Cybersecurity researchers have revealed an updated variant of a notorious information-stealing malware that attackers linked to the Democratic People's Republic of Korea (DPRK) have delivered in previous cyber espionage campaigns targeting job seekers.
The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that impersonates the legitimate video calling service of the same name but actually serves as a delivery channel for a native macOS version of BeaverTail, security researcher Patrick Wardle said.
BeaverTail refers to JavaScript stealer malware first documented by Palo Alto Networks' Unit 42 in November 2023 as part of a campaign called Contagious Interview, which aims to infect software developers with malware under the guise of a job interview process. Securonix tracks the same activity under the alias DEV#POPPER.
In addition to extracting sensitive information from web browsers and cryptocurrency wallets, the malware is capable of delivering additional payloads such as InvisibleFerret, a Python backdoor that in turn downloads AnyDesk to establish persistent remote access.
Whereas BeaverTail was previously distributed through fake npm packages hosted on GitHub and on the npm package registry, the latest findings mark a shift in the distribution vector to a trojanized macOS application.
“If I had to guess, the North Korean hackers most likely approached their potential victims by asking them to join a recruitment meeting by downloading and running (an infected version of) MiroTalk hosted on mirotalk(.)net,” Wardle said.
Analysis of the unsigned DMG file shows that it facilitates the theft of data from web browsers such as Google Chrome, Brave and Opera, from cryptocurrency wallets, and from the iCloud Keychain. It is also designed to download and execute additional Python scripts (such as InvisibleFerret) from a remote server. Because the image is unsigned, macOS Gatekeeper will by default refuse to open the bundled application and the victim has to be talked into overriding that prompt, which fits the social engineering described above.
“North Korean hackers are a crafty bunch, and they’re quite adept at hacking macOS targets, even if their technique often relies on social engineering (and thus isn’t very impressive from a technical standpoint),” Wardle said.
The disclosure comes as Phylum uncovered a new malicious npm package called call-blockflow, which is virtually identical to the legitimate call-bind library but includes sophisticated functionality to download a remote binary while making a painstaking effort to fly under the radar.
"In this attack, although the call-bind package was not compromised, the weaponized call-blockflow package copies all the trust and legitimacy of the original to support the success of the attack," the company said in a statement shared with The Hacker News.
The package, suspected to be the work of the North Korea-linked Lazarus Group and unpublished about an hour and a half after it was uploaded to npm, attracted a total of 18 downloads. The evidence suggests that the activity, comprising more than three dozen malicious packages, has been unfolding in waves since September 2023.
"Once installed, these packages downloaded a remote file, decrypted it, executed the exported function on it, and then carefully covered their tracks by deleting and renaming the files," the software security firm said. "This left the package directory in a seemingly benign state after installation."
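The call-blockflow case combines two signals a dependency audit can look for: a package name that closely resembles a trusted one, and an install-time hook (preinstall/install/postinstall) where a download-and-execute step would run. The following is an added example, not Phylum's tooling or code from the packages discussed; the allowlist of known package names and the sample manifests are constructed for illustration, and the assumption that the malicious package ran its payload from an install script is the author's, not something the report above states.

```python
"""Flag npm dependencies that look like a known package and declare install hooks.

Added example for this article; not Phylum's tooling. Inputs are package.json-style
dicts (name + optional scripts) such as a lockfile walker would hand over.
"""
import difflib

# Constructed allowlist (assumption): a real audit would load the organisation's
# approved dependency list or the registry's most-downloaded package names.
KNOWN_PACKAGES = ["call-bind", "get-intrinsic", "function-bind", "has-symbols", "lodash"]

# npm lifecycle scripts that run automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def lookalike_of(name, known=KNOWN_PACKAGES, cutoff=0.5):
    """Return the closest known package name if `name` resembles but is not it.

    A shared prefix such as "call-b" is enough to pull call-blockflow towards
    call-bind at this cutoff; exact matches are never reported.
    """
    if name in known:
        return None
    matches = difflib.get_close_matches(name, known, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def audit(manifests):
    """Return one finding per package that is a lookalike and/or declares install hooks.

    Risk is "high" only when both signals are present: install hooks alone are
    common for legitimate native addons, and a lookalike name alone may be a
    fork or an unlucky choice of name.
    """
    findings = []
    for pkg in manifests:
        name = pkg.get("name", "")
        hooks = [h for h in INSTALL_HOOKS if h in pkg.get("scripts", {})]
        target = lookalike_of(name)
        if target or hooks:
            findings.append({
                "name": name,
                "lookalike_of": target,
                "install_hooks": hooks,
                "risk": "high" if (target and hooks) else "medium",
            })
    return findings


# Constructed sample manifests (not real package contents).
SAMPLE_MANIFESTS = [
    {"name": "call-bind", "version": "1.0.7", "scripts": {"test": "tape test"}},
    {"name": "call-blockflow", "version": "1.0.7",
     "scripts": {"postinstall": "node lib/install.js", "test": "tape test"}},
    {"name": "native-addon", "version": "2.1.0",
     "scripts": {"install": "node-gyp rebuild"}},
    {"name": "express", "version": "4.19.2", "scripts": {}},
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print(finding)
```

Run against the constructed manifests, only call-blockflow is rated high; the native addon is reported at medium because an install hook by itself is expected for packages that compile on install, which is exactly why the two signals are scored together rather than separately.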
It also follows an alert from JPCERT/CC warning of cyber attacks by the North Korean Kimsuky actor targeting Japanese organizations.
The infection process begins with phishing messages that impersonate security and diplomatic organizations and carry a malicious executable which, when opened, loads a Visual Basic Script (VBS); that script in turn extracts a PowerShell script that harvests user account, system and network information and lists files and running processes.
The collected information is then sent to the command-and-control (C2) server, which responds with a second VBS file; this is executed to retrieve and run a PowerShell-based keylogger called InfoKey.
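The chain described in the two paragraphs above (an executable opened from a phishing lure starts a script host, which starts PowerShell) leaves a distinctive parent/child pattern in process-creation telemetry. The block below is an added detection example, not JPCERT/CC's tooling and not derived from the actual samples: it walks a process tree built from constructed Sysmon-style events and flags PowerShell whose parent is wscript.exe or cscript.exe and whose grandparent ran from a user-writable path, adding the command-line flags that the hidden, encoded second stage would typically need. The file names, paths and flags in the sample events are invented for the example.

```python
"""Detect executable -> script host -> PowerShell chains in process-creation events.

Added example for this article; events are constructed, Sysmon-like records
reduced to pid, ppid, image path and command line.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line options commonly used to run a downloaded stage quietly.
FLAG_PATTERNS = {
    "encoded_command": ("-enc ", "-encodedcommand "),
    "hidden_window": ("-w hidden", "-windowstyle hidden"),
    "policy_bypass": ("-ep bypass", "-executionpolicy bypass"),
}

# Constructed sample telemetry (not real logs). pid 200-400 is the malicious chain;
# pid 500 is an administrator launching PowerShell from Explorer.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\a\Downloads\invitation.pdf.exe",
     "cmd": "invitation.pdf.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\a\AppData\Local\Temp\stage1.vbs"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Return [process, parent, grandparent, ...], stopping at unknown or cyclic pids."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def user_writable(path):
    """Crude check for locations a phishing attachment would land in."""
    p = path.lower()
    return "\\users\\" in p and any(
        d in p for d in ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\"))


def suspicious_flags(cmd):
    c = cmd.lower()
    return sorted(name for name, pats in FLAG_PATTERNS.items() if any(p in c for p in pats))


def detect(events):
    """Return findings for PowerShell processes matching the scripted chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        chain = ancestry(by_pid, e["pid"])
        parent = chain[1] if len(chain) > 1 else None
        grand = chain[2] if len(chain) > 2 else None
        reasons = []
        if parent and basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append("spawned_by_script_host")
            # Logon scripts also run wscript -> powershell; the parent's origin is
            # what separates a dropped executable from a script on a system share.
            if grand and user_writable(grand["image"]):
                reasons.append("script_host_launched_from_user_writable_path")
        reasons.extend("flag:" + f for f in suspicious_flags(e["cmd"]))
        if reasons:
            findings.append({
                "pid": e["pid"],
                "chain": [basename(x["image"]) for x in chain],
                "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "low",
            })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The grandparent-path condition is what keeps this from firing on ordinary logon or management scripts, which also produce script host to PowerShell chains; the flag check is scored separately so an encoded, hidden PowerShell is still surfaced when the parent is something other than a script host.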
"Although there have been several reports of Kimsuky attacks on organizations in Japan, there is a possibility that Japan is also being targeted," JPCERT/CC said.