BeaverTail macOS Malware

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers.

The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name, but, in reality, serves as a conduit to deliver a native version of BeaverTail, security researcher Patrick Wardle said.

BeaverTail refers to a JavaScript stealer malware that was first documented by Palo Alto Networks Unit 42 in November 2023 as part of a campaign dubbed Contagious Interview that aims to infect software developers with malware through a supposed job interview process. Securonix is tracking the same activity under the moniker DEV#POPPER.

Besides siphoning sensitive information from web browsers and crypto wallets, the malware is capable of delivering additional payloads like InvisibleFerret, a Python backdoor that's responsible for downloading AnyDesk for persistent remote access.

Cybersecurity

While BeaverTail has been distributed via bogus npm packages hosted on GitHub and the npm package registry, the latest findings mark a shift in the distribution vector.

"If I had to guess, the DPRK hackers likely approached their potential victims, requesting that they join a hiring meeting, by downloading and executing the (infected version of) MiroTalk hosted on mirotalk[.]net," Wardle said.

An analysis of the unsigned DMG file reveals that it facilitates the theft of data from cryptocurrency wallets, iCloud Keychain, and web browsers like Google Chrome, Brave, and Opera. Furthermore, it's designed to download and execute additional Python scripts from a remote server (i.e., InvisibleFerret).

"The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique often rely on social engineering (and thus from a technical point of view are rather unimpressive)," Wardle said.

The disclosure comes as Phylum uncovered a new malicious npm package named call-blockflow that's virtually identical to the legitimate call-bind library but incorporates complex functionality to download a remote binary file while taking painstaking efforts to fly under the radar.

"In this attack, while the call-bind package has not been compromised, the weaponized call-blockflow package copies all the trust and legitimacy of the original to bolster the attack's success," it said in a statement shared with The Hacker News.

The package, suspected to be the work of the North Korea-linked Lazarus Group and unpublished about an hour and a half later after it was uploaded to npm, attracted a total of 18 downloads. Evidence suggests that the activity, comprising over three dozen malicious packages, has been underway in waves since September 2023.

"These packages, once installed, would download a remote file, decrypt it, execute an exported function from it, and then meticulously cover their tracks by deleting and renaming files," the software supply chain security company said. "This left the package directory in a seemingly benign state after installation."

Cybersecurity

It also follows an advisory from JPCERT/CC, warning of cyber attacks orchestrated by the North Korean Kimsuky actor targeting Japanese organizations.

The infection process starts with phishing messages impersonating security and diplomatic organizations, and contain a malicious executable that, upon opening, leads to the download of a Visual Basic Script (VBS), which, in turn, retrieves a PowerShell script to harvest user account, system and network information as well as enumerate files and processes.

The collected information is then exfiltrated to a command-and-control (C2) server, which responds back with a second VBS file that's then executed to fetch and run a PowerShell-based keylogger named InfoKey.

"Although there have been few reports of attack activities by Kimsuky targeting organizations in Japan, there is a possibility that Japan is also being actively targeted," JPCERT/CC said.

Update

Cybersecurity researchers have also identified a Windows version of the MiroTalk installer ("MiroTalk.msi"), indicating that the campaign is targeting both macOS and Windows users.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.