A new North Korean threat actor, Moonstone Sleet, leverages the public NPM registry to distribute malware via malicious packages by targeting the open-source software supply chain, exposing developers who unknowingly integrate these packages into their projects.
Moonstone Sleet’s emergence alongside existing actors like Jade Sleet highlights the persistent threat that state-sponsored actors pose to the integrity of the open-source ecosystem.
North Korean actors, particularly Jade Sleet, exploited the public npm registry to distribute malicious packages in late 2023. Early in 2024, malicious packages that were initially believed to be from Jade Sleet kept showing up, but further investigation revealed a new threat actor targeting the npm registry with methods similar to those of Jade Sleet.
A new North Korean cyberespionage group has emerged that uses tactics similar to those of other North Korean actors to target companies for financial gain and data theft. Its techniques include distributing malicious npm packages through both freelancing platforms and the public npm registry, which significantly increases its reach.
Interestingly, Moonstone Sleet’s code differs from that of the earlier group Jade Sleet, which used paired packages to make detection harder; Moonstone Sleet appears to take a more direct approach.
The second stage of the attack reads a stolen token from a previously created file and constructs a request to a predetermined URL, embedding the token as a parameter.
The response, potentially containing further malicious code, is then written to a new file on the compromised system, which is subsequently executed directly as a Node.js script, triggering the full payload.
Moonstone Sleet’s malicious packages, released in late 2023 and early 2024, adopted a single-package approach in which the payload executed immediately upon installation; the payload, encoded within string constants, contained OS-specific code that functioned only on Windows machines.
These packages showed minor variations in file names, URLs, and decryption keys but maintained a consistent overall structure and functionality, which suggests that the attackers relied on a proven technique with slight modifications to bypass detection.
The execution involved downloading a file from a remote server, decrypting it using a byte-wise XOR operation, renaming it, and executing it via rundll32. The malware then covered its tracks by deleting temporary files and replacing the malicious package.json with a clean version.
According to Checkmarx, Q2 2024 saw a rise in cyberattack complexity, where attack packages employed obfuscation techniques and expanded their target range to include Linux systems.
When Linux was detected, the package would execute a separate code snippet, indicating a potential attempt to exploit vulnerabilities specific to that operating system.