VTA-004504 – Operation 99: Lazarus Group Targets Developers with Sophisticated Cyberattack
On January 9, 2025, researchers identified Operation 99, a campaign by North Korea's Lazarus Group targeting software developers working in Web3 and cryptocurrency. The attackers approach developers with fake job offers on platforms such as LinkedIn and persuade them to clone malicious GitLab repositories. A git clone by itself does not execute repository content; the malware runs once the developer builds or runs the project, at which point it connects to attacker-controlled servers, steals sensitive data, and can spread further through the developer's own networks and projects.
The malware is modular, with several components working together. Main99 is a downloader that fetches the additional components; Payload99/73 collects keystrokes, clipboard contents, and files; MCLIP is a dedicated monitor for what the victim types and copies. The components are heavily obfuscated, which hampers signature-based detection.
Operation 99 is more advanced than the group's earlier developer-targeting campaigns. The malware does not delete itself after infection, so the attackers retain access for longer. It also wraps its payload in 65 layers of encryption and introduces new tooling, making it harder to analyze and more effective once running.
The campaign is particularly dangerous because it targets developers: a compromised developer account or workstation can expose entire projects and organizations through the access and credentials that developer holds. The Lazarus Group is after valuable data, including cryptocurrency keys, whose theft could help fund the North Korean government.
Severity:
Medium
Attack Surface:
Email, Messaging, Supply Chain (Third-party vendors)
Tactics:
Collection, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access
Techniques:
T1566 – Phishing
T1204 – User Execution
T1543 – Create or Modify System Process
T1027 – Obfuscated Files or Information
T1056 – Input Capture
T1005 – Data from Local System
T1041 – Exfiltration Over Command and Control Channel
T1565 – Data Manipulation
References:
1. https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/
SuperPRO’s Threat Countermeasures Procedures:
1. Verify LinkedIn profiles and job offers by contacting the recruiter or company through official channels (the company's published contact details, not the ones supplied in the message) before engaging.
2. Inspect Git repositories before running anything from them: confirm the source is trusted, and review install-time hooks (npm lifecycle scripts, setup.py, Makefiles) and any encoded or obfuscated code before building, installing dependencies, or executing the project.
3. Deploy endpoint detection (EDR) on developer workstations to flag abnormal process activity and block known malware from executing.
4. Educate developers on recognizing social engineering, phishing, and repository tampering to improve awareness and day-to-day security practices.
5. Segregate development environments from production and sensitive systems (including wallets and signing keys) so that a compromised workstation cannot reach them.
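The repository check in countermeasure 2 can be partly automated. The script below is an added example for this advisory, not code from SuperPRO or from the SecurityScorecard report: it walks a checked-out repository and flags the two things a repository-delivered loader depends on, install-time hooks that run when the project is built (npm lifecycle scripts, setup.py and similar), and exec()/eval() applied to a blob wrapped in many base64/zlib layers, counting those layers so a reviewer sees the depth at a glance. The hook list, file names, length threshold and the sample repository it builds are constructed for the demo and are assumptions, not artifacts from the campaign.

```python
"""Repository triage before a cloned project is built or run.

Added example for countermeasure 2 of this advisory; not code from SuperPRO
or SecurityScorecard. The npm hook list, file-name heuristics, length
threshold and the demo repository are assumptions made for the example.
"""
from __future__ import annotations

import base64
import binascii
import json
import os
import re
import tempfile
import zlib

# npm runs these automatically on `npm install`; other build tools have equivalents.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Files that execute code when the project is built or installed.
INSTALL_TIME_FILES = {"setup.py", "Makefile", ".pre-commit-config.yaml", "Dockerfile"}
# Source-level indicators of payloads that are decoded or executed at run time.
SUSPICIOUS_CALLS = re.compile(
    r"\b(exec|eval|marshal\.loads|zlib\.decompress|base64\.b64decode|__import__)\s*\(")
LONG_B64 = re.compile(r"[A-Za-z0-9+/=]{100,}")  # minimum blob length is an assumption
SKIP_DIRS = {".git", "node_modules", ".venv"}


def peel_layers(blob: bytes, max_layers: int = 200) -> int:
    """Count how many base64/zlib layers wrap `blob` before non-decodable data appears."""
    layers = 0
    while layers < max_layers:
        data = blob.strip()
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            try:
                decoded = zlib.decompress(data)
            except zlib.error:
                break  # neither base64 nor zlib: innermost layer reached
        if not decoded:
            break
        blob = decoded
        layers += 1
    return layers


def scan_repo(root: str) -> list[str]:
    """Walk a checked-out repository and return human-readable findings."""
    findings: list[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "package.json":
                try:
                    with open(path, encoding="utf-8") as fh:
                        scripts = json.load(fh).get("scripts", {})
                except (OSError, json.JSONDecodeError, AttributeError):
                    scripts = {}
                for hook in sorted(NPM_HOOKS & set(scripts)):
                    findings.append(f"{rel}: npm lifecycle script '{hook}' runs on install: {scripts[hook]}")
            elif name in INSTALL_TIME_FILES:
                findings.append(f"{rel}: executes at build/install time, review before running")
            if name.endswith((".py", ".js", ".mjs", ".ts")):
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue
                calls = sorted(set(SUSPICIOUS_CALLS.findall(text)))
                if calls:
                    findings.append(f"{rel}: dynamic execution/decoding calls: {', '.join(calls)}")
                for blob in LONG_B64.findall(text):
                    depth = peel_layers(blob.encode())
                    if depth:
                        findings.append(f"{rel}: {depth}-layer encoded blob ({len(blob)} chars)")
    return findings


def wrap_payload(payload: bytes, layers: int) -> bytes:
    """Build a test artifact: alternate zlib and base64 so the outermost layer is base64 text."""
    for i in range(layers):
        payload = zlib.compress(payload) if (layers - i) % 2 == 0 else base64.b64encode(payload)
    return payload


def build_demo_repo() -> str:
    """Write a constructed repository (not a real Operation 99 sample) to a temp dir."""
    root = tempfile.mkdtemp(prefix="repo-triage-")
    stage2 = b"# constructed stage-2 placeholder\n" + b'print("second stage would run here")\n' * 3
    blob = wrap_payload(stage2, 5).decode()
    files = {
        "package.json": json.dumps({"name": "web3-demo", "scripts": {
            "postinstall": "node scripts/bootstrap.js", "test": "jest"}}),
        "scripts/bootstrap.js": 'const cp = require("child_process");\ncp.exec("python3 helper/loader.py");\n',
        "helper/loader.py": f'import base64\nblob = b"{blob}"\nexec(base64.b64decode(blob))\n',
        "src/index.js": "module.exports = () => 42;\n",  # clean file, should produce no finding
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for line in scan_repo(build_demo_repo()):
        print(line)
```

Run it against a fresh clone before `npm install`, `pip install -e .` or any build step; a postinstall hook pointing at a script that in turn `exec`s a multi-layer blob is the pattern to stop on. The layer counter only understands base64 and zlib, so custom encodings will show up as a long opaque string with zero layers, which is still worth a manual look.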
Contributed by: Eddy