Lazarus exploits typos to peddle malware

Lazarus, the infamous North Korean state-sponsored hacker group, attempted to distribute malware-infected Python packages, banking on common typos that developers make.

The attackers uploaded four malware-infected packages to the Python Package Index (PyPI), the official repository for the Python programming language.

The malicious packages, named pycryptoenv, pycryptoconf, quasarlib, and swapmempool, are similar to legitimate Python package names, such as pycrypto, which is used for encryption algorithms in Python.

“Therefore, the attacker probably prepared the malware-containing malicious packages to target users’ typos in installing Python packages,” researchers at Japan’s Computer Security Incident Response Team (JPCERT) said.

The malicious packages were downloaded several thousand times, meaning that multiple development projects could be infected with Lazarus-made malware.

JPCERT noted it’s not the first time Lazarus has employed packages to target developers. In November 2023, researchers at Phylum reported Lazarus infecting crypto-themed npm modules to deliver Comebacker malware.

“When you install modules and other kinds of software in your development environment, please do so carefully to avoid installing unwanted packages,” JPCERT said.

The North Korean regime backs cybercrime. North Korea allegedly has around 6,000 hackers who operate in over 150 countries. 10% of North Korea’s GDP comes from cybercrime – specifically, fraud, theft, and ransomware.

In 2019, a UN Security Council report stated that since 2016, North Korea has been increasingly relying on hacking to generate income for the country's treasury. It is believed that most of the proceeds from these criminal activities are likely allocated to the national defense budget – to fund nuclear and missile testing.

As the government completely controls internet access, North Korea’s cryptocurrency industry is mainly crime-related and backed by the state. As per a report from South Korea's primary intelligence agency, hackers affiliated with the North Korean government have stolen $1.2 billion worth of cryptocurrency.