Researchers discovered a new malware campaign called BeaverTail, targeting job seekers in a North Korean cyber espionage operation.
BeaverTail Malware
Initially identified as a JavaScript-based information stealer, BeaverTail has since appeared as a native macOS build that masquerades as legitimate software such as MiroTalk. It is designed to steal confidential data, including browser data and cryptocurrency wallets.
Recently, Group-IB researchers uncovered that BeaverTail malware has also been targeting Windows users through weaponized games.
Group-IB’s cybersecurity specialists have identified two significant developments in the BeaverTail malware family. First, a new Windows version of BeaverTail has been detected, expanding its reach beyond previous platforms.
More concerning is the discovery of an evolved JavaScript variant, built on ReactJS, that spreads through popular games. The malicious code is concealed within NPM (Node Package Manager) packages, which makes it easy to pull into other development projects.
The Lazarus group has adapted the BeaverTail malware to target Windows, disguising it as the FCCCall.exe conferencing app. This campaign, similar to past efforts, occurred between late July and early August, using communication software to infiltrate devices.
BeaverTail malware continues to focus on stealing cryptocurrency wallet information and deploying its second-stage payload, InvisibleFerret. However, its scope has expanded to a wider range of browser extensions, including Kaikas, Rabby, Argent X, and Exodus Web3, indicating the operators' intent to capture more cryptocurrency assets from victims.
IoCs
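As an added defender-side example (not code from the article or from Group-IB), the following Python sweeps an egress log for connections to the two C2 addresses reported for this campaign (port 1224) and checks file bytes against the four reported MD5 hashes. The log format and the sample log lines are constructed assumptions; an IP match on a different port is reported at lower severity rather than ignored.

```python
import hashlib
import re

# Indicators reported for this campaign: C2 endpoints (refanged) and MD5 hashes.
C2_ENDPOINTS = {("185.235.241.208", 1224), ("95.164.17.24", 1224)}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}
KNOWN_MD5 = {
    "dc77044fe8d35882015eaa99ca31f826",
    "b9693b6541a22d01b100b867375279e6",
    "8ebca0b7ef7dbfc14da3ee39f478e880",
    "ed60b3913e6694f4a0ed2fe25551bd1f",
}

# Constructed sample egress log (hypothetical "ts src -> dst:port proto" format).
SAMPLE_LOG = """\
2024-08-01T10:02:11Z 10.0.0.15 -> 142.250.72.14:443 tcp
2024-08-01T10:03:45Z 10.0.0.15 -> 185.235.241.208:1224 tcp
2024-08-01T10:05:02Z 10.0.0.22 -> 95.164.17.24:443 tcp
not a log line
2024-08-01T10:06:30Z 10.0.0.22 -> 95.164.17.24:1224 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\w+)$")

def find_c2_hits(log_text):
    """Return one dict per suspicious connection.

    'high'   = exact IP:port match with a reported C2 endpoint
    'medium' = reported C2 IP on another port (operators may rotate ports)
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the sweep
        ts, src, dst, port, _proto = m.groups()
        port = int(port)
        if (dst, port) in C2_ENDPOINTS:
            hits.append({"ts": ts, "src": src, "dst": dst, "port": port, "severity": "high"})
        elif dst in C2_IPS:
            hits.append({"ts": ts, "src": src, "dst": dst, "port": port, "severity": "medium"})
    return hits

def md5_hex(data):  # same hash format as the indicator list
    return hashlib.md5(data).hexdigest()

def is_known_sample(data):
    return md5_hex(data) in KNOWN_MD5
```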