Two weeks after the IT management firm JumpCloud announced that it was the victim of a supply chain attack aimed at a small population of customers in the cryptocurrency industry, an investigation by ReversingLabs researchers has uncovered evidence of more malicious npm packages, with links to the same infrastructure that also appear to target cryptocurrency providers.
Specifically, ReversingLabs identified a number of additional npm packages with links to the same malicious campaign. One, named btc-api-node, was uploaded to npm on July 11th and has links to a supply chain attack first identified by the firm Phylum on June 23, and that was cited as a possible precursor to the JumpCloud attack, ReversingLabs Reverse Engineer Karlo Zanki said. Phylum has since published an additional blog post that called out the btc-api-node package and others.
All the packages in question were removed from npm soon after being posted — possibly by the threat actor. That could be an effort to reduce the likelihood of detection after succeeding in getting their malicious npm packages integrated into target applications and environments.
Here's what ReversingLabs researchers have found in the wake of the JumpCloud supply chain attack.
Links to recent npm campaigns
The btc-api-node package communicates with the domain npmaudit [dot] com, Zanki reports. That domain was also identified as part of the command and control infrastructure behind malicious packages used in the JumpCloud attack and named in a July 18 alert from GitHub, which warned of a “low-volume social engineering campaign” that targeted the personal accounts of employees of tech firms. Malicious domains named as indicators of compromise (IOCs) by GitHub include both the npmaudit [dot] com domain and domains specifically called out by Phylum in its June alert.
“Based on the packages from the Phylum blog, GitHub advisory and additional packages we found, we conclude that the attack is still ongoing.”
As with the recent Operation Brainleeches npm compromise, the supply chain attacks in question appear to mix high-touch and low-touch campaigns. With some packages, the attackers made minimal effort to make the malicious packages look convincing to developers. In other cases the attackers went further to make the packages convincing: they modified package metadata and added legitimate npm user accounts as authors of the packages, Zanki said.
The btc-api-node npm package was removed prior to this posting. However, ReversingLabs researchers' analysis of the package while it was still accessible indicates that it closely resembled a legitimate npm module, bitfinex-api-node, which is described as a Node.JS reference implementation of the Bitfinex API. That API is used to interact with the Bitfinex cryptocurrency exchange.
When executed, the btc-api-node package starts index.js via a postinstall script. The index.js file contains Base64-encoded values. The package sets environment variables on the system running it so that SSL/TLS certificate verification is skipped. As Phylum points out in its analysis, that could be an effort to let the package's HTTP requests succeed within corporate environments that use proxies or have installed their own root certificates.
The package also creates a folder on the system running the package and then downloads a file from hxxps://npmaudit.com/api/v4/init, and writes it into the same directory. With the package we observed, the folder was named .electron, though the directory and subdirectory names vary by package. (A list of them is provided by Phylum in their analysis.) The file acts as a token on the compromised system, with its presence on the system signaling that it is open to receiving the stage 2 malware without risk of detection.
RU kidding? Malicious npm packages escaped notice
ReversingLabs also detected a number of additional malicious npm packages that were not named in the write-ups from JumpCloud, GitHub or Phylum. These packages have since been removed from npm. They include:
- kraken-prices v. 0.13.3, posted July 6 and associated with the accounts “Mikko Ohtamaa” and “sefiyorokauot”
- kucoin-prices v. 3.1.7, posted July 6 and associated with the accounts “coingecko B.V.” and “trowacbirolynnqh”
- eth-api-node v. ???, posted July 17. There is no data on the source of the package, which was also mentioned in the GitHub advisory.
Also, by searching on package metadata, ReversingLabs researchers were able to identify more packages associated with suspicious npm user accounts registered with a mail.ru domain — many of them created and used recently. Some of these npm packages even predate the packages identified in the Phylum blog, moving back the start date for this campaign. They include:
- xml-fast-decoder v. 0.0.1-0.1.5, posted July 4 and associated with the account “timur.polatkin”.
- next2ejs v. 1.3.2, posted May 17 and associated with the account “ambrosimova”.
- vue2ejs v. 1.3.3, posted May 17 and associated with the account “ambrosimova”.
Links to North Korean APT?
CrowdStrike, SentinelOne and others attributed the attack to state-sponsored actors working on behalf of the government of North Korea. While the data collected by ReversingLabs is inconclusive, a growing body of evidence points to North Korea.
First, the fact that the malicious npm packages are related to cryptocurrency applications and platforms points a finger in the direction of the DPRK. As CISA noted in a 2021 advisory, the North Korean APT known as Lazarus Group has targeted individuals and companies associated with the cryptocurrency industry — part of what many believe is an effort by the North Korean government to increase its liquidity in the face of Western trade sanctions.
Targets have included cryptocurrency exchanges and financial service companies. Those attacks include supply chain attacks involving the dissemination of cryptocurrency trading applications modified to include malware that facilitates theft of cryptocurrency.
More recently, Mandiant reported that it observed direct connections from malicious infrastructure used in the attack back to servers in Pyongyang, the North Korean capital, due to the failure of a VPN connection used by the attackers. The company said that it has also observed North Korean state-sponsored hacking groups gaining access to victim networks through JumpCloud.
That said, the large number of accounts registered to emails at mail.ru would tend to point in a different direction. That could be a purposeful misdirection on the part of the North Korean APT groups. It may also be evidence of cooperation between North Korean and Russian actors. A more thorough examination of the malicious npm packages in question is needed to try to associate the attacks with different geographies.
How to respond to the threat
According to the JumpCloud analysis, the scope of the supply chain attack on that organization was limited to a small handful of accounts associated with the cryptocurrency industry — just five accounts, by JumpCloud’s account.
However, the larger number of malicious packages and the extended timeline for the attack — dating back to May — suggest that other organizations may have been targeted, while the malicious actors behind the attacks took steps to minimize their exposure, including quickly removing the offending packages from npm.
If your organization is concerned about exposure to this attack, you can leverage a YARA rule that searches for a telltale environment variable, "Tk9ERV9UTFNfUkVKRUNUX1VOQVVUSE9SSVpFRA==", to help identify systems compromised in this attack.
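The same indicators can be checked outside YARA. The following is an added Python example (our code, not ReversingLabs' or Phylum's) that flags a package whose install hook runs a script containing Base64 literals decoding to the NODE_TLS_REJECT_UNAUTHORIZED variable named above or to the npmaudit.com domain; the package.json and index.js contents are constructed samples modelled on the behaviour described in this post.

```python
import base64
import json
import re

# Constructed sample package contents (not a real package) modelled on the
# behaviour described above: a postinstall hook plus Base64-encoded strings.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-api-node",
    "version": "1.0.0",
    "scripts": {"postinstall": "node index.js"},
})
SAMPLE_INDEX_JS = (
    'const k = atob("Tk9ERV9UTFNfUkVKRUNUX1VOQVVUSE9SSVpFRA==");\n'
    'process.env[k] = "0";\n'
    'const h = atob("bnBtYXVkaXQuY29t");\n'
)

# Indicators from the write-up: the TLS-verification variable the package
# disables and the command-and-control domain it contacts.
SUSPICIOUS_DECODED = ("NODE_TLS_REJECT_UNAUTHORIZED", "npmaudit.com")
# Base64-looking runs of at least 16 characters with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def install_hooks(package_json_text):
    """Return the lifecycle scripts npm runs automatically at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items()
            if k in ("preinstall", "install", "postinstall")}

def decoded_indicators(source):
    """Decode every Base64-looking literal; return (token, text) pairs that hit."""
    hits = []
    for token in B64_RE.findall(source):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text; ignore
        for indicator in SUSPICIOUS_DECODED:
            if indicator in text:
                hits.append((token, text))
    return hits

def assess(package_json_text, index_js_text):
    """Combine both signals: an install hook plus decoded indicators is suspicious."""
    hooks = install_hooks(package_json_text)
    hits = decoded_indicators(index_js_text)
    return {"install_hooks": hooks, "indicator_hits": hits,
            "suspicious": bool(hooks) and bool(hits)}
```

Run it over the extracted contents of any package tarball in your registry mirror or lockfile; a hit on the decoded indicator is the same signal the YARA rule keys on, with the added context of which install hook would have run the script.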