Analysts recently identified a new iteration of BeaverTail malware associated with the CL-STA-240 Contagious Interview campaign , first discovered in November 2023. The threat actors, associated with the Democratic People’s Republic of Korea (DPRK), pose as prospective employers and target individuals seeking employment within the Information Technology sector through popular job search platforms such as LinkedIn and X. The threat actors then attempt to convince the victims to participate in online interviews to trick them into downloading and installing malware. |
Profile of a fake recruiter on X. Image Source: Unit 42 |
This new BeaverTail variant was detected as early as July 2024. It was written in Qt rather than JavaScript, allowing threat actors to create cross-platform applications for Windows and macOS simultaneously. The updated malware has expanded to target 13 distinct cryptocurrency wallet browser extensions. Other updated features enable password theft in macOS and the theft of cryptocurrency wallets in macOS and Windows. These changes align with the ongoing financial interests of North Korean threat actors. |
Once installed, BeaverTail runs in the background and forwards stolen sensitive data to the command and control (C2) server. After exfiltration, BeaverTail attempts to download the Python programming language from hxxp://<c2_server>:1224/pdown. Python is necessary for InvisibleFerret to function on different operating systems. The first stage of InvisibleFerret then downloads from hxxp://<c2_server>:1224/client/<campaign_id>. |
InvisibleFerret components infographic. Image Source: Unit 42 |
The attack ends with the delivery of the InvisibleFerret backdoor, which can be used for keylogging, file exfiltration, and downloading remote control software such as AnyDesk. If the malware is successfully downloaded, this campaign could potentially compromise prospective companies that may hire the targeted job seekers, leading to the extraction and exfiltration of sensitive data. |
Recommendations |
Educate yourself and others about these and similar scams. Refrain from clicking on links and attachments delivered via emails or social media messages. Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds. Confirm the legitimacy of requests by contacting the careers section of a company’s official website or by calling the company’s human resources department to verify if the job offer is legitimate. Report malicious cyber activity to the FTC, FBI’s IC3. |