Attackers linked to North Korea have been seen targeting job seekers in the tech industry to deliver updated versions of popular malware families tracked as BeaverTail and InvisibleFerret.
The cluster of activity, tracked as CL-STA-0240, is part of the Contagious Interview campaign that Palo Alto Networks Unit 42 first disclosed in November 2023.
“The threat actor behind CL-STA-0240 is contacting software developers through job search platforms, posing as potential employers,” Unit 42 said in a new report.
“The attackers invite the victim to participate in an online interview where the threat actor tries to convince the victim to download and install malware.”
The first stage of the infection is the BeaverTail downloader and information stealer, which targets both Windows and Apple macOS. BeaverTail serves as the delivery vehicle for the Python-based InvisibleFerret backdoor.
The fact that the activity remains ongoing despite public disclosure indicates that the operators continue to succeed in tricking developers into executing malicious code under the guise of a coding interview or assignment.
Security researcher Patrick Wardle and cybersecurity firm Group-IB recently detailed, in two separate analyses, an attack chain that used fake Windows and macOS video conferencing applications masquerading as MiroTalk and FreeConference.com to infect developers’ systems with BeaverTail and InvisibleFerret.
Notably, the fake application is built with Qt, which supports cross-compilation for both Windows and macOS. The Qt-based version of BeaverTail can steal browser passwords and harvest data from multiple cryptocurrency wallets.
In addition to exfiltrating data to an adversary-controlled server, BeaverTail can download and execute the InvisibleFerret backdoor, which itself consists of two components:
- A core payload that handles fingerprinting of the infected host, remote control, keylogging, data exfiltration, and downloading of AnyDesk
- A browser-focused component that collects browser credentials and credit card information
“North Korean threat actors are known to commit financial crimes for funds to support the DPRK regime,” Unit 42 said. “This campaign may be financially motivated as the BeaverTail malware can steal 13 different cryptocurrency wallets.”