DPRK hackers expand operations with two new malware strains

October 17, 2024

Two new malware strains, BeaverTail and InvisibleFerret, are being delivered through the recruiting scams run by DPRK hackers. According to reports, the campaign's primary objective is to steal cryptocurrency assets and victim data.

This scam has been operating since November last year. Threat actors affiliated with the Democratic People’s Republic of Korea (DPRK) pose as recruiters to deceive victims into downloading the BeaverTail malware and the InvisibleFerret backdoor.

The perpetrators of the scam approach software developers through job search platforms, posing as potential employers. The researchers reported that the attackers invite the victim to an online interview, during which the threat actor tries to trick the victim into downloading and installing malware.

The DPRK hackers have employed the BeaverTail malware because it can infect both macOS and Windows systems.

BeaverTail is the first malware deployed in the campaign. The threat actors have leveraged this payload because it is compatible with both macOS and Windows platforms. The hackers deliver it through files disguised as the real-time video call app MiroTalk. In some instances, the attackers also impersonated the conference calling service FreeConference.

Researchers noted that the new versions of BeaverTail capture and exfiltrate data without the victim’s knowledge. Additionally, it can collect browser passwords and credentials for several crypto wallets. The latest version of this malware targets 13 distinct Bitcoin wallet browser extensions, significantly more than the nine targeted by its JavaScript variant.

The second malware that the North Korean hackers employ is InvisibleFerret. It installs a backdoor that logs keystrokes, steals files, and downloads the AnyDesk remote access program, which allows the hackers to control a device remotely. Additionally, it can exfiltrate browser credentials and payment card details.

The researchers revealed that the threat actors have been applying minor code changes gradually, a departure from the InvisibleFerret versions delivered in this campaign last year.

These modifications indicate that the malware authors actively work on the code while the campaign is running. Still, the malware’s overall functionality remains the same.

This North Korean cybercriminal operation is just one of numerous campaigns launched by the country to recruit threat actors or compromise devices at major technology businesses. Concerned parties should therefore be wary of these scams, especially software developers and job seekers, as they are the campaign's primary targets.
