In a recent development, cybersecurity researchers have uncovered a new malware campaign known as BeaverTail, which has been linked to North Korean cyber espionage activities. This malware targets job seekers by posing as legitimate software, specifically the MiroTalk video call service.
Initially identified as a JavaScript-based information stealer, BeaverTail has now evolved into a native macOS version, aimed at stealing confidential data such as browser information and cryptocurrency wallets from infected computers. Researchers at Group-IB Threat Intelligence have been monitoring this malware closely and have made some disturbing discoveries about its capabilities.
According to Group-IB specialists, two significant developments have been observed in the BeaverTail malware family. Firstly, a new version designed for Windows users has been detected, expanding the malware’s reach beyond its previous platforms. Additionally, a new JavaScript variant of BeaverTail has been identified, which spreads through innocent-looking gaming titles. This variant is built on ReactJS, a widely used JavaScript library that also underpins popular games, so the malicious code blends in with ordinary project code and is harder to detect.
One of the alarming aspects of BeaverTail malware is its ability to hide within Node Package Manager (NPM) packages, making it easy to incorporate into various development projects. The Lazarus group, believed to be behind this malware, has demonstrated a high level of adaptability by targeting different operating systems and development environments.
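As an added defender's check (not code from the article or from Group-IB's research), the script below audits package.json manifests for npm lifecycle hooks that run automatically during installation, a common way for a package to execute code before anyone has read it; the two manifests are constructed samples, and the hook list and inline-code heuristics are the author's assumptions, not indicators from this campaign.

```python
import json
from pathlib import Path
from typing import Dict, List

# Lifecycle hooks that npm runs automatically during "npm install".
# A library that has no native build step but declares one deserves a look.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed sample manifests, not taken from any real package.
SAMPLES: Dict[str, str] = {
    "clean-ui-kit/package.json": json.dumps({
        "name": "clean-ui-kit", "version": "1.0.0",
        "dependencies": {"react": "^18.2.0"},
        "scripts": {"build": "vite build", "test": "jest"},
    }),
    "game-assets-helper/package.json": json.dumps({
        "name": "game-assets-helper", "version": "0.3.1",
        "dependencies": {"react": "^18.2.0"},
        "scripts": {"postinstall": "node -e \"require('./lib/setup.js')\"",
                    "start": "node index.js"},
    }),
}


def audit_manifest(name: str, manifest_text: str) -> List[str]:
    """Return human-readable findings for one package.json."""
    findings: List[str] = []
    scripts = json.loads(manifest_text).get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: runs '{hook}' automatically on install: {scripts[hook]}")
    # "node -e" or eval( means code arrives as a string instead of a reviewable file.
    for script_name, cmd in scripts.items():
        if "node -e" in cmd or "eval(" in cmd:
            findings.append(f"{name}: script '{script_name}' executes inline code")
    return findings


def audit_tree(root: Path) -> List[str]:
    """Audit every package.json below root, node_modules included."""
    findings: List[str] = []
    for manifest in sorted(root.rglob("package.json")):
        findings.extend(audit_manifest(str(manifest.relative_to(root)), manifest.read_text()))
    return findings


def audit_samples() -> List[str]:
    """Run the audit over the constructed samples above."""
    return [f for name, text in SAMPLES.items() for f in audit_manifest(name, text)]


if __name__ == "__main__":
    for line in audit_samples():
        print(line)
```

Point `audit_tree` at a checked-out project to review its whole dependency tree; the sample run flags only the second manifest, once for the install hook and once for the inline code.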
The Windows version of BeaverTail disguises itself as a legitimate conferencing application called FCCCall.exe, mirroring a previous operation where the group trojanized the MiroTalk application. This recent campaign, believed to have taken place between late July and early August, underscores the group’s use of communication software to infiltrate host devices.
Despite its evolving nature, BeaverTail’s primary goals remain consistent across all versions – stealing cryptocurrency wallet information and downloading and executing the next-stage payload known as InvisibleFerret. The malware developers have expanded their scope by targeting a wider range of browser extensions, including popular ones like Kaikas, Rabby, Argent X, and Exodus Web3. This indicates their intention to target a larger number of victims’ cryptocurrency assets.
In terms of indicators of compromise (IoCs), researchers have identified several malicious IP addresses and hash values associated with BeaverTail. These IoCs can help security teams identify and mitigate potential threats posed by this malware.
Overall, the discovery of the BeaverTail malware campaign shines a light on the ever-evolving tactics employed by cybercriminals, particularly those affiliated with state-sponsored threats like North Korea’s Lazarus group. It underscores the importance of staying vigilant and implementing robust cybersecurity measures to protect against such malicious activities.