North Korea’s Post-Infection Python Payloads

Submitted by Style Pass, 2024-04-04 11:30:11

Throughout the past few months, several publications have written about a North Korean threat actor group's use of NPM packages to deploy malware to developers and other unsuspecting victims. This blog post provides additional details regarding the second- and third-stage malware in these attacks, which those publications have only covered in limited detail.

A few good sources that showcase the progression of the security community's understanding of this attack workflow include:
– Phylum, which has been tracking this threat since last year
– Palo Alto's Unit 42, which provided additional information in November 2023
– A Medium post detailing a similar attack to the ones described above and in this blog post

Interestingly, it appears that the threat actors may have either moved to, or begun using in parallel, a series of Python scripts for this attack instead of solely delivering malicious DLLs (as observed by Phylum researchers in their original reports). This may be due to the added flexibility and speed of Python scripting, or it may simply be a result of the threat actors attempting to make their delivered tools and files appear more legitimate to users and investigators.

Technical Information

This post focuses on the inner workings of the Python workflow described in the Palo Alto and Phylum reports above. The files analyzed are listed below, with SHA256 hashes for the versions found on VirusTotal where available.

– Name: Frontend.zip
  Notes: Malicious node package uploaded to VirusTotal from a user in Bangladesh on 3/28.
  SHA256: 8b2f2fad1d1f1e6ad915ea2224dd9f8544edf4aaf910ab9b3a3112cc5806f16d
– Name: main_[campaign ID].py or ".npl"
  Notes: Obtained by malicious code in Frontend.zip. Obtains and executes the next two stages.
– Name: brow_[campaign ID].py or "bow"
  Notes: Browser-stealing module. An example was uploaded to VirusTotal via email on 3/28.
  SHA256: 72400a957654371be9363fdd2753ffea8f240a8b3e6e03edc116f8da96fa3ce4
– Name: pay_[campaign ID].py or "pay"
  Notes: Contains the bulk of the backdoor functionality. This example was uploaded to VirusTotal on 3/26.
  SHA256: ba47df4e0cccdff1c6e81b7a9e347ac094efc8c94caab3f53ed0bd32d0293bf0
– Name: any_[campaign ID] or "adc"
  Notes: Python script obtained by "pay" that downloads and installs an AnyDesk client.
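The file list above doubles as a set of indicators for a host sweep. The script below is an added example written for this page, not code from the original post or from any of the cited reports: it walks a directory tree, streams every file through SHA256, and flags anything whose hash matches one of the three values quoted above or whose name follows one of the stage-file conventions (main_/brow_/pay_/any_ plus the short aliases .npl, bow, pay, adc). The campaign ID is assumed here to be a run of word characters, since the post does not say what it looks like, and the sample directory the script builds is constructed placeholder content, not the real malware.

```python
"""IOC sweep for the staged payload files listed above.

Added example (not code from the original post): walks a directory tree,
hashes every file, and flags anything that matches the SHA256 values quoted
in the post or the stage-file naming conventions it describes.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values quoted in the post for the VirusTotal samples.
KNOWN_HASHES = {
    "8b2f2fad1d1f1e6ad915ea2224dd9f8544edf4aaf910ab9b3a3112cc5806f16d":
        "Frontend.zip (malicious node package)",
    "72400a957654371be9363fdd2753ffea8f240a8b3e6e03edc116f8da96fa3ce4":
        "brow_[campaign ID].py (browser stealer)",
    "ba47df4e0cccdff1c6e81b7a9e347ac094efc8c94caab3f53ed0bd32d0293bf0":
        "pay_[campaign ID].py (backdoor)",
}

# File-name conventions from the post. The campaign ID is assumed here to be
# a run of word characters; the post does not specify its format.
NAME_PATTERNS = [
    (re.compile(r"^(main_\w+\.py|\.npl)$"), "stage 2 loader (main_*.py / .npl)"),
    (re.compile(r"^(brow_\w+\.py|bow)$"), "browser stealer (brow_*.py / bow)"),
    (re.compile(r"^(pay_\w+\.py|pay)$"), "backdoor (pay_*.py / pay)"),
    (re.compile(r"^(any_\w+|adc)$"), "AnyDesk installer (any_* / adc)"),
]


def sha256_file(path):
    """Stream a file through SHA256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_name(name):
    """Return the stage label for a file name, or None if it matches no convention."""
    for pattern, label in NAME_PATTERNS:
        if pattern.match(name):
            return label
    return None


def sweep(root):
    """Return a list of hits: (path, sha256, [reasons]) for every flagged file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            reasons = []
            if digest in KNOWN_HASHES:
                reasons.append("hash: " + KNOWN_HASHES[digest])
            label = classify_name(name)
            if label is not None:
                reasons.append("name: " + label)
            if reasons:
                hits.append((path, digest, reasons))
    return hits


def build_sample_tree(base):
    """Create a constructed layout with one benign file and three stand-in stage
    files. The contents are placeholders, not the real malware."""
    base = Path(base)
    (base / "node_modules" / "frontend").mkdir(parents=True)
    (base / "node_modules" / "frontend" / "index.js").write_text("module.exports = {};\n")
    (base / "tmp").mkdir()
    (base / "tmp" / "main_ab12cd.py").write_text("# constructed stand-in for the stage 2 loader\n")
    (base / "tmp" / "pay").write_text("# constructed stand-in for the backdoor\n")
    (base / "tmp" / "adc").write_text("# constructed stand-in for the AnyDesk installer\n")
    return base


def demo():
    """Run the sweep over the constructed tree; return sorted (relative path, reasons) pairs."""
    with tempfile.TemporaryDirectory() as td:
        base = build_sample_tree(td)
        return sorted(
            (Path(os.path.relpath(path, base)).as_posix(), reasons)
            for path, _digest, reasons in sweep(base)
        )


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

Two caveats when using this for real: the hash matches only catch the exact samples uploaded to VirusTotal, and the post itself notes the file names carry a per-campaign suffix, so the name matches are a weak signal meant to surface candidates for manual review (a lone file called "pay" in a temp directory is worth a look; a match in an unrelated project is probably noise).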
