Lazarus Group's New Malware Strategy Targets Developers

The Lazarus Group, the notorious North Korea-linked threat actor, has deployed a new tactic targeting developers worldwide. The campaign uses an advanced malware implant named "Marstech1."

C2 Infrastructure of Marstech1 Malware

The Marstech implant first appeared in late December 2024, communicating with a C2 server at 95.164.45.239 hosted on a Stark Industries VPS. It sends data over port 3000. The implant is embedded in code published by a GitHub account named SuccessFriend, suspected to be a Lazarus Group profile.

The GitHub account "SuccessFriend" has been linked to multiple C2 servers since 2024. The profile contains web development and blockchain projects, matching Lazarus's known interests. Examining the account's activity history, analysts found it had committed code to several projects, most recently in November 2024, when malware-related repositories began to appear.

Figure 1. GitHub account SuccessFriend containing the malicious implant

The implant origin.js, known as Marstech1, was published in this repository. It sends extracted data to hxxp://95.164.45.239:3001/uploads and retrieves second-stage implants from hxxp://95.164.45.239:3001/client/marstech1.

Characteristics of Marstech1

Marstech1 is a JavaScript-based implant that gathers system information such as machine name, platform, and main path. It uses obfuscation techniques including control flow flattening, self-invoking functions, random variable and function names, Base64 string encoding, and anti-debugging checks. These techniques make detection harder and allow the implant to hide inside legitimate software packages or websites.

Figure 2. Malicious payload (origin.js) appearing at the initial stage of the attack campaign

Capabilities of Marstech Malware

Targeting Cryptocurrency Wallets

This JavaScript implant targets Exodus and Atomic cryptocurrency wallets on Linux, macOS, and Windows. It scans the file system for wallet data and reads the file contents or extracts their metadata.

Figure 3. Scanning and data extraction function

Data Extraction Capability

The Marstech1 implant packages stolen file data into an array of objects, each holding a file's content together with identifiers and metadata. This normalized data is sent to the C2 server in an HTTP POST request whose target URL is assembled from Base64-encoded string segments to evade string-based detection. In this way the attackers exfiltrate sensitive information to the remote C2 server.

Anti-Analysis Capabilities

This malware employs the following anti-analysis techniques:

  1. One-time wrappers: Critical functions are wrapped so that they execute only once; subsequent calls have no effect. This hinders re-invoking or hooking those functions during debugging or analysis.

  2. Self-referential check: The code inspects its own functions to detect tampering or attempts at reverse engineering.

  3. Console control takeover: Standard console methods are replaced with custom functions to hide debug output and interfere with logging, making it more difficult to track activities while the malware is running.
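The traits described in the Characteristics, Data Extraction and Anti-Analysis sections lend themselves to a simple static triage check. The script below is an added example, not FPT's or the report's own tooling: it reassembles Base64 string literals from a JavaScript file, searches them and the raw source for the C2 and wallet indicators named in this report, and flags console method overrides. The two JavaScript samples it scans are constructed to mimic the described behaviour and are not the real origin.js.

```python
"""Static triage of a JavaScript file for the Marstech1 traits described in this report."""
import base64
import binascii
import re

# Indicators quoted from the report; defanged hxxp URLs are matched by IP and path only.
C2_INDICATORS = ("95.164.45.239", ":3001/uploads", "/client/marstech1")
WALLET_INDICATORS = ("exodus", "atomic")
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{8,}={0,2})["\']')
CONSOLE_OVERRIDE = re.compile(r"\bconsole\.(log|warn|error|info|debug|trace)\s*=[^=]")

def decode_b64_literals(src: str) -> list[str]:
    """Return each quoted literal that is valid Base64 and decodes to printable ASCII."""
    decoded = []
    for m in B64_LITERAL.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # identifiers and ordinary strings that merely look like Base64
        if text.isprintable():
            decoded.append(text)
    return decoded

def triage_js(src: str) -> list[str]:
    """Return findings for one JavaScript source; an empty list means nothing matched."""
    # The implant assembles its URL from Base64 segments, so search their concatenation too.
    haystack = (src + "\n" + "".join(decode_b64_literals(src))).lower()
    findings = [f"C2 indicator: {ind}" for ind in C2_INDICATORS if ind.lower() in haystack]
    findings += [f"wallet reference: {name}" for name in WALLET_INDICATORS if name in haystack]
    if CONSOLE_OVERRIDE.search(src):
        findings.append("console method override (debug output suppression)")
    return findings

# Constructed samples modelled on the behaviour described above; not the real origin.js.
SAMPLE_JS = r"""(function () {
  var _0x3f = ["aHR0cDovLzk1", "LjE2NC40NS4yMzk6MzAwMS91cGxvYWRz", "RXhvZHVz"];
  var dst = atob(_0x3f[0]) + atob(_0x3f[1]);  // reassembles the upload URL
  console.log = function () {};
  console.error = function () {};
})();"""
CLEAN_JS = r"""const express = require("express");
const app = express();
app.get("/health", (req, res) => res.json({ status: "ok" }));
app.listen(3000, () => console.log("listening"));"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_JS), ("clean", CLEAN_JS)):
        print(label, triage_js(src) or "no findings")
```

Running the script on a dependency's JavaScript files before installation gives a quick first-pass signal; matches on reassembled Base64 segments deserve manual review, since split-and-decode URL construction is rare in legitimate packages.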

Recommendations

FPT Threat Intelligence recommends that organizations and individuals take the following measures to defend against this malware:

  1. Regular software updates: Ensure that the operating system and all software, especially security-related applications, are updated to the latest versions to patch security vulnerabilities.

  2. Use antivirus and firewall software: Install and maintain reliable antivirus and firewall software to detect and block potential threats.

  3. Regular data backups: Regularly back up important data to ensure you can restore it in case of an attack.

  4. Education and awareness: Train employees and users about cybersecurity threats and how to recognize signs of a malware attack.

  5. System monitoring and auditing: Conduct regular security audits and monitor systems to detect unusual activities.

  6. Access restriction: Apply the principle of least privilege, allowing users access only to resources necessary for their work.

  7. Use two-factor authentication (2FA): Implement two-factor authentication for important accounts to enhance security.

  8. Source code and third-party library review: Review the source code and third-party libraries used in software development projects for malicious code before adopting them.

Written by

Tran Hoang Phong