
Google Attributes Axios npm Supply Chain Attack on North Korean Group UNC1069

Ravie Lakshmanan | April 01, 2026 | Threat Intelligence / Software Security

Google has formally attributed the supply chain compromise of the popular Axios npm package to a cluster of financially motivated North Korean threat activity it tracks as UNC1069.

“We attribute this attack to a North Korean threat actor we track as UNC1069,” John Hultquist, senior analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.

“North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency. The full scope of this incident is unclear, but given the popularity of the vulnerable package, we expect it to have far-reaching implications.”

The development comes after malicious actors took control of the package maintainer’s npm account to push two trojanized versions, 1.14.1 and 0.30.4, which introduced a malicious dependency called “plain-crypto-js” that delivers a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.

Rather than modifying Axios’ own code, the attack relies on a postinstall hook in the malicious dependency’s “package.json” file to execute stealthily: once a vulnerable Axios version is installed, npm automatically runs the malicious code in the background as part of the install.

Specifically, the “plain-crypto-js” package acts as a “payload vehicle” for a JavaScript dropper called SILKBELL (“setup.js”), which downloads the appropriate next stage from a remote server based on the victim’s operating system.

As previously described by The Hacker News, the Windows execution branch delivers PowerShell malware, the macOS branch a C++ Mach-O binary, and the Linux branch a Python backdoor. The dropper also performs a cleanup step that replaces the “package.json” file of the “plain-crypto-js” package with a clean version that no longer contains a postinstall hook.

Image Source: Elastic Security Labs

The backdoor, codenamed WAVESHAPER.V2, is assessed to be an updated version of WAVESHAPER, a C++ backdoor deployed by UNC1069 in attacks aimed at the cryptocurrency sector. The threat actor has been active since 2018. Links between the supply chain attack and UNC1069 were first flagged by Elastic Security Labs, citing operational overlaps.

All three WAVESHAPER.V2 variants support four commands and poll the command-and-control (C2) server at 60-second intervals:

  • kill, to terminate the running malware process.
  • rundir, to list directories, including file paths, sizes, and creation/modification timestamps.
  • runscript, to run AppleScript, PowerShell, or shell commands depending on the operating system.
  • peinject, to save and execute arbitrary binaries.

“WAVESHAPER.V2 is the direct evolution of WAVESHAPER, a backdoor for macOS and Linux previously attributed to UNC1069,” Mandiant and GTIG said. “While the original WAVESHAPER uses a lightweight, raw C2 protocol and uses code packing, WAVESHAPER.V2 communicates using JSON, collects more system information, and supports additional background commands.”

“Despite this improvement, both versions accept their C2 URL dynamically via command-line arguments, share the same C2 polling behavior and random user-agent string, and write secondary payloads to the same temporary directory (e.g., /Library/Caches/com.apple.act.mond).”

To reduce the threat, users are advised to check their dependency trees for the vulnerable versions (and downgrade to a safe version if found), pin Axios to a known safe version in the “package-lock.json” file to prevent version drift, check for the presence of “plain-crypto-js” in “node_modules,” terminate malicious processes, block the C2 infrastructure (the [.]com domain cited in the original report and IP address 142.11.206[.]73), isolate affected systems, and rotate all credentials.
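One way to carry out the dependency-tree check above against a lockfile, as an added example that is not part of the article or of any vendor tooling: it walks the "packages" map of an npm lockfile (v2/v3 format) and flags the two trojanized Axios versions, any copy of "plain-crypto-js", and any package the lockfile marks with "hasInstallScript" (npm's indicator that a preinstall/install/postinstall hook will run). The lockfile content embedded below is constructed for illustration; the function names are my own.

```javascript
// Trojanized Axios versions named in the report.
const VULN_AXIOS = new Set(['1.14.1', '0.30.4']);
const MALICIOUS_DEP = 'plain-crypto-js';

// Constructed sample lockfile (v3 "packages" layout); version of the malicious
// dependency is a placeholder, not a real published value.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

// Package name is the segment after the last "node_modules/" (scoped names keep "@scope/").
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns one finding per suspicious condition: { path, reason }.
function scanLock(lock) {
  const findings = [];
  for (const [lockPath, pkg] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    if (name === 'axios' && VULN_AXIOS.has(pkg.version)) {
      findings.push({ path: lockPath, reason: `trojanized axios ${pkg.version}` });
    }
    if (name === MALICIOUS_DEP) {
      findings.push({ path: lockPath, reason: `malicious dependency ${MALICIOUS_DEP} present` });
    }
    if (pkg.hasInstallScript) {
      findings.push({ path: lockPath, reason: 'declares an install-time script (review before installing)' });
    }
  }
  return findings;
}

// Stand-alone use: `node scan.js [path/to/package-lock.json]`; without an argument it scans the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const f of scanLock(lock)) console.log(`${f.path}: ${f.reason}`);
}
```

Install-script findings are not malicious by themselves (many native modules legitimately declare them), so treat that category as a review list rather than an alert; running `npm ci --ignore-scripts` while reviewing prevents hooks from firing at all.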

“The attack on Axios should be understood as a template, not a one-time event. The level of operational technology documented here, including compromised custodian information, pre-arranged payloads built for three operating systems, both branches released in less than 40 minutes, and self-destructing built-in forensics, shows the threat actor who organized this as a work of ArversingLaw,” The Hacker News was told.

“If this campaign has appeared on PyPI and NuGet, that is consistent with what the attack mechanics have said: the goal was maximum developer access. Organizations need to check not only their dependencies on npm, but every package manager that feeds their build pipelines, and treat any secrets exposed in affected areas as compromised, regardless of which registry they affected.”
