Cybersecurity researchers have uncovered an enhanced version of the BeaverTail malware, previously used by attackers linked to the Democratic People’s Republic of Korea (DPRK) in cyber espionage campaigns targeting job seekers.

The Discovery of “MiroTalk.dmg”

Security researcher Patrick Wardle has identified a malicious Apple macOS disk image (DMG) file named “MiroTalk.dmg.” This file masquerades as the legitimate video call service MiroTalk but is designed to deliver a native version of the BeaverTail malware.

What is BeaverTail?

BeaverTail, initially discovered by Palo Alto Networks Unit 42 in November 2023, is a JavaScript-based stealer malware. It was part of a campaign dubbed “Contagious Interview,” which aimed to infect software developers via a fake job interview process. Securonix has been tracking similar activities under the name DEV#POPPER.

The Capabilities of BeaverTail

BeaverTail is a potent tool for cyber espionage. It can steal sensitive data from web browsers like Google Chrome, Brave, and Opera, as well as from cryptocurrency wallets and iCloud Keychain. Additionally, it has the capability to download and execute other payloads, such as InvisibleFerret, a Python backdoor that installs AnyDesk for persistent remote access.

Shift in Distribution Tactics

Previously, BeaverTail was spread using fake npm packages uploaded to GitHub and the npm package registry. Recent findings indicate a change in distribution tactics. According to Wardle, DPRK hackers may have invited potential victims to a fake hiring meeting, prompting them to download and execute the infected MiroTalk application hosted on mirotalk[.]net.

“The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their techniques often rely on social engineering,” said Wardle.

Malicious npm Package “call-blockflow”

In related news, Phylum discovered a new malicious npm package called “call-blockflow,” which mimics the legitimate “call-bind” package. This weaponized version adds capabilities to download a remote binary file while taking steps to avoid detection.

The package, believed to be the work of North Korea’s Lazarus Group, was unpublished shortly after being uploaded but not before receiving 18 downloads. The activity, involving over three dozen malicious packages, has been ongoing since September 2023.

“These packages, once installed, would download a remote file, decrypt it, execute an exported function from it, and then meticulously cover their tracks by deleting and renaming files,” the software supply chain security firm stated.

Kimsuky Actor Targets Japanese Organizations

JPCERT/CC has also warned of cyber attacks conducted by the North Korean Kimsuky actor against Japanese organizations. The infection process begins with phishing emails impersonating security and diplomatic organizations. These emails contain a malicious executable that downloads a Visual Basic Script (VBS), which in turn retrieves a PowerShell script to gather user account, system, and network information, and enumerate files and processes.

The collected data is sent to a command-and-control (C2) server, which responds with a second VBS file that launches a PowerShell-based keylogger called InfoKey.
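The chain described above (a downloaded executable starting a .vbs via Windows Script Host, which then starts PowerShell) is a process-lineage pattern a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from JPCERT/CC; the event fields and sample values are constructed assumptions, not a real log format or a real Kimsuky sample.

```python
"""Flag PowerShell launched by a Windows Script Host that was itself started with
a .vbs file, and report the process ancestry so an analyst can see the chain."""
from dataclasses import dataclass


@dataclass
class ProcEvent:          # constructed, simplified process-creation record
    pid: int
    ppid: int
    image: str            # lowercase file name of the started process
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def ancestry(event, by_pid, limit=5):
    """Return image names from the oldest known ancestor down to `event`."""
    chain = [event.image]
    cur = event
    for _ in range(limit):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur.image)
    return list(reversed(chain))


def find_vbs_to_powershell(events):
    """Return an ancestry chain for every PowerShell process whose parent is a
    script host that has a .vbs file on its command line."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent and parent.image in SCRIPT_HOSTS and ".vbs" in parent.cmdline.lower():
            hits.append(ancestry(e, by_pid))
    return hits


# Constructed sample telemetry: one suspicious chain plus a benign PowerShell launch.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "invitation.exe", r"C:\Users\u\Downloads\invitation.exe"),
    ProcEvent(300, 200, "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\stage1.vbs"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -File stage2.ps1"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe"),  # started from the shell, benign
]

if __name__ == "__main__":
    for chain in find_vbs_to_powershell(SAMPLE_EVENTS):
        print("suspicious chain:", " -> ".join(chain))
```

Run against the sample events it reports one chain, explorer.exe -> invitation.exe -> wscript.exe -> powershell.exe, and ignores the PowerShell instance started directly from the shell.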

“Although there have been few reports of attack activities by Kimsuky targeting organizations in Japan, there is a possibility that Japan is also being actively targeted,” stated JPCERT/CC.

Conclusion

The recent findings highlight the evolving tactics of DPRK-linked cyber espionage groups. From using fake npm packages to malicious DMG files, these hackers continuously adapt their methods to compromise targets effectively. Cybersecurity professionals and organizations must remain vigilant and update their defenses to counter these sophisticated threats.

About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
