CyberSecurity news
info@thehackernews.com (The Hacker News)@The Hacker News - 12d
SecurityScorecard has uncovered a stealthy malware campaign orchestrated by North Korea's Lazarus Group, dubbed "Marstech Mayhem." The campaign deploys an advanced malware implant named "marstech1," designed to target cryptocurrency wallets and infiltrate the software supply chain. The implant first emerged in late December 2024 and spreads through open-source software via GitHub repositories and npm packages, putting unsuspecting developers and their projects at risk. The group has been injecting JavaScript implants into repositories, blending the malicious code with legitimate code to avoid detection.
The marstech1 implant targets the Exodus and Atomic cryptocurrency wallets on Linux, macOS, and Windows. Once installed, the malware scans the system for crypto wallets and attempts to steal sensitive information from them. SecurityScorecard confirmed at least 233 victims across the U.S., Europe, and Asia. According to SecurityScorecard's analysis, the threat actors have established a command-and-control (C2) server hosted on Stark Industries LLC infrastructure. Ryan Sherstobitoff, SecurityScorecard's SVP of threat research and intelligence, noted that the malware uses layered obfuscation techniques, highlighting the group's sophisticated approach to evading both static and dynamic analysis.
References:
- readwrite.com: Details of the marstech1 implant used by the Lazarus Group in supply-chain attacks.
- The Hacker News: Article describing the Lazarus Group's attack campaign targeting developers with the marstech1 implant.
- www.developer-tech.com: Report on the Lazarus Group's use of the marstech1 malware.
- ReadWrite: "North Korea's Lazarus Group spreads crypto-stealing malware through open-source software"
- Developer Tech News: "Lazarus Group infiltrates supply chain with stealthy malware"
Classification:
- HashTags: #LazarusGroup #SupplyChainAttack #MarstechMayhem
- Target: Software Developers
- Attacker: Lazarus Group
- Product: Open Source Software
- Malware: marstech1
- Type: Malware
- Severity: Major