Check your software: Lazarus attacks npm package supply chain

Brother

Using a multi-level upload method, hackers carefully hide their activity.

The Chinese information security company QiAnXin has discovered a new campaign by the Lazarus group, which uses npm packages to attack the supply chain and relies on a multi-level loading method to hide traces of the attack.

Based on the code characteristics of the downloaded samples and other related samples, the researchers linked them to samples from previous Lazarus attacks, noting that Lazarus often uses supply chain attacks.

The multi-level method for downloading malware includes the following steps:
  1. Loading and decrypting the embedded PE file, which contains the code for the second stage of loading. Decryption is usually performed with XOR.
  2. Downloading and executing the second PE file, which contains the code to establish communication with the C2 server and deliver the subsequent payload.

Using a multi-level download method allows attackers to hide traces of the attack from antivirus software. If the antivirus software detects the first PE file, it can block its download. However, if the antivirus software does not detect the first PE file, it will not be able to detect the second PE file, which is more dangerous.

The samples also use obfuscation techniques to communicate with the C2 server to avoid detection and analysis, in particular RSA encryption. Another method of obfuscation is to use compression techniques using the gzip algorithm. This makes it difficult to analyze the link content.

Subsequent loads and downloads are Trojans that can steal confidential information (credentials, financial and personal information) and execute remote commands (including installing other malicious programs, monitoring user activity, and seizing control of the victim's computer).

Based on the multi-level loading method and communication characteristics with the C2 server, attackers are probably trying to hide the traces of the attack and reduce the risk of detecting subsequent loads. Given the link to Lazarus, attackers are likely to use this opportunity to launch further attacks.
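The first loader stage described in the post (an embedded PE file hidden with XOR, which only becomes visible after decryption) is exactly the kind of artifact a package reviewer can hunt for statically. The following scanner is an added example written for this thread, not code from QiAnXin's report or from the Lazarus samples. It assumes a single-byte XOR key and checks a candidate by decoding the DOS header, following the e_lfanew field and looking for the "PE\0\0" signature, which keeps false positives far lower than matching "MZ" alone. The embedded npm-style blob is constructed here purely to exercise the scanner; it is not a real executable.

```python
"""Scan a file for a PE image hidden with single-byte XOR (defensive triage example)."""
import struct
from typing import List, Tuple

# Constructed DOS stub text, as found in real PE files; used only to make the sample look realistic.
STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes, off: int) -> bool:
    """True if buf[off:] starts with a DOS header whose e_lfanew points at a PE signature."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe_off = off + e_lfanew
    # e_lfanew must lie past the DOS header and inside the buffer.
    if e_lfanew < 0x40 or pe_off + 4 > len(buf):
        return False
    return buf[pe_off:pe_off + 4] == b"PE\0\0"


def find_xored_pe(blob: bytes, keys=range(256), window: int = 0x1000) -> List[Tuple[int, int]]:
    """Return (key, offset) pairs where XOR with `key` reveals an embedded PE header.

    Key 0 is included deliberately so a plaintext PE is reported as well.
    """
    hits = []
    for key in keys:
        # Cheap pre-filter: under this key, "MZ" would appear in the raw bytes as this pattern.
        pattern = xor_bytes(b"MZ", key)
        start = 0
        while True:
            idx = blob.find(pattern, start)
            if idx < 0:
                break
            # Decode only the window needed to validate the candidate header.
            decoded = xor_bytes(blob[idx:idx + window], key)
            if looks_like_pe(decoded, 0):
                hits.append((key, idx))
            start = idx + 1
    return hits


def build_fake_pe_header() -> bytes:
    """Constructed stand-in for a PE image: DOS header, stub text, e_lfanew=0x80 -> 'PE\\0\\0'."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x80)
    hdr[0x4E:0x4E + len(STUB)] = STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def build_sample(key: int = 0x5A) -> Tuple[bytes, int]:
    """Constructed npm-style source file carrying an XOR-obscured PE header; returns (blob, offset)."""
    prefix = b"// constructed npm package stub\nconst blob = Buffer.from('"
    suffix = b"', 'binary');\n"
    encrypted = xor_bytes(build_fake_pe_header(), key)
    return prefix + encrypted + suffix, len(prefix)


if __name__ == "__main__":
    sample, offset = build_sample()
    for key, idx in find_xored_pe(sample):
        print(f"embedded PE candidate at offset {idx:#x}, XOR key {key:#04x}")
```

Run against the files in an extracted npm tarball (everything under `node_modules/<package>/`, including `.node` binaries and large string literals in JavaScript), a hit is a strong signal that a package carries a native payload it has no declared reason to ship. Multi-byte keys or RC4-style schemes will not be caught by this heuristic; for those, a high-entropy string literal whose size is a plausible PE size is the next thing to look at.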