A new version of the BeaverTail malware has been identified targeting job seekers through fake recruiters.
The attack, discovered by Unit 42 and part of the ongoing CL-STA-240 Contagious Interview campaign, abuses job-search platforms such as LinkedIn and X (formerly Twitter), where the attackers pose as employers in order to infect devices with malware.
First reported in November 2023, the campaign has since evolved, with new malware versions continuing to appear.
Recent findings include a BeaverTail downloader compiled in July 2024 with the cross-platform Qt framework, which lets the attackers build malware for both macOS and Windows from a single source code base.
In addition, code updates to the InvisibleFerret backdoor give the attackers further control over infected devices.
BeaverTail: Distribution and Motives
BeaverTail is distributed through files disguised as legitimate applications, such as MiroTalk and FreeConference, which trick victims into installing the malicious software.
“After the attacker set up a technical interview online, the attacker convinced the potential victim to execute malicious code,” Unit 42 explained. “In [one] case, the potential victim deliberately executed the code in a virtual environment, which was eventually connected to the attacker’s command-and-control (C2) server.”
Once installed, BeaverTail runs in the background and steals sensitive data such as browser passwords and cryptocurrency wallet information.
This is in line with the financial motivations often attributed to North Korean cyber actors: BeaverTail now targets 13 different cryptocurrency wallet browser extensions, up from nine in its earlier variant.
The attack ends with the delivery of the InvisibleFerret backdoor, which is used for keylogging, file exfiltration and even downloading remote-access software such as AnyDesk.
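As an added illustration (not code from Unit 42 or from the original article), the following Python triage helper shows how the behaviour chain described above can be flagged in endpoint telemetry: a non-browser process reading browser saved-login or extension storage, followed on the same host by an AnyDesk launch that did not come from a software-deployment parent. The event format, the file paths, the process-name allow-lists and the sample events are all constructed assumptions for illustration; the campaign's real file names and indicators are not given on this page.

```python
"""Flag endpoint events consistent with the BeaverTail -> InvisibleFerret chain:
credential/wallet-extension storage reads by a non-browser process, then an
unexpected remote-access tool (AnyDesk) start on the same host.

Added example; event schema, paths and allow-lists are assumptions, not
observed campaign indicators.
"""
import re
from dataclasses import dataclass

# Assumed Chromium-family file names for saved logins and extension storage.
CREDENTIAL_STORE_RE = re.compile(
    r"(Login Data|Local Extension Settings|Local Storage[/\\]leveldb)", re.IGNORECASE
)
# The article names AnyDesk as the tool InvisibleFerret downloads.
REMOTE_ACCESS_IMAGES = {"anydesk.exe", "anydesk"}
# Assumed allow-lists: browsers may read their own stores; these deployment
# agents may legitimately install remote-access software.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chrome", "brave browser"}
DEPLOYMENT_IMAGES = {"msiexec.exe", "ccmexec.exe", "intunemanagementextension.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(events):
    """Return Findings for a list of file_read / process_create event dicts.

    A host that first shows a non-browser store read and later an unexpected
    AnyDesk start gets an extra correlated finding, mirroring the order in
    which the article describes the infection.
    """
    findings = []
    stealers_by_host = {}  # host -> set of non-browser images that read stores
    for ev in events:
        host, image = ev["host"], _image_name(ev["image"])
        if ev["type"] == "file_read":
            if CREDENTIAL_STORE_RE.search(ev["target"]) and image not in BROWSER_IMAGES:
                findings.append(Finding(host, "browser_store_access",
                                        f"{image} read {ev['target']}"))
                stealers_by_host.setdefault(host, set()).add(image)
        elif ev["type"] == "process_create":
            parent = _image_name(ev["parent"])
            if image in REMOTE_ACCESS_IMAGES and parent not in DEPLOYMENT_IMAGES:
                findings.append(Finding(host, "unexpected_remote_access_tool",
                                        f"{parent} started {image}"))
                if host in stealers_by_host:
                    who = ", ".join(sorted(stealers_by_host[host]))
                    findings.append(Finding(host, "credential_theft_then_remote_access",
                                            f"{who} read browser stores before {image} started"))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # ws-fin-02: normal browser activity and a managed AnyDesk rollout -> no findings.
    {"type": "file_read", "host": "ws-fin-02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create", "host": "ws-fin-02",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    # ws-dev-07: a MiroTalk look-alike reads saved logins and a wallet extension's
    # storage (placeholder extension id), then starts AnyDesk itself.
    {"type": "file_read", "host": "ws-dev-07",
     "image": r"C:\Users\bob\Downloads\MiroTalk\MiroTalk.exe",
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "host": "ws-dev-07",
     "image": r"C:\Users\bob\Downloads\MiroTalk\MiroTalk.exe",
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\exampleextensionid"},
    {"type": "process_create", "host": "ws-dev-07",
     "image": r"C:\Users\bob\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Users\bob\Downloads\MiroTalk\MiroTalk.exe"},
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:36} {f.detail}")
```

The allow-lists are deliberately narrow: a Qt-built lure that carries a plausible application name is still a non-browser process touching browser storage, so the first rule does not depend on knowing the lure's name, and the correlation rule only fires when both halves of the chain appear on one host, which keeps noise from either signal alone low.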
“[An] important risk this campaign poses is the potential infiltration of the companies that employ the targeted job seekers. A successful infection on a company device can lead to the collection and exfiltration of sensitive information,” warned Unit 42.
The company also reported that the continuous development of the malware code suggests the attackers are actively refining their methods between attacks.
Unit 42 advised that both individuals and organizations must remain vigilant, especially in recruitment scenarios, to avoid falling victim to such advanced social engineering campaigns.