Pages

Thursday, September 12, 2024

2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples

2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related

This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea). 

There is a more recent campaign VMCONNECT described by Reversing Labs here 2024-09-10 Fake recruiter coding tests target devs with malicious Python packages but I don't have samples for that one.

 These campaigns target job-seeking activities to deploy malware and conduct espionage. 

Contagious Interview (CL-STA-0240):
  • The campaign targets software developers by posing as employers and convincing them to download malicious NPM packages during fake job interviews. The malware, BeaverTail and InvisibleFerret, is cross-platform, running on Windows, Linux, and macOS.

  • BeaverTail: A JavaScript-based malware that steals cryptocurrency wallet information and loads the second-stage payload, InvisibleFerret.

    InvisibleFerret: A Python-based backdoor with capabilities including fingerprinting, remote control, keylogging, and browser credential theft. It communicates with a C2 server using JSON-formatted messages and supports commands for data exfiltration and additional malware deployment.

  • The threat actors use GitHub to host malicious NPM packages, creating accounts with minimal activity to avoid detection.

Wagemole (CL-STA-0241):
  • Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea's weapons programs and potentially conduct espionage.

  • Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. These documents impersonate IT professionals and aim to gain unauthorized employment at US companies.

Download
File Information
  • BEAVERTAIL js
  • ├── 09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86 config.js 
  • ├── 0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1 server.js 
  • ├── 1123fea9d3a52989ec34041f791045c216d19db69d71e62aa6b24a22d3278ef9  server.js 
  • ├── 121ca625f582add0527f888bb84b31920183e78c7476228091ff2199ec5d796b Setup.js 
  • ├── 1b21556fc8ecb9f8169ba0482de857b1f8a5cb120b2f1ac7729febe76f1eea83 setupTests.js 
  • ├── 1f9169492d18bffacebe951a22495d5dec81f35b0929da7783b5f094efef7b48 error.js 
  • ├── 2618a067e976f35f65aee95fecc9a8f52abea2fffd01e001f9865850435694cf setupTests.js 
  • ├── 40645f9052e03fed3a33a7e0f58bc2c263eeae02cbc855b9308511f5dc134797 config.js 
  • ├── 41a912d72ba9d5db95094be333f79b60cae943a2bd113e20cc171f86ebcb86cf config.js 
  • ├── 4c465e6c8f43f7d13a1b887ff26d9a30f77cf65dd3b6f2e9f7fe36c8b6e83003 App.test.js 
  • ├── 4c605c6ef280b4ed5657fe97ba5b6106b10c4de02a40ae8c8907683129156efd setupTests.js 
  • ├── 6b3fce8f2dad7e803418edd8dfc807b0252705c11ec77114498b01766102e849 App.test.js 
  • ├── 700a582408cbda7ee79723b3969b8d10d67871ea31bb17c8ca3c0d94b481aa8c setupTests.js 
  • ├── 72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d act.js 
  • ├── 75f9f99295f86de85a8a2e4d73ed569bdb14a56a33d8240c72084f11752b207e setupTests.js 
  • ├── 785f65f1853a08b0e86db5638fbd76e8cad5fe1359655716166a76035261c0be error.js 
  • ├── 7b718a46ae4de09ed4f2513df6e989afe1fbb1a0f59511a4689fac5e1745547d setupTests.js 
  • ├── 7f8bb754f84a06b3e3617dd1138f07a918d11717cc63acaef8eb5c6d10101377 serviceChecker.js 
  • ├── 845d7978682fa19161281a35b62f4c447c477082a765d6fedb219877d0c90f31 configurationR.js 
  • ├── 9867f99a66e64f6bce0cfca18b124194a683b8e4cb0ced44f7cb09386e1b528d configurationR.js 
  • ├── a2f8de3c5f5f6ecbf29c15afd43a7c13a5bf60023ecb371d39bcca6ceef1d2b7 next.setup.js 
  • ├── b833f40b2f3439f317cf95980b29bddd2245d2acc2d5c11e9690dd2fa4289585 setupTests.js 
  • ├── d8f065d264b1112d6ee3cf34979289e89d9dcb30d2a3bd78cc797a81d3d56f56 setupTests.js 
  • ├── de42155e14a3c9c4d919316d6ba830229533de5063fcd110f53e2395ef3aa77a serviceWorker.js 
  • └── fc9bb03998a89524ce5a0f859feb45806983aa4feb5f4d436107198ca869ff6f setupTests.js 


  • BEAVERTAIL DLLs Downloaded
  • ├── 2d8a5b637a95de3b709780898b7c3957f93d72806e87302f50c40fe850471a44 store8.node 
  • ├── c5a73896dc628c23a0b6210f50019445e2b8bfc9770f4c81e1fed097f02dfade store8.node 
  • └── da6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc store8.node 

  • BEAVERTAIL ARCHIVE FILES
  • ├── 104926c2c937b4597ea3493bccb7683ae812ef3c62c93a8fb008cfd64e05df59 sandwich bot (1).zip
  • ├── 12c0f44a931b9d0d74a2892565363bedfa13bec8e48ff5cd2352dec968f407ee arb front v2.zip
  • ├── 1c905fa3a108f4c9bc0578882ce7af9682760b80af5232f130aa4f6463156b25Shared with you ICO.zip
  • ├── 592769457001374fac7a44379282ddf28c2219020c88150e32853f7517896c34 arb.zip
  • ├── 61dff5cbad45b4fe0852ac95b96b62918742b9c90dd47c672cbe0d1dafccb6c5 arb front v2.rar
  • ├── 6465f7ddc9cf8ab6714cbbd49e1fd472e19818a0babbaf3764e96552e179c9af african-economy-main.zip
  • ├── 709820850127201a17caab273e01bb36ce185b4c4f68cd1099110bb193c84c42 Solbots-Template.zip
  • ├── 9ae24a1912e4b0bab76ae97484b62ea22bdc27b7ea3e6472f18bf04ca66c87de.zip
  • ├── b5f151f0a4288e148fd10e19c78399f5b7bdff2ad66940fadd20d6eae4b7518b MoonShield.zip
  • ├── c8c11f9b308ea5983eebd8a414684021cc4cc1f67e7398ff967a18ae202fb457 RockBlocks-main.zip
  • ├── ceb59dbaf58a8de02f9d5e9b497321db0a19b7db4affd5b8d1a7e40d62775f96.pack
  • ├── db6e75987cabdbfc21d0fdcb1cdae9887c492cab2b2ff1e529601a34a2abfd99 dapp.zip
  • ├── e2a940c7d19409e960427749519dc02293abe58a1bef78404a8390f818e40d08 0915.zip
  • └── ff620bd560485c13a58a0de941bd3e52943036e6a05306e928f7c626998822fb Freelance 0913.zip
  • INVISIBLE_FERRET
    └── 92aeea4c32013b935cd8550a082aff1014d0cd2c2b7d861b43a344de83b68129.js 
Malware Repo Links
    Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.

No comments:

Post a Comment