functions for automated analysis. Code also obscured debugging ouput and intefers with logging.
“The use of advanced anti-debugging measures and self-modifying code further exacerbates the challenge of realtime threat analysis, emphasizing the need for heightened vigilance and robust security framework in supply chain management,” Security Scorecard said.