North Korea-linked Lazarus Group on the Prowl Again
The Lazarus Group, associated with North Korea, is targeting the JavaScript ecosystem with a new batch of malware that steals digital assets.
Lazarus Targets the JavaScript Ecosystem
According to code security platform Socket, Lazarus has revamped its attacks on the digital asset sector. It has deployed six malicious packages on npm (Node Package Manager), the registry widely used for installing and managing JavaScript packages. The malware is designed to steal digital asset data and other credentials while deploying a backdoor for follow-on access.
By last week, the six packages had been downloaded 330 times. The packages are designed to mimic trusted libraries: Lazarus relies on typosquatting, choosing names close to those of legitimate packages so that a mistyped install command or a careless dependency review pulls in the malicious version. The group also maintains GitHub repositories for five of the six packages, lending them a further appearance of legitimacy. Socket has petitioned GitHub, which operates npm, for the removal of these packages.
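The following JavaScript is an added example, not code from the article or from Socket's report. It shows the two checks a practitioner would run over a dependency tree after reading the paragraph above: flag package names that sit within a couple of edits of a well-known library (the typosquatting pattern described), and, going one step beyond the text, flag packages that declare install-time lifecycle scripts, since that is where a dropper for a backdoor would normally execute during `npm install`. The TRUSTED allowlist and the sample manifests are constructed for illustration and are not the packages Socket identified.

```javascript
// Added example (not from the article or from Socket's report): audit npm
// manifests for typosquatted names and for install-time lifecycle scripts.
// TRUSTED is a hypothetical allowlist; in practice it would be the set of
// direct dependencies your project is known to use.
const TRUSTED = ["react", "lodash", "express", "axios", "chalk", "commander"];

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns the closest trusted package within maxDistance edits, or null.
// Scoped names such as "@org/pkg" are compared on the bare package part.
function lookalikeOf(name, trusted = TRUSTED, maxDistance = 2) {
  const bare = name.startsWith("@") ? (name.split("/")[1] ?? name) : name;
  if (trusted.includes(bare)) return null; // exact match is the real package
  let best = null;
  for (const t of trusted) {
    const distance = levenshtein(bare, t);
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { target: t, distance };
    }
  }
  return best;
}

// Audits one package.json-style manifest and returns a list of findings.
function auditPackage(pkg) {
  const findings = [];
  const look = lookalikeOf(pkg.name);
  if (look) {
    findings.push(`name "${pkg.name}" is ${look.distance} edit(s) from trusted "${look.target}"`);
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && typeof pkg.scripts[hook] === "string") {
      findings.push(`declares ${hook} script: ${pkg.scripts[hook]}`);
    }
  }
  return findings;
}

// Audits a set of manifests; returns { name: findings } for packages with findings.
function auditAll(manifests) {
  const report = {};
  for (const pkg of manifests) {
    const findings = auditPackage(pkg);
    if (findings.length > 0) report[pkg.name] = findings;
  }
  return report;
}

// Constructed sample manifests, shaped like node_modules/*/package.json entries.
const SAMPLE_MANIFESTS = [
  { name: "express", version: "4.19.2", scripts: {} },
  { name: "expres", version: "1.0.0", scripts: { postinstall: "node ./lib/setup.js" } },
  { name: "lodahs", version: "4.17.21" },
  { name: "@types/react", version: "18.2.0" },
  { name: "left-pad", version: "1.3.0" },
];

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

Two caveats when running this against a real tree: short package names produce false positives at distance 2, so lower `maxDistance` for names under about six characters, and a lookalike name with no install script is still worth checking, because a stealer can run when the module is first required rather than at install time.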
Socket cautions that it cannot definitively attribute the malware to Lazarus, but notes that the campaign bears the hallmarks of the group's tactics and techniques. These include obfuscation techniques and data theft methods seen in previous Lazarus attacks, such as extracting sensitive files from browser profiles and digital asset wallets.
Lazarus has a history of infiltrating networks and draining digital wallets, including the recent $1.4 billion hack of Bybit, the largest theft the digital asset industry has seen.
Cryptojackers Blackmailing YouTubers
In a separate report, Kaspersky found that cybercriminals are blackmailing YouTubers into placing links to cryptojacking malware in their video descriptions. The criminals disguise the malware as tools for bypassing geo-restrictions; such tools are in heavy demand in regions with strict internet controls.
Over the past six months, Kaspersky logged more than 2.4 million detections of the Windows Packet Divert drivers that these bypassing tools rely on. The installation instructions that accompany the tools typically tell users to disable their PCs' security software, which lets the bundled malware install undetected. YouTubers are the preferred distribution channel because their audiences give the malware wider exposure.
Kaspersky provided an example of a YouTuber with 60,000 subscribers who was pressured to include a link to malware resources following a false copyright infringement claim against his videos. Another YouTuber with 340,000 subscribers faced a similar situation.
The cryptojacking malware, built on the open-source XMRig miner, mines assets such as Monero on infected machines while evading detection. Cryptojacking incidents have declined overall, but criminals are still targeting a multitude of devices, including machines belonging to federal agencies.