North Korea’s Lazarus Group Launches Major Supply Chain Cyber Attack

February 7, 2025

In a move that underscores the increasing sophistication and cunning of cybercriminals, North Korea's infamous Lazarus Group has orchestrated a large-scale supply chain attack. The cyber-espionage campaign, dubbed Phantom Circuit, involved cloning legitimate open-source projects and injecting them with malicious backdoors, primarily targeting the cryptocurrency industry. The compromised projects, distributed mainly via platforms such as GitLab, were aimed at developers who would unwittingly integrate the malware-laced clones into their own systems.

Unmasking the Phantom Circuit Campaign

Compromised Projects and Initial Targets

During the investigation, SecurityScorecard researchers uncovered that the Lazarus Group cloned several reputable open-source projects, including Codementor, CoinProperty, and Web3 E-Store. The cloned projects contained hidden, JavaScript-obfuscated backdoors that let the group install malware on users' systems once the compromised packages were integrated. The backdoors were then used to exfiltrate sensitive data such as credentials, tokens, and passwords.
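The article does not describe the backdoors themselves, so what follows is an added, defender-side example (not code from the article, from SecurityScorecard, or from any of the cloned projects) of the kind of check a developer can run before integrating a forked repository: compare the fork's file tree against the trusted upstream tree, then score any JavaScript the fork added or modified for common obfuscation markers (eval / new Function, atob, String.fromCharCode, hex escapes, long base64-like literals, high-entropy string literals). The "upstream" and "clone" trees, the file names, and the trailing obfuscated line (which merely encodes a console.log call) are constructed for illustration, and the entropy and score thresholds are assumptions rather than published figures.

```python
"""Added example: compare a forked repository against its trusted upstream and
flag JavaScript files that look obfuscated. Not the article's or SecurityScorecard's
code; the sample trees below are constructed for illustration."""
import hashlib
import math
import re
from collections import Counter

# Source-level markers commonly seen in obfuscated JavaScript loaders.
SUSPECT_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "atob": re.compile(r"\batob\s*\("),
    "hex_escape": re.compile(r"\\x[0-9a-fA-F]{2}"),
    "long_literal": re.compile(r"['\"][A-Za-z0-9+/=]{40,}['\"]"),
}
ENTROPY_LIMIT = 4.5   # assumed threshold: bits/char above which a literal looks encoded
MIN_LITERAL_LEN = 20  # assumed: ignore short literals when measuring entropy


def shannon_entropy(text: str) -> float:
    """Bits per character of the given text (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def string_literals(src: str) -> list:
    """Simplified scanner for '...', "..." and `...` literals (keeps escapes as written).
    It does not understand comments or regex literals; good enough for a heuristic."""
    out, i, n = [], 0, len(src)
    while i < n:
        quote = src[i]
        if quote not in "'\"`":
            i += 1
            continue
        j, buf = i + 1, []
        while j < n and src[j] != quote:
            step = 2 if src[j] == "\\" and j + 1 < n else 1
            buf.append(src[j:j + step])
            j += step
        out.append("".join(buf))
        i = j + 1
    return out


def obfuscation_score(js_source: str) -> dict:
    """Count suspect markers and measure literal entropy; higher score = more suspicious."""
    hits = {name: len(pat.findall(js_source)) for name, pat in SUSPECT_PATTERNS.items()}
    long_literals = [s for s in string_literals(js_source) if len(s) >= MIN_LITERAL_LEN]
    max_entropy = max((shannon_entropy(s) for s in long_literals), default=0.0)
    score = sum(hits.values()) + (2 if max_entropy > ENTROPY_LIMIT else 0)
    return {"hits": hits, "max_literal_entropy": round(max_entropy, 2), "score": score}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_against_upstream(upstream: dict, clone: dict) -> dict:
    """Compare two file trees (path -> bytes) and report what the clone changed."""
    added = sorted(set(clone) - set(upstream))
    removed = sorted(set(upstream) - set(clone))
    modified = sorted(p for p in set(upstream) & set(clone)
                      if sha256(upstream[p]) != sha256(clone[p]))
    return {"added": added, "removed": removed, "modified": modified}


def review_clone(upstream: dict, clone: dict, threshold: int = 3) -> list:
    """Return (path, report) for JS files the clone added or modified that score as obfuscated."""
    delta = diff_against_upstream(upstream, clone)
    findings = []
    for path in delta["added"] + delta["modified"]:
        if path.endswith(".js"):
            report = obfuscation_score(clone[path].decode("utf-8", errors="replace"))
            if report["score"] >= threshold:
                findings.append((path, report))
    return findings


# Constructed sample trees: a tiny "upstream" project and a clone of it whose
# index.js gained one obfuscated line (the encoded payload is just console.log('hi')).
UPSTREAM = {
    "package.json": b'{"name": "demo-store", "version": "1.0.0", "main": "index.js"}',
    "index.js": b"const http = require('http');\n"
                b"http.createServer((q, s) => s.end('ok')).listen(3000);\n",
}
CLONE = dict(UPSTREAM)
CLONE["index.js"] = UPSTREAM["index.js"] + (
    b"(function(){var k='\\x70\\x72\\x6f\\x63\\x65\\x73\\x73';"
    b"eval(atob('Y29uc29sZS5sb2coJ2hpJyk='));})();\n"
)

if __name__ == "__main__":
    print("tree diff:", diff_against_upstream(UPSTREAM, CLONE))
    for path, report in review_clone(UPSTREAM, CLONE):
        print(f"suspicious: {path} score={report['score']} hits={report['hits']}")
```

The tree comparison is the part that matters most: a clone that is byte-for-byte identical to its upstream cannot carry an extra backdoor, so reviewing only the files that differ keeps the obfuscation heuristics focused on a small, reviewable set. The marker counts are deliberately crude; minified or bundled code will also trip some of them, so treat a high score as a prompt for manual review rather than a verdict.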

The campaign initially targeted 181 developers in Europe in November, aiming to infiltrate organizations through their development teams. By December it had expanded sharply to over 1,225 victims worldwide, with significant concentrations in India and Brazil. By January 2024, another 233 victims had been compromised, predominantly within India's growing tech sector. This methodical targeting is consistent with the Lazarus Group's persistence and its historical focus on strategically and economically significant sectors.

Evolving Tactics and Malware Delivery

A notable shift in the Lazarus Group's tactics was observed throughout this campaign. Instead of attacking targets directly, the group embedded malware into copies of legitimate software to gain broad, sustained access while evading detection. Once the compromised software was in use, the dormant backdoor granted ongoing access to the victim's systems.

SecurityScorecard's investigation into Operation 99, a related fake job offer scam earlier in the year, uncovered connections to Phantom Circuit's command-and-control (C2) infrastructure. These C2 servers, active since September 2024, managed the delivery of malicious payloads and the exfiltration of stolen data. The Lazarus Group ran a centralized administrative platform, built on a React application and a JavaScript API, to coordinate these operations. Together, these strategies gave the campaign a wide reach and underscore the group's adaptability and technical capability.

Cloaking Activities and Hidden Infrastructure

Concealing Malicious Operations

The Lazarus Group employed advanced obfuscation techniques to conceal its activities, making detection by cybersecurity professionals significantly harder. It routed its operations through Astrill VPN endpoints to hide their geographic origin, masking the location from which the attacks were conducted and making it difficult for security teams to trace the source of the threat.

Marching Stealthily

The group further cloaked its operations by using compromised servers and various engagement channels to disguise its true activities. These techniques made the attacks harder to identify and mitigate, reinforcing the need for robust, multi-layered security measures.

In Conclusion

In a move that highlights the growing sophistication and cleverness of cybercriminals, North Korea's notorious Lazarus Group has executed a large-scale supply chain attack. The cyber-espionage campaign, named Phantom Circuit, involved duplicating genuine open-source projects and embedding them with harmful backdoors, with a primary focus on the cryptocurrency industry. The altered projects were mainly distributed through platforms such as GitLab, targeting developers who would unknowingly incorporate the malware-infected clones into their own systems.

The Lazarus Group's strategy was meticulous: the infected versions were nearly indistinguishable from the legitimate ones, making the hidden threats extremely difficult for developers to detect. By modifying open-source projects, the group exploited the trust developers place in these resources, enabling wide-reaching infiltration of unsuspecting systems in the cryptocurrency space. The attack underscores the need for increased vigilance and robust security practices in the software development community to prevent such breaches in the future.
