Wednesday, April 2, 2025

North Korean hackers target software developers by posing as recruiters in fake job interviews, using the lure to distribute cross-platform malware to unsuspecting victims.

North Korean threat actors have been observed targeting tech industry job seekers, using fake recruitment pitches to deliver updated versions of two known malware families, BeaverTail and InvisibleFerret.

The activity cluster, tracked as CL-STA-0240, is part of the “Operation ShadowNet” campaign first documented by Palo Alto Networks’ Unit 42 team in November 2023.

According to a recent report from Unit 42, the threat actor behind CL-STA-0240 is targeting software developers through job search platforms while posing as a prospective employer.

Attackers typically initiate contact with victims through online interviews, during which they attempt to persuade the candidate to install malware.

The initial phase of an infection involves BeaverTail, a downloader and information stealer engineered to run on both Windows and Apple macOS. The malware serves as a gateway for the Python-based InvisibleFerret backdoor.

Despite public reporting on the campaign, evidence suggests that the threat actors continue to succeed by convincing developers to run or integrate malicious code in their projects under the guise of a legitimate programming task.
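The defensive counterpart to that lure is to audit a "take-home task" repository before running it. The following script is an added example, not code from the article or from Unit 42: it flags the two things a developer can check offline in seconds, npm lifecycle hooks that execute on `npm install`, and source files containing eval-like constructs or long high-entropy string literals. The sample project it builds is constructed for the demo, and the entropy threshold and regex patterns are illustrative assumptions rather than published BeaverTail indicators.

```python
"""Pre-execution audit of a cloned repository: flags install-time hooks and
obfuscation-like patterns so a developer can pause before running the code.
Added example; thresholds and patterns are illustrative assumptions, not
indicators published for BeaverTail or InvisibleFerret."""
import base64
import json
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Source constructs common in obfuscated loaders (assumed heuristics)
EVAL_LIKE = re.compile(r"\beval\s*\(|new\s+Function\s*\(|String\.fromCharCode")
STRING_LITERAL = re.compile(r"'([^'\n]{40,})'|\"([^\"\n]{40,})\"")
ENTROPY_THRESHOLD = 4.5   # bits/char; English text and ordinary code sit well below


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for a one-symbol string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_package_json(text: str) -> list:
    """Flag lifecycle hooks in package.json, which run code at install time."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except json.JSONDecodeError:
        return [{"kind": "unparseable-package-json", "detail": "invalid JSON"}]
    return [{"kind": "lifecycle-hook", "detail": f"{hook}: {scripts[hook]}"}
            for hook in LIFECYCLE_HOOKS if hook in scripts]


def audit_js_source(text: str) -> list:
    """Flag eval-like constructs and long high-entropy string literals."""
    findings = [{"kind": "eval-like", "detail": m.group(0)}
                for m in EVAL_LIKE.finditer(text)]
    for m in STRING_LITERAL.finditer(text):
        literal = m.group(1) or m.group(2)
        ent = shannon_entropy(literal)
        if ent >= ENTROPY_THRESHOLD:
            findings.append({"kind": "high-entropy-literal",
                             "detail": f"{len(literal)} chars, {ent:.2f} bits/char"})
    return findings


def audit_project(root: Path) -> list:
    """Walk a project tree (skipping node_modules) and tag findings with their file."""
    findings = []
    for path in root.rglob("*"):
        if "node_modules" in path.parts or not path.is_file():
            continue
        if path.name == "package.json":
            hits = audit_package_json(path.read_text())
        elif path.suffix in (".js", ".cjs", ".mjs"):
            hits = audit_js_source(path.read_text())
        else:
            continue
        findings.extend({"file": str(path.relative_to(root)), **h} for h in hits)
    return findings


def write_sample_project(root: Path) -> None:
    """Constructed sample (not real malware): a postinstall hook plus a loader
    that decodes a long base64 blob and hands it to eval. The blob is just
    bytes 0..255 encoded, chosen because it yields a high-entropy literal."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task", "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
    blob = base64.b64encode(bytes(range(256))).decode()
    (root / "setup.js").write_text(
        f"const p = Buffer.from('{blob}', 'base64').toString();\neval(p);\n")
    (root / "index.js").write_text("console.log('benign app entry point');\n")


def run_demo() -> list:
    """Build the constructed sample in a temp dir and return its findings."""
    sample = Path(tempfile.mkdtemp()) / "repo"
    write_sample_project(sample)
    return audit_project(sample)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['file']}: {f['kind']} -> {f['detail']}")
```

Run it on a real checkout with `audit_project(Path("path/to/repo"))` before `npm install` or `node .`; a hit is a reason to read the flagged file, not proof of compromise, since build tooling legitimately uses `prepare` hooks and minified bundles contain long literals.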

Security researcher Patrick Wardle of Safety Research Laboratory and Group-IB have recently published findings on an attack vector that used fake video conferencing applications mimicking MiroTalk and FreeConference.com to compromise developer systems with the same BeaverTail and InvisibleFerret tooling.

Notably, the latest BeaverTail variant is built with Qt, which allows it to be cross-compiled for both Windows and macOS. The Qt-based BeaverTail malware steals browser passwords and harvests sensitive data from multiple cryptocurrency wallets.

Once running, BeaverTail sends the stolen data to a server under the attackers' control. Its other primary objective is to fetch and launch the InvisibleFerret backdoor, which comprises two distinct components with their own capabilities:

  • A main payload that gives the attackers access to the compromised host through fingerprinting, remote control, keystroke logging, data exfiltration, and the download of remote-access software such as AnyDesk.
  • A stealer component that covertly harvests sensitive user information.

“Malicious North Korean actors have been identified as engaging in financial criminal activities to raise funds that ultimately support the Democratic People’s Republic of Korea (DPRK) regime,” Unit 42 noted. “This campaign may have a financial motive, as the BeaverTail malware has the capability to steal from 13 distinct cryptocurrency wallets.”
