Tag: crypto

  • North Korean Malware Wins at Hide and Seek

    Courtesy: Wikimedia Commons

    SecurityScorecard has released a report describing how they uncovered evidence of an attack by North Korea’s Lazarus Group against developers. The attack uses sophisticated anti-detection techniques to deliver its new implant Marstech1, designed to steal cryptocurrency wallets.

    Marstech1, a JavaScript implant, is being served by Lazarus’s Command & Control (C2) server, and a similar implant was also added to several open source GitHub repositories.

    This malware targets the directories used by Exodus and Atomic Crypto wallets. It can copy the data, package it, and send it to the C2 server.

    What makes Marstech1 unique, though, is the extent to which its authors have gone to obfuscate the code to avoid detection. From the report:

    The Marstech implants utilize different obfuscation techniques than previously seen. The JS implant that was observed utilizes:

    • Control flow flattening & self-invoking functions
    • Random variable and function names
    • Base64 string encoding
    • Anti-debugging (anti-tamporing [sic] checks)
    • Splitting and recombining strings

    This ensures that if the threat actor embedded the JS into a software project it would go unnoticed.
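    The techniques in that list leave textual traces that a reviewer can look for before a dependency is trusted. The scanner below is an added example for defenders triaging JavaScript, written for this page and not code from the report, from SecurityScorecard or from the implant: it runs a heuristic check for each listed indicator (self-invoking wrapper, random-looking identifiers, Base64 literals, `debugger` anti-debugging, split-and-recombined strings, and a `while(true){switch}` dispatcher typical of control flow flattening) over two constructed snippets, one benign snippet dressed in those techniques and one plain module. Thresholds, indicator names and the samples are assumptions chosen for illustration.

```javascript
// Heuristic triage scanner for the obfuscation indicators listed in the report.
// Added example for defenders reviewing JavaScript dependencies; not code from
// the report, from SecurityScorecard or from the implant itself.

function looksRandom(name) {
  // javascript-obfuscator style names such as _0x4f2a (assumed pattern)
  if (/^_0x[0-9a-f]{3,}$/i.test(name)) return true;
  if (name.length < 6) return false;
  const digits = (name.match(/\d/g) || []).length;
  if (digits >= 2) return true;            // letters and digits interleaved
  return !/[aeiou]/i.test(name);           // long and vowel-free
}

function printable(s) {
  return /^[\x20-\x7e]+$/.test(s);
}

// Each check returns a detail string when it fires, or null when it does not.
const CHECKS = {
  self_invoking_function(src) {
    return /\(\s*function\b[\s\S]*?\}\s*\)\s*\(/.test(src) ? 'IIFE wrapper present' : null;
  },
  random_identifiers(src) {
    const names = [];
    const re = /\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)/g;
    let m;
    while ((m = re.exec(src)) !== null) names.push(m[1]);
    const random = names.filter(looksRandom);
    // fire when at least two declared names look random and they are the majority
    if (random.length >= 2 && random.length * 2 >= names.length) {
      return `${random.length}/${names.length} declared names look random: ${random.join(', ')}`;
    }
    return null;
  },
  base64_literals(src) {
    // long Base64-shaped string literals; decode them so the reviewer sees the payload text
    const decoded = [];
    const re = /['"]([A-Za-z0-9+\/]{20,}={0,2})['"]/g;
    let m;
    while ((m = re.exec(src)) !== null) {
      const text = Buffer.from(m[1], 'base64').toString('utf8');
      decoded.push(printable(text) ? text : '<binary>');
    }
    return decoded.length ? `decoded: ${decoded.join(' | ')}` : null;
  },
  anti_debugging(src) {
    return /\bdebugger\b/.test(src) ? 'debugger statement present' : null;
  },
  split_strings(src) {
    // three or more short literals joined with '+', i.e. a string split to defeat grep
    const m = src.match(/(?:['"][^'"\n]{1,4}['"]\s*\+\s*){2,}['"][^'"\n]{1,4}['"]/);
    return m ? `chained short literals: ${m[0]}` : null;
  },
  flattened_control_flow(src) {
    return /while\s*\(\s*(?:true|!0|1|!!\[\])\s*\)\s*\{\s*switch\s*\(/.test(src)
      ? 'while(true){switch} dispatcher present' : null;
  },
};

function scanSource(src) {
  const hits = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    const detail = check(src);
    if (detail !== null) hits.push({ name, detail });
  }
  const score = hits.length;
  const verdict = score >= 3 ? 'likely-obfuscated' : score > 0 ? 'review' : 'no-indicators';
  return { score, verdict, hits };
}

// Constructed samples (not taken from the implant): a harmless snippet dressed in
// the listed techniques, and a plain module for comparison. Neither is executed.
const OBFUSCATED_SAMPLE = `
(function () {
  var _0x4f2a = 0, _0x1c9e = [];
  var q7x2m9 = "aGVsbG8gZnJvbSBzYW1wbGU=";
  var z3k8p1 = 'co' + 'nf' + 'ig' + '.j' + 'son';
  var msg = Buffer.from(q7x2m9, 'base64').toString();
  while (!![]) {
    switch (_0x4f2a++) {
      case 0: debugger; continue;
      case 1: _0x1c9e.push(z3k8p1, msg); continue;
    }
    break;
  }
})();
`;

const CLEAN_SAMPLE = `
function loadWalletConfig(path) {
  const raw = readFileSync(path, 'utf8');
  return JSON.parse(raw);
}
`;

for (const [label, src] of [['obfuscated', OBFUSCATED_SAMPLE], ['clean', CLEAN_SAMPLE]]) {
  const r = scanSource(src);
  console.log(`${label}: ${r.verdict} (${r.score} indicators)`);
  for (const h of r.hits) console.log(`  ${h.name}: ${h.detail}`);
}
```

    Each check is a regular-expression heuristic, so it is a triage aid rather than a verdict: a minified but honest library will trip the random-identifier and IIFE checks, which is why the score only reaches "likely-obfuscated" when several independent indicators fire together, and why the Base64 check decodes what it finds so the reviewer can see whether the hidden text is a harmless constant or a file path worth a closer look.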

    There’s a full explanation in the report, so if you’re interested I highly recommend it. Suffice it to say that security researchers have their work cut out for them right now.