Lazarus Group Seen Poisoning Open Source Software with Infostealers
The Campaign, Dubbed Phantom Circuit, Primarily Targets European Software Developers
Numerous Repositories Discovered Contaminated with Malware
The infamous North Korean hacking collective known as Lazarus has been actively targeting software developers, with a particular focus on those involved in the Web3 space. This new wave of attacks utilizes infostealing malware designed to capture sensitive information, including user credentials and authentication tokens, cybersecurity experts have reported.
A report by SecurityScorecard reveals extensive details about this operation, highlighting its reliance on software supply-chain attacks and the deliberate poisoning of open-source software.
The Lazarus Group has been observed tampering with various open-source tools, injecting malicious code into them and then redistributing the tainted versions on platforms such as GitLab. These altered packages pose a serious risk, since unsuspecting developers may pull the compromised tools into their own projects without noticing anything wrong.
Focus on Web3 Developers
The operation, referred to as Phantom Circuit, is believed to have affected over 1,500 individuals, the majority of whom are located in Europe, although there are also significant numbers from India and Brazil.
Among the compromised tools identified were Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and various other applications connected to cryptocurrency, authentication packages, and Web3 technologies, according to Ryan Sherstobitoff, the senior vice president of research and threat intelligence at SecurityScorecard.
The researchers did not clarify whether the Lazarus Group employed recognized infostealer malware in this campaign or if they developed new malicious code for this specific operation. Historically, the group has utilized an array of tools in their cyberattacks.
Lazarus has a notorious history of targeting companies within the cryptocurrency sector. Some security analysts suggest that these operations may be part of a broader strategy to finance the North Korean regime’s initiatives, including its military programs. The group is also well-known for its deceptive recruitment effort dubbed Operation DreamJob, which lures Web3 software developers with enticing job offers that ultimately lead to cyberattacks.
During the application process, candidates may unknowingly download malicious software disguised as legitimate tools, enabling Lazarus to capture not only the candidates' own tokens but also tokens belonging to the companies they work for. In one notable incident, this strategy purportedly resulted in a theft of approximately $600 million.
Source
www.techradar.com