A recent analysis by the AhnLab Security Intelligence Center (ASEC) has uncovered a particularly insidious campaign involving the distribution of BeaverTail and Tropidoor malware via deceptive recruitment emails.
The attackers in this campaign employ a classic social engineering tactic: impersonation. On November 29, 2024, ASEC disclosed a case where threat actors impersonated a recruitment email from Dev.to, a well-known developer community, to spread their malicious payload. These emails are designed to entice unsuspecting recipients with the promise of a lucrative job opportunity, in this case, a “Software Engineer, Full Stack position at AutoSquare”.
Instead of attaching a malicious file directly to the email, the attackers provide a BitBucket link containing a project. This seemingly legitimate approach may lull victims into a false sense of security. However, hidden within the project’s files lies the danger: BeaverTail malware disguised as “tailwind.config.js,” and a downloader malware called “car.dll”.

Attack disclosed in the developer community | Image: ASEC
The analysis reveals a two-pronged attack involving sophisticated malware:
- BeaverTail: This JavaScript malware is known for its information-stealing capabilities. It targets web browsers to steal credential information and cryptocurrency wallet data and can download additional malware such as InvisibleFerret. ASEC notes that “BeaverTail is known to be used by North Korean attackers for information theft and downloading additional payloads”. It is often distributed in phishing attacks disguised as job offers, including those targeting LinkedIn users.
- Tropidoor: This malware operates in memory as a backdoor. Upon execution, it decrypts and attempts to connect to multiple command-and-control (C&C) server addresses. After establishing a connection, it collects basic system information, generates a random encryption key, and transmits this information to the C&C server. The “car.dll” downloader is characterized by its implementation of Windows commands internally, a technique similar to the LightlessCan malware associated with the Lazarus group.
ASEC’s analysis provides valuable insights into Tropidoor’s communication with the C&C server. The malware carries a Base64-encoded RSA public key, and the randomly generated key is used for packet encryption during C&C communication. In the initial communication, system information and the encrypted random key are transmitted through the “tropi2p” and “gumi” parameters, respectively. Tropidoor can receive various commands from the C&C server, including those for file manipulation, process execution, and system information gathering. Notably, “command #34 is unique,” as it involves the execution of basic Windows commands such as “schtasks,” “ping,” and “reg”.
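The two parameter names above are the only network-level detail the report gives, and they are enough for a simple proxy-log check. The following is an added example, not code from ASEC or the article: it parses constructed `client|host|post-body` log lines, flags bodies that carry both `tropi2p` and `gumi` with Base64-decodable values, and notes whether the `gumi` blob has an RSA-ciphertext-sized length (a heuristic I assume here, not something the report states).

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Parameter names ASEC reports in Tropidoor's first C&C request: "tropi2p"
# carries system information and "gumi" the encrypted random session key.
TROPIDOOR_PARAMS = ("tropi2p", "gumi")


def _b64_len(value: str):
    """Return the decoded length if value is strict Base64, else None."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def inspect_post_body(body: str):
    """Return a verdict dict if the body looks like a Tropidoor beacon, else None."""
    params = parse_qs(body, keep_blank_values=True)
    if not all(name in params for name in TROPIDOOR_PARAMS):
        return None
    sysinfo_len = _b64_len(params["tropi2p"][0])
    key_len = _b64_len(params["gumi"][0])
    if sysinfo_len is None or key_len is None:
        return None
    # Assumption (not from the report): an RSA-encrypted key blob is a
    # multiple of 128 bytes; other sizes are still flagged, but weaker.
    return {"sysinfo_bytes": sysinfo_len, "key_bytes": key_len,
            "rsa_sized": key_len % 128 == 0}


def scan_proxy_log(lines):
    """Scan 'client|host|body' lines and return one dict per flagged request."""
    hits = []
    for line in lines:
        client, host, body = line.split("|", 2)
        verdict = inspect_post_body(body)
        if verdict is not None:
            hits.append({"client": client, "host": host, **verdict})
    return hits


# Constructed sample log lines; hosts are documentation-range addresses, not IoCs.
SAMPLE_LOG = [
    "10.0.0.5|198.51.100.20|" + urlencode({
        "tropi2p": base64.b64encode(b"WS01;Windows 10;devuser").decode(),
        "gumi": base64.b64encode(bytes(256)).decode()}),      # 256-byte blob
    "10.0.0.7|update.example.org|id=42&token=abc",            # benign request
    "10.0.0.9|198.51.100.21|tropi2p=not-base64!!&gumi=AAAA",  # malformed value
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```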
This analysis underscores the importance of exercising caution when interacting with unsolicited communications, especially those involving job offers. As ASEC emphasizes, “Users should be cautious not only with email attachments but also with executable files from unknown sources”.