Thursday, December 5, 2024
Homecyber securityBeaverTail Malware Attacking Windows Users Via Weaponized Games

BeaverTail Malware Attacking Windows Users Via Weaponized Games

Published on

SIEM as a Service

Researchers uncovered a new malware campaign dubbed BeaverTail, a North Korean cyber espionage malware family primarily focusing on job seekers.

Initially identified as a JavaScript-based info stealer, it has since morphed into a native macOS version that pretends to be legitimate software like the MiroTalk video call service.

This malware is designed to steal confidential information from contaminated computers, including browser data and cryptocurrency wallets.

- Advertisement - SIEM as a Service

Cybersecurity researchers at Group-IB Threat Intelligence recently discovered that BeaverTail malware has been attacking Windows users via weaponized games.

Technical Analysis

Two new developments in the BeaverTail malware family were discovered by Group-IB’s cybersecurity specialists.

Firstly, they detected a new Windows version of BeaverTail, expanding the malware’s reach beyond its previous platforms. Secondly, and perhaps more alarmingly, they uncovered an evolved JavaScript variant of BeaverTail. 

This version circulates through innocent titles. It is built on ReactJS, a widely used JavaScript library for popular games.

These malicious applications are hidden inside NPM (Node Package Manager) packages and can easily be included in multiple development projects.

Through this sophisticated exploit, the Lazarus group has shown to be adaptive enough in their attempt to attack different operating systems and dev environments.

BeaverTail malware for Windows has been seen to disguise itself as a genuine conferencing app FCCCall.exe.

This is similar to an earlier Lazarus operation where the group trojanized the MiroTalk application.

Moreover, this most recent campaign was likely conducted between late July and early August, showing the group’s susceptibility to leveraging communication software in targeting host devices.

Two primary objectives remain the same for all BeaverTail versions, fetching cryptocurrency wallet information and downloading and executing the next-step payload, InvisibleFerret.

However, the malware’s developers broadened its scope as shown by the increasing number of browser extensions it targets.

BeaverTail now compromises a broader range of browser extensions including those previously mentioned such as kaikas, rabby, argent X, and Exodus web3 which suggests that its operators intend to capture a greater volume of victims’ cryptocurrency assets.

IoCs

  • 185.235.241[.]208:1224
  • 95.164.17[.]24:1224
  • dc77044fe8d35882015eaa99ca31f826
  • b9693b6541a22d01b100b867375279e6
  • 8ebca0b7ef7dbfc14da3ee39f478e880
  • ed60b3913e6694f4a0ed2fe25551bd1f

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Cloudflare Developer Domains Abused For Cyber Attacks

Cloudflare Pages, a popular web deployment platform, is exploited by threat actors to host...

Hackers Exploit Docker Remote API Servers To Inject Gafgyt Malware

Attackers are exploiting publicly exposed Docker Remote API servers to deploy Gafgyt malware by...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...