North Korean hackers flooded the Internet with clones of open-source software into which backdoors had been inserted

The Lazarus hacker group, which is associated with the DPRK authorities, conducted a large-scale operation named Phantom Circuit: it compromised hundreds of systems around the world with the aim of stealing secret information. To do this, the attackers cloned legitimate open-source software and inserted backdoors into it, in the hope that developers and other potential victims, mainly those working in the cryptocurrency industry, would unwittingly use the clones and make their machines vulnerable. The malicious projects were spread through large platforms, including GitLab.

Image source: altumcode / unsplash.com

The scheme was discovered by cybersecurity experts from SecurityScorecard. Last November, 181 developers, mainly from the European technology sector, became victims of the hackers. In December, their number increased to 1,225 people, including 284 from India and 21 from Brazil. In January, another 233 victims were added, including 110 from the Indian technology sector. The cybercriminals managed to steal their victims' accounts, authentication tokens, passwords and other confidential information.

The repositories cloned and altered by the hackers included such projects as Codementor, Coinproperty, Web3 E-Store, a Python-based password manager, and other applications related to cryptocurrency and Web3, according to SecurityScorecard. When a victim unknowingly downloaded and installed such an application, a backdoor was installed on their machine as well, allowing the attackers to connect to it, steal confidential data and send it to their own infrastructure. The Lazarus Group command-and-control (C2) servers involved in the Phantom Circuit scheme turned out to have been operating since September: they were used to communicate with infected systems, deliver malware and copy stolen data. The experts could not find out "how the extracted data were processed, and what infrastructure was used to manage these servers."
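The attack described above relies on a victim not noticing that a clone differs from the upstream project it imitates. As an added illustration (not code from the article or from SecurityScorecard), the following Python script compares a snapshot of a suspect clone against the upstream repository, lists the files that were added or modified, and flags code patterns that a reviewer would want to look at before installing: dynamic code execution, encoded payloads, network callouts and install-time hooks. The two repository snapshots, the file names and the indicator list are all constructed for the example; the "backdoor" content is an inert placeholder string that is never executed.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshots of a legitimate upstream project and a suspect clone
# (path -> file contents). In practice these would be read from two checkouts.
UPSTREAM: Dict[str, str] = {
    "README.md": "# pwmanager\nA small password manager.\n",
    "pwmanager/vault.py": "def save(entry):\n    return entry\n",
    "setup.py": "from setuptools import setup\nsetup(name='pwmanager')\n",
}

CLONE: Dict[str, str] = {
    "README.md": "# pwmanager\nA small password manager.\n",
    "pwmanager/vault.py": "def save(entry):\n    return entry\n",
    # Modified: a post-install hook was added to the packaging script.
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "setup(name='pwmanager', cmdclass={'install': install})\n"
    ),
    # Added: placeholder for an injected module; the payload string is inert.
    "pwmanager/_compat.py": (
        "import base64, urllib.request\n"
        "exec(base64.b64decode('PLACEHOLDER_NOT_REAL_PAYLOAD'))\n"
    ),
}

# Indicator patterns a reviewer would want surfaced in newly added/changed code.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("dynamic-exec", re.compile(r"\b(exec|eval)\s*\(")),
    ("encoded-payload", re.compile(r"\bbase64\.b64decode\s*\(")),
    ("network-call", re.compile(r"\b(urllib\.request|requests|socket)\b")),
    ("install-hook", re.compile(r"\bcmdclass\s*=|setuptools\.command\.install")),
]


def diff_snapshots(upstream: Dict[str, str], clone: Dict[str, str]
                   ) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, modified, removed) paths, each list sorted."""
    added = sorted(p for p in clone if p not in upstream)
    removed = sorted(p for p in upstream if p not in clone)
    modified = sorted(p for p in clone if p in upstream and clone[p] != upstream[p])
    return added, modified, removed


def scan_indicators(text: str) -> List[str]:
    """Return the names of all indicator patterns that match the given text."""
    return [name for name, pattern in INDICATORS if pattern.search(text)]


def review_clone(upstream: Dict[str, str], clone: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every added or modified path in the clone to its matched indicators.

    Unchanged files are not scanned: the point is to review only what the
    clone changed relative to the project it claims to be.
    """
    added, modified, _removed = diff_snapshots(upstream, clone)
    return {path: scan_indicators(clone[path]) for path in added + modified}


if __name__ == "__main__":
    added, modified, removed = diff_snapshots(UPSTREAM, CLONE)
    print("added:", added, "modified:", modified, "removed:", removed)
    for path, hits in review_clone(UPSTREAM, CLONE).items():
        print(f"{path}: {', '.join(hits) or 'no indicators'}")
```

The indicator list is deliberately coarse: any of these patterns can appear in honest code, so the output is a review queue, not a verdict. The useful property is the diff step, which keeps the queue short by scanning only what the clone changed relative to the project it claims to be.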

The experts discovered a hidden administrative system on each server that provided centralized control of the attack; the system was written with React and Node.js. To hide the origin of the campaign, the Lazarus Group hackers used multi-layer obfuscation: VPNs concealed the geographic origin, and at the proxy level the malicious activity was mixed with harmless network traffic. The servers were hosted in the Stark Industries infrastructure; SecurityScorecard's experts found that they were connected to at least six North Korean addresses, one of which had previously been associated with Lazarus attacks on the Codementor platform. The stolen data was exfiltrated to Dropbox cloud storage.

Published by admin
