2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples
2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related
This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea).
There is a more recent, related campaign, VMCONNECT, described by Reversing Labs here: 2024-09-10 Fake recruiter coding tests target devs with malicious Python packages, but I don't have samples for that one.
These campaigns target job-seeking activities to deploy malware and conduct espionage.
Contagious Interview (CL-STA-0240):
The campaign targets software developers: the actors pose as employers and, during a fake job interview, get the candidate to clone and run a trojanized NPM project. Both payloads, BeaverTail and InvisibleFerret, are cross-platform and run on Windows, Linux and macOS.
BeaverTail: A JavaScript-based stealer that collects cryptocurrency wallet data from the victim's machine and then retrieves and launches the second-stage payload, InvisibleFerret.
InvisibleFerret: A Python-based backdoor with fingerprinting, remote control, keylogging and browser credential theft. It talks to its C2 server with JSON-formatted messages and accepts commands for data exfiltration and for dropping additional malware.
The threat actors host the malicious NPM packages as GitHub repositories, created under accounts with minimal activity to avoid drawing attention. The BeaverTail samples listed below carry ordinary React/Node scaffolding names (setupTests.js, App.test.js, serviceWorker.js, config.js), so the malicious file blends in with the rest of the project.
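The check a developer or incident responder would want at this point is a quick hash triage of the cloned "interview project" against the sample hashes in the File Information listing below. The script that follows is an added example for this post; it is not code from contagiodump or from Unit42. It walks a directory, streams every regular file through SHA-256, reports any digest that appears in the (subset of) listed hashes, and separately flags prebuilt native addons (.node files) because the BeaverTail samples above pull down a store8.node binary next to the JavaScript. The `.node` heuristic and the pruning of `.git` are my assumptions, and the directory tree built in `demo()` is constructed for the example rather than taken from a real sample.

```python
"""Hash-based triage of a cloned repository or extracted npm package.

Added example for this post; not code from contagiodump or from Unit42.
"""
import hashlib
import os
import tempfile

# SHA-256 digests copied from the file listing on this page (a subset; add the
# remaining hashes from the listing to extend coverage). Labels are the names
# the listing gives the files.
KNOWN_BAD = {
    "09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86": "BeaverTail config.js",
    "0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1": "BeaverTail server.js",
    "1b21556fc8ecb9f8169ba0482de857b1f8a5cb120b2f1ac7729febe76f1eea83": "BeaverTail setupTests.js",
    "1f9169492d18bffacebe951a22495d5dec81f35b0929da7783b5f094efef7b48": "BeaverTail error.js",
    "7f8bb754f84a06b3e3617dd1138f07a918d11717cc63acaef8eb5c6d10101377": "BeaverTail serviceChecker.js",
    "2d8a5b637a95de3b709780898b7c3957f93d72806e87302f50c40fe850471a44": "BeaverTail store8.node",
    "c5a73896dc628c23a0b6210f50019445e2b8bfc9770f4c81e1fed097f02dfade": "BeaverTail store8.node",
    "da6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc": "BeaverTail store8.node",
    "92aeea4c32013b935cd8550a082aff1014d0cd2c2b7d861b43a344de83b68129": "InvisibleFerret .js",
}

SKIP_DIRS = {".git"}  # assumption: git object store is noise for this pass


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def classify(relpath, digest, known=KNOWN_BAD):
    """Return a verdict string for one file, or None if nothing stands out."""
    if digest in known:
        return "MATCH " + known[digest]
    if relpath.endswith(".node"):
        # Assumption: a prebuilt native addon is not malicious per se, but a
        # front-end template has no reason to ship one, so flag it for review.
        return "NATIVE ADDON (review)"
    return None


def triage(root, known=KNOWN_BAD):
    """Walk `root` and return sorted (relative path, verdict) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            verdict = classify(rel, sha256_file(path), known)
            if verdict:
                findings.append((rel, verdict))
    return sorted(findings)


def demo():
    """Build a constructed fake 'take-home project' tree and triage it.

    Everything here is made up for the example. The stand-in for a trojanized
    setupTests.js is a byte string whose hash is registered in a copy of the
    lookup table, so the match path runs without touching a real sample.
    """
    payload = b"// constructed stand-in for a trojanized setupTests.js\n"
    known = dict(KNOWN_BAD)
    known[hashlib.sha256(payload).hexdigest()] = "constructed BeaverTail stand-in"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "src", "setupTests.js"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "src", "index.js"), "wb") as f:
            f.write(b"console.log('benign');\n")
        with open(os.path.join(root, "lib", "store8.node"), "wb") as f:
            f.write(b"constructed bytes, not a real addon\n")
        return triage(root, known)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:40} {rel}")
```

Run `triage("/path/to/cloned/repo")` on the real tree before `npm install` or `npm start`; a `MATCH` line is a confirmed sample from this listing, while a `NATIVE ADDON (review)` line only means a binary is present where a front-end template normally has none. Hashes catch exact copies only, so a recompiled or re-obfuscated variant will pass this check silently.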
Wagemole (CL-STA-0241):
Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea's weapons programs and potentially conduct espionage.
Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. These documents impersonate IT professionals and aim to gain unauthorized employment at US companies.
File Information
- BEAVERTAIL js
- ├── 09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86 config.js
- ├── 0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1 server.js
- ├── 1123fea9d3a52989ec34041f791045c216d19db69d71e62aa6b24a22d3278ef9 server.js
- ├── 121ca625f582add0527f888bb84b31920183e78c7476228091ff2199ec5d796b Setup.js
- ├── 1b21556fc8ecb9f8169ba0482de857b1f8a5cb120b2f1ac7729febe76f1eea83 setupTests.js
- ├── 1f9169492d18bffacebe951a22495d5dec81f35b0929da7783b5f094efef7b48 error.js
- ├── 2618a067e976f35f65aee95fecc9a8f52abea2fffd01e001f9865850435694cf setupTests.js
- ├── 40645f9052e03fed3a33a7e0f58bc2c263eeae02cbc855b9308511f5dc134797 config.js
- ├── 41a912d72ba9d5db95094be333f79b60cae943a2bd113e20cc171f86ebcb86cf config.js
- ├── 4c465e6c8f43f7d13a1b887ff26d9a30f77cf65dd3b6f2e9f7fe36c8b6e83003 App.test.js
- ├── 4c605c6ef280b4ed5657fe97ba5b6106b10c4de02a40ae8c8907683129156efd setupTests.js
- ├── 6b3fce8f2dad7e803418edd8dfc807b0252705c11ec77114498b01766102e849 App.test.js
- ├── 700a582408cbda7ee79723b3969b8d10d67871ea31bb17c8ca3c0d94b481aa8c setupTests.js
- ├── 72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d act.js
- ├── 75f9f99295f86de85a8a2e4d73ed569bdb14a56a33d8240c72084f11752b207e setupTests.js
- ├── 785f65f1853a08b0e86db5638fbd76e8cad5fe1359655716166a76035261c0be error.js
- ├── 7b718a46ae4de09ed4f2513df6e989afe1fbb1a0f59511a4689fac5e1745547d setupTests.js
- ├── 7f8bb754f84a06b3e3617dd1138f07a918d11717cc63acaef8eb5c6d10101377 serviceChecker.js
- ├── 845d7978682fa19161281a35b62f4c447c477082a765d6fedb219877d0c90f31 configurationR.js
- ├── 9867f99a66e64f6bce0cfca18b124194a683b8e4cb0ced44f7cb09386e1b528d configurationR.js
- ├── a2f8de3c5f5f6ecbf29c15afd43a7c13a5bf60023ecb371d39bcca6ceef1d2b7 next.setup.js
- ├── b833f40b2f3439f317cf95980b29bddd2245d2acc2d5c11e9690dd2fa4289585 setupTests.js
- ├── d8f065d264b1112d6ee3cf34979289e89d9dcb30d2a3bd78cc797a81d3d56f56 setupTests.js
- ├── de42155e14a3c9c4d919316d6ba830229533de5063fcd110f53e2395ef3aa77a serviceWorker.js
- └── fc9bb03998a89524ce5a0f859feb45806983aa4feb5f4d436107198ca869ff6f setupTests.js
- BEAVERTAIL DLLs Downloaded
- ├── 2d8a5b637a95de3b709780898b7c3957f93d72806e87302f50c40fe850471a44 store8.node
- ├── c5a73896dc628c23a0b6210f50019445e2b8bfc9770f4c81e1fed097f02dfade store8.node
- └── da6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc store8.node
- BEAVERTAIL ARCHIVE FILES
- ├── 104926c2c937b4597ea3493bccb7683ae812ef3c62c93a8fb008cfd64e05df59 sandwich bot (1).zip
- ├── 12c0f44a931b9d0d74a2892565363bedfa13bec8e48ff5cd2352dec968f407ee arb front v2.zip
- ├── 1c905fa3a108f4c9bc0578882ce7af9682760b80af5232f130aa4f6463156b25 Shared with you ICO.zip
- ├── 592769457001374fac7a44379282ddf28c2219020c88150e32853f7517896c34 arb.zip
- ├── 61dff5cbad45b4fe0852ac95b96b62918742b9c90dd47c672cbe0d1dafccb6c5 arb front v2.rar
- ├── 6465f7ddc9cf8ab6714cbbd49e1fd472e19818a0babbaf3764e96552e179c9af african-economy-main.zip
- ├── 709820850127201a17caab273e01bb36ce185b4c4f68cd1099110bb193c84c42 Solbots-Template.zip
- ├── 9ae24a1912e4b0bab76ae97484b62ea22bdc27b7ea3e6472f18bf04ca66c87de.zip
- ├── b5f151f0a4288e148fd10e19c78399f5b7bdff2ad66940fadd20d6eae4b7518b MoonShield.zip
- ├── c8c11f9b308ea5983eebd8a414684021cc4cc1f67e7398ff967a18ae202fb457 RockBlocks-main.zip
- ├── ceb59dbaf58a8de02f9d5e9b497321db0a19b7db4affd5b8d1a7e40d62775f96.pack
- ├── db6e75987cabdbfc21d0fdcb1cdae9887c492cab2b2ff1e529601a34a2abfd99 dapp.zip
- ├── e2a940c7d19409e960427749519dc02293abe58a1bef78404a8390f818e40d08 0915.zip
- └── ff620bd560485c13a58a0de941bd3e52943036e6a05306e928f7c626998822fb Freelance 0913.zip
- INVISIBLE_FERRET
- └── 92aeea4c32013b935cd8550a082aff1014d0cd2c2b7d861b43a344de83b68129.js
Over the 15 years this blog has been around, many hosting providers have dropped support because of stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.