A malicious campaign targeting macOS, Linux, and Windows systems has been attributed to the North Korean threat group Lazarus. Cybersecurity researchers at ReversingLabs made the disclosure after tracking VMConnect for about a month.
ReversingLabs first spotted the VMConnect campaign in early August. Cybersecurity researcher and blogger Karlo Zanki described it as consisting of two dozen “malicious Python packages” posted on the openly accessible PyPI software repository.
After keeping beady eyes on PyPI for a few weeks, ReversingLabs reckons it has detected three more packages — tableditor, request-plus, and requestspro — that belong to the VMConnect family.
“An analysis of the malicious packages used and their decrypted payloads reveals links to previous campaigns attributed to Labyrinth Chollima, an offshoot of Lazarus Group, a North Korean state-sponsored threat group,” it said.
Further investigation tied the package to another described in a report published in July by Japan’s computer emergency response team JPCERT.
“The JPCERT report describes discovering malware samples targeting Windows, macOS, and Linux environments,” said ReversingLabs.
While that report adds that its authors were “unable to definitively attribute this campaign to any specific threat actor,” ReversingLabs cites findings by another cybersecurity researcher, Mauro Eldritch, which he shared with analysis firm CrowdStrike.
“Analysts at CrowdStrike attributed the malware to Labyrinth Chollima, a subgroup within the Lazarus Group, a North Korean state-sponsored threat group, with a high degree of confidence,” said ReversingLabs. “A similar attribution was made by the JPCERT, which linked the attack it uncovered to DangerousPassword, another subsidiary of the Lazarus Group.”
Trail leads back to Pyongyang
Based on this information, ReversingLabs concludes that the same threat actor was behind both attacks “and, therefore, that the VMConnect malicious campaign activity can be linked to the North Korean state-sponsored Lazarus Group.”
“As with prior software supply chain campaigns, including IconBurst, SentinelSneak, and others, the malicious actors behind VMConnect took steps to disguise their malicious payloads and make their published packages look trustworthy, despite the existence of malicious functionality,” it added.
Such efforts included typosquatting, a technique in which threat actors register names that closely resemble those of legitimate entities (domain names in the classic case, package names here) to catch users who mistype or misremember the real one. In this campaign the malicious packages squatted on popular open-source packages and appropriated their official descriptions and other metadata to confuse developers.
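The kind of check a defender can run against a dependency list to catch this pattern, as an added example that is not from the article or from ReversingLabs. It normalizes package names, measures edit distance against a small constructed list of popular packages, and also flags names built by bolting a short affix onto a popular name or its singular stem. The two VMConnect names from the article, request-plus and requestspro, are used as inputs; the checker flags them as resembling "requests", but which package they were meant to impersonate is not stated in the article, so treat that output as the tool's judgement, not the researchers' finding.

```python
# Added example: a small typosquat checker for Python package names.
# POPULAR_PACKAGES and SAMPLE_REQUIREMENTS are constructed samples, not a
# real download ranking or a real project's requirements file.
import re
from typing import Dict, List, Tuple

POPULAR_PACKAGES = ["requests", "numpy", "urllib3"]  # constructed sample list

SAMPLE_REQUIREMENTS = """\
requests==2.31.0
request-plus          # name taken from the article
requestspro>=1.0      # name taken from the article
numpy
"""


def normalize(name: str) -> str:
    """Lower-case and drop separators so 'Request-Plus', 'request_plus'
    and 'requestplus' compare equal (PyPI itself treats -, _ and . alike)."""
    return "".join(ch for ch in name.lower() if ch not in "-_.")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str,
                         popular: List[str] = POPULAR_PACKAGES,
                         max_distance: int = 2,
                         max_affix: int = 5) -> List[Tuple[str, str]]:
    """Return (popular_name, reason) pairs for every popular package that
    `name` suspiciously resembles. The genuine package itself is never flagged."""
    n = normalize(name)
    hits: List[Tuple[str, str]] = []
    for pop in popular:
        p = normalize(pop)
        if n == p:
            continue  # exact match: this is the real package
        if levenshtein(n, p) <= max_distance:
            hits.append((pop, "edit-distance"))  # e.g. 'reqeusts'
            continue
        # Affix rule: popular name (or its singular stem, 'request' for
        # 'requests') plus a short prefix/suffix, e.g. 'requestspro'.
        for stem in {p, p.rstrip("s")}:
            if (len(stem) >= 4                      # avoid matching tiny stems
                    and (n.startswith(stem) or n.endswith(stem))
                    and len(n) - len(stem) <= max_affix):
                hits.append((pop, "affix"))
                break
    return hits


def scan_requirements(text: str,
                      popular: List[str] = POPULAR_PACKAGES
                      ) -> Dict[str, List[Tuple[str, str]]]:
    """Scan requirements.txt-style lines and report every flagged name."""
    flagged: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        # Cut the name off at the first version specifier / extras / marker.
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        hits = typosquat_candidates(name, popular)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for pkg, reasons in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: {reasons}")
```

The affix rule is the one that matters for the names in this campaign: neither request-plus nor requestspro is within two edits of "requests", so a pure edit-distance check would pass them. Tune `max_affix` and the popular list to your own ecosystem, and run the scan in CI before `pip install` so a flagged name blocks the build rather than producing a log line nobody reads.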
“The revelations about the ongoing VMConnect campaign are a reminder that organizations need to improve their cyber defensive capabilities to encompass the full range of possible threats and attacks — including software supply-chain attacks,” said ReversingLabs. “That requires firms to invest both the effort and resources needed to detect and prevent supply-chain attacks before they cause material damage to their business.”
As such, ReversingLabs urges organizations to invest in training and raising awareness, as well as tools to detect the presence of any “suspicious or malicious indicators” in open-source or proprietary code they might choose to access.