North Korean Hackers Target Crypto Developers

Cryptoverse

Vendors Awaiting Customers
Apr 29, 2022
Researchers from SecurityScorecard have discovered that the North Korean hacking group Lazarus is using previously unknown JavaScript malware called Marstech1 in targeted attacks on developers.

This malicious campaign has been dubbed Marstech Mayhem. The researchers say the malware was traced to a public GitHub repository tied to the SuccessFriend profile. The account had been active since July 2024 and has since been suspended.

The new malware is designed to collect system information and can be embedded in websites or npm packages, which creates the risk of supply chain attacks. Its main task is to search the profile directories of Chromium-based browsers and modify the settings of browser extensions, in particular those belonging to the MetaMask, Exodus and Atomic cryptocurrency wallets, on Windows, Linux and macOS. The malware can also download additional payloads from its command-and-control server.

According to the researchers, Marstech1 activity was first observed at the end of December 2024, and at least 233 victims in the United States, Europe and Asia have been identified.

"SuccessFriend's profile mentioned web development and blockchain skills, which are consistent with Lazarus' interests. The attacker committed obfuscated and pre-obfuscated payloads to various GitHub repositories," SecurityScorecard experts wrote.

In addition, malicious JavaScript was embedded in npm packages associated with various cryptocurrency projects. Unfortunately, it is not reported which packages these were, how widely they were used, or how easy they were to find.

The researchers note that the malware uses several layers of obfuscation not previously seen in Lazarus tooling, which lets Marstech1 evade detection when embedded in software packages. The following techniques were identified during analysis:

control flow modification and self-invocation of functions;
random names of variables and functions;
Base64 string encoding;
anti-debugging and tamper protection;
splitting and subsequent assembly of strings.

At the same time, the version of the malware found in the GitHub repository differed from the version served directly by the command-and-control server at 74.119.194[.]129:3000/j/marstech1, which suggests the malware is still under active development.