North Korean Hackers Update BeaverTail Malware to Target MacOS Users
Summary:
Security researchers have uncovered a new variant of BeaverTail, an infostealer malware that has been associated with the Democratic People's Republic of Korea (DPRK). BeaverTail was first documented by Palo Alto Networks Unit 42 in November 2023. In campaigns observed to date, the info stealer has been used to target job seekers such as software developers through the employment of fake job interview processes. For its part, the implant is designed to exfiltrate sensitive information from web browsers and crypto wallets. It also comes with capabilities to deploy additional tooling such as InvisibleFerret, a Python backdoor that's responsible for downloading AnyDesk for persistent remote access.
Security Officer Comments:
The latest variant of BeaverTail is an Apple macOS disk image named “MiroTalk[.]dmg” which is designed to mimic the legitimate video calling service, MiroTalk, by using the same name. This DMG file facilitates the theft of data from cryptocurrency wallets, iCloud Keychain, and web browsers like Google Chrome, Brave, and Opera. As mentioned above, it is also capable of downloading and executing additional Python scripts from a remote server.
Suggested Corrections:
The distribution vector for the new variant of BeaverTail differs from previous campaigns where the infostealer was delivered via bogus npm packages hosted on GitHub and the npm package registry. In the latest campaign, actors are likely approaching potential job seekers and requesting they join a meeting by downloading software, which in this case is masquerading as a legitimate video calling service, MiroTalk. In general, job seekers should take caution when scouring the web for potential opportunities. Normally, companies won’t ask job applicants to install software during the interview process. If video calling software is required for the interview, it should only be downloaded from the official vendor site. Running new or untrusted applications in a sandbox environment and having antivirus solutions in place can also help deter potential infections.
Link(s):
https://thehackernews.com/2024/07/north-korean-hackers-update-beavertail.html
Security researchers have uncovered a new variant of BeaverTail, an infostealer malware that has been associated with the Democratic People's Republic of Korea (DPRK). BeaverTail was first documented by Palo Alto Networks Unit 42 in November 2023. In campaigns observed to date, the info stealer has been used to target job seekers such as software developers through the employment of fake job interview processes. For its part, the implant is designed to exfiltrate sensitive information from web browsers and crypto wallets. It also comes with capabilities to deploy additional tooling such as InvisibleFerret, a Python backdoor that's responsible for downloading AnyDesk for persistent remote access.
Security Officer Comments:
The latest variant of BeaverTail is an Apple macOS disk image named “MiroTalk[.]dmg” which is designed to mimic the legitimate video calling service, MiroTalk, by using the same name. This DMG file facilitates the theft of data from cryptocurrency wallets, iCloud Keychain, and web browsers like Google Chrome, Brave, and Opera. As mentioned above, it is also capable of downloading and executing additional Python scripts from a remote server.
Suggested Corrections:
The distribution vector for the new variant of BeaverTail differs from previous campaigns where the infostealer was delivered via bogus npm packages hosted on GitHub and the npm package registry. In the latest campaign, actors are likely approaching potential job seekers and requesting they join a meeting by downloading software, which in this case is masquerading as a legitimate video calling service, MiroTalk. In general, job seekers should take caution when scouring the web for potential opportunities. Normally, companies won’t ask job applicants to install software during the interview process. If video calling software is required for the interview, it should only be downloaded from the official vendor site. Running new or untrusted applications in a sandbox environment and having antivirus solutions in place can also help deter potential infections.
Link(s):
https://thehackernews.com/2024/07/north-korean-hackers-update-beavertail.html