Palo Alto Research
This threat actor is focused on compromising web servers and stealing payment information.
Tactics, Techniques, and Procedures (TTPs):
- Exploiting known Telerik UI vulnerabilities for initial access. (CVE-2017-11317 and CVE-2019-18935)
- Uploading and executing web shells.
- Using reverse proxy and tunneling tools.
- Employing GodPotato for privilege escalation.
Obfuscation Tactics:
- Using mixed-mode assemblies to embed native code in .NET binaries.
- Utilizing the RingQ loader for malicious payload execution.
- Employing MSHTA and PowerShell reverse shells.
- Data exfiltration using custom Python scripts.
- Use of Cobalt Strike for post-exploitation activities.
Tools and Attacks Used:
Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware
A cyber espionage campaign tracked as "CL-STA-240 Contagious Interview" is attributed to threat actors associated with North Korea (DPRK). The attackers pose as recruiters on platforms like LinkedIn to target job seekers, particularly in the tech industry. The goal is to trick victims into downloading and executing malware on their computers during a fake online interview. The campaign uses a downloader called BeaverTail, now rewritten in the Qt framework to be cross-platform (Windows and macOS), which then downloads and installs a Python-based backdoor called InvisibleFerret. This allows the attackers to steal sensitive data (browser credentials, crypto wallets, files) and maintain control over the compromised machines. The campaign is likely financially motivated, as it targets cryptocurrency wallets, with the overall goal of funding the DPRK regime. The attackers have updated their malware, indicating active development.
Attacker Techniques:
Social Engineering Attack Techniques: Scammers are targeting job seekers, particularly software developers and tech industry professionals, by posing as legitimate recruiters on platforms like LinkedIn. They establish trust through online interviews, then trick victims into downloading and installing malware disguised as legitimate applications.
This malware is cleverly disguised as real apps, such as MiroTalk and FreeConference, and uses the Qt framework to run on both Windows and macOS. Attackers employ installer files with .dmg (macOS) and .msi (Windows) extensions to deliver the malware. To maintain the illusion of legitimacy, they display fake login windows while executing malicious code in the background through GUI redirection.
Trojan Techniques: Malware is cleverly disguised as legitimate applications, such as MiroTalk and FreeConference, to deceive victims. Attackers utilize the Qt framework to create cross-platform malware, enabling it to run seamlessly on both Windows and macOS.
To deliver this malware, attackers employ installer files tailored to specific operating systems: .dmg for macOS and .msi for Windows. During installation, fake login windows are displayed, maintaining the illusion of a legitimate process while malicious code executes in the background through GUI redirection.
BeaverTail is a downloader and infostealer malware targeting Windows and macOS platforms. It is distributed via fake MiroTalk and FreeConference applications and collects and exfiltrates data without visible indicators. The malware steals browser passwords and cryptocurrency wallet data, and executes the InvisibleFerret backdoor payload.
It steals data from various places, such as the Microsoft Sticky Notes SQLite DB at `%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`, as well as data from many applications (authenticator apps, password managers, etc.).
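The Sticky Notes database path above is a concrete host-side indicator a defender can watch: the store should only be read by the Sticky Notes app itself. The following is an added example (not code from the Unit 42 report) that runs a simple allow-list check over constructed, Sysmon-like file-read events; the event layout, the allowed process names and the inclusion of the Chromium "Login Data" store are assumptions chosen for illustration.

```python
"""Flag processes other than the expected owner reading credential stores.

Added example, not from the original report. Event lines are constructed in a
key=value shape loosely modelled on Sysmon file-access records (assumption).
"""
import re
from typing import Iterable

# Sticky Notes database path from the notes above (matched by suffix, case-insensitive).
STICKY_NOTES_DB = r"\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite"
# Chromium-family browser credential store; adding it here is an assumption.
BROWSER_LOGIN_DB = r"\User Data\Default\Login Data"

# Process names expected to read each store under normal use (assumption; tune per fleet).
EXPECTED_READERS = {
    STICKY_NOTES_DB.lower(): {"microsoft.notes.exe"},
    BROWSER_LOGIN_DB.lower(): {"chrome.exe", "msedge.exe"},
}

# Constructed sample telemetry: one benign Sticky Notes read, one benign Chrome read,
# two reads by a look-alike "FreeConference.exe" dropped in %Temp%, and unrelated noise.
SAMPLE_EVENTS = [
    r"ts=2024-10-01T09:12:03Z event=FileRead image=C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\Microsoft.Notes.exe target=C:\Users\alice\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite",
    r"ts=2024-10-01T09:14:41Z event=FileRead image=C:\Users\alice\AppData\Local\Temp\FreeConference.exe target=C:\Users\alice\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite",
    r"ts=2024-10-01T09:14:42Z event=FileRead image=C:\Users\alice\AppData\Local\Temp\FreeConference.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"ts=2024-10-01T09:15:10Z event=FileRead image=C:\Program Files\Google\Chrome\Application\chrome.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"ts=2024-10-01T09:16:00Z event=FileRead image=C:\Windows\System32\notepad.exe target=C:\Users\alice\Documents\todo.txt",
]


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; values may contain spaces, keys may not."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_credential_store_access(events: Iterable[str]) -> list[dict]:
    """Return one alert per file read of a watched store by a non-allow-listed process."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("event") != "FileRead":
            continue
        target = ev.get("target", "").lower()
        image = ev.get("image", "")
        proc = image.rsplit("\\", 1)[-1].lower()
        for store_suffix, allowed in EXPECTED_READERS.items():
            if target.endswith(store_suffix) and proc not in allowed:
                alerts.append({"ts": ev.get("ts"), "process": proc, "image": image, "store": store_suffix})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_store_access(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['process']} read {alert['store']}")
```

Matching on a path suffix rather than the full path keeps the rule independent of the user profile, and keeping the allow-list per store lets the same loop cover any other credential file the fleet cares about.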
GitHub
Attackers abuse GitHub's free service plan to host malicious repositories, disguising them as legitimate projects to compromise victims. The attackers behind Contagious Interview created multiple fake identities and repositories, attempting to establish trust. However, closer examination revealed suspicious characteristics, such as:
- Single, inactive repositories
- Lack of updates
- Unusual comments in the Issues section
- Malicious files identified through GitHub's Insights feature
NPM Supply Chain Attack
Attackers abuse NPM, a central hub for JavaScript projects, to launch supply chain attacks. Malicious actors inject harmful code into legitimate NPM packages and distribute them through GitHub, creating subtle backdoors for unauthorized network access.
InvisibleFerret is a sophisticated, cross-platform malware with various components and functionalities, posing significant threats to compromised systems. Understanding its components, C2 communications, and functionalities is crucial for effective detection and mitigation strategies.
Components
The initial script, downloaded from a command and control (C2) server, is saved under the user's home directory and executed using Python. This script installs required Python modules, defines variables for C2 communication, and retrieves two additional components.
Fingerprinting Component
The first component collects system data, including internal IP address, geolocation information, and system details, sending this data to the C2 server in JSON format.
Remote Control and Information Stealing Component
The second component deploys remote control and information stealing capabilities, installing necessary Python packages, such as pyWinhook, pyperclip, psutil, and pywin32. It establishes a connection with the C2 server, periodically checking in and awaiting further instructions.
C2 Communications
InvisibleFerret communicates with the C2 server over TCP traffic, using JSON messages. The infected host sends heartbeat messages with campaign identifiers and hostnames, while the C2 server responds with instructions, including eight commands:
- Keylogger functionality
- Browser stealer functionality
- Data exfiltration
- Remote control
- Downloading additional malware (AnyDesk)
- Executing system commands
- Uploading files
- Deleting files
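The C2 pattern described above (JSON over plain TCP, periodic heartbeats carrying a campaign identifier and hostname, commands returned by the server) is what a network-side triage rule can key on. The following is an added example, not code from the Unit 42 report: it scores a constructed, reassembled TCP flow for regular JSON heartbeats and high-risk command verbs. The field names (`campaign`, `hostname`, `cmd`) and the command verbs are assumptions chosen for illustration; the notes do not give the real protocol's key names.

```python
"""Triage a reassembled TCP flow for an InvisibleFerret-style JSON C2 pattern.

Added example, not from the original report. Field names and command verbs are
assumed placeholders standing in for the eight command types listed in the notes.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Command verbs treated as high-risk (assumed names mirroring the notes' command list).
HIGH_RISK_CMDS = {"keylog", "browsers", "exfil", "remote", "download", "shell", "upload", "delete"}


@dataclass
class Record:
    ts: float        # seconds since start of capture
    direction: str   # "out" = infected host -> C2, "in" = C2 -> host
    payload: str     # raw TCP payload text


# Constructed flow: a host checking in every ~30 s, the server answering with commands.
SAMPLE_FLOW = [
    Record(0.0, "out", '{"campaign": "camp-7f3a", "hostname": "DEV-LAPTOP-01", "type": "heartbeat"}'),
    Record(0.2, "in", '{"cmd": "none"}'),
    Record(30.0, "out", '{"campaign": "camp-7f3a", "hostname": "DEV-LAPTOP-01", "type": "heartbeat"}'),
    Record(30.3, "in", '{"cmd": "browsers", "args": {}}'),
    Record(60.1, "out", '{"campaign": "camp-7f3a", "hostname": "DEV-LAPTOP-01", "type": "heartbeat"}'),
    Record(60.4, "in", '{"cmd": "download", "args": {"url": "https://example.invalid/anydesk.exe"}}'),
    Record(61.0, "out", "GET / HTTP/1.1\r\n"),  # non-JSON noise on the same flow, ignored
]


def parse_json(payload: str):
    """Return the payload as a dict if it is a JSON object, else None."""
    try:
        obj = json.loads(payload)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def is_heartbeat(msg: dict) -> bool:
    """Host -> C2 check-in carrying a campaign identifier and the machine's hostname."""
    return "campaign" in msg and "hostname" in msg


def triage_flow(flow: list[Record]) -> dict:
    """Score a flow: regular heartbeats count 2, each distinct high-risk command counts 1."""
    heartbeats = []
    cmds = Counter()
    campaigns = set()
    for rec in flow:
        msg = parse_json(rec.payload)
        if msg is None:
            continue
        if rec.direction == "out" and is_heartbeat(msg):
            heartbeats.append(rec.ts)
            campaigns.add(str(msg["campaign"]))
        elif rec.direction == "in" and "cmd" in msg:
            cmds[str(msg["cmd"])] += 1
    # Beaconing check: gaps between consecutive heartbeats stay within a 2 s jitter window.
    gaps = [b - a for a, b in zip(heartbeats, heartbeats[1:])]
    regular = len(gaps) >= 2 and (max(gaps) - min(gaps)) < 2.0
    risky = {c for c in cmds if c in HIGH_RISK_CMDS}
    score = (2 if regular else 0) + len(risky)
    return {
        "heartbeats": len(heartbeats),
        "campaigns": sorted(campaigns),
        "regular_beacon": regular,
        "high_risk_cmds": sorted(risky),
        "score": score,
        "verdict": "suspicious" if score >= 3 else "benign",
    }


if __name__ == "__main__":
    print(json.dumps(triage_flow(SAMPLE_FLOW), indent=2))
```

The verdict threshold deliberately needs both regular beaconing and at least one risky command, so a lone misparsed JSON object or a single odd message does not fire on its own; on real traffic the jitter window and the verb list are the knobs to tune.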