Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how threat actors are leveraging fake recruitment emails to distribute malicious payloads.

The attackers impersonated Dev.to, a prominent developer community, and lured victims with promises of lucrative job offers.

Instead of attaching malware directly to emails, they provided a BitBucket link containing a seemingly legitimate project.

Hidden within the project were two dangerous malware strains: BeaverTail, disguised as “tailwind.config.js,” and a downloader malware named “car.dll”.

This attack highlights the increasing sophistication of social engineering tactics.

By mimicking trusted platforms and offering job opportunities, attackers bypass traditional security measures and exploit human trust.

Malware Analysis: BeaverTail and Tropidoor

The JavaScript-based BeaverTail malware is known for its dual role as an information stealer and downloader.

It targets web browsers to extract credentials, cryptocurrency wallet data, and other sensitive information.

Additionally, it downloads secondary payloads like InvisibleFerret, a backdoor for further exploitation.

BeaverTail’s obfuscation techniques make detection challenging, while its cross-platform compatibility enables it to target Windows, macOS, and Linux systems.

In this specific case, BeaverTail was executed via the downloader “car.dll.”

Logs revealed its use of tools like Curl to download additional files (“p.zip” and “p2.zip”) from attacker-controlled servers.

These behaviors align with previous reports linking BeaverTail to North Korean threat actors.

Tropidoor: A Memory-Resident Backdoor

Tropidoor operates in memory as a sophisticated backdoor. Upon execution, it decrypts itself and connects to multiple command-and-control (C&C) servers.

It collects system information, encrypts it with an RSA public key (encoded in Base64), and transmits it to the C&C server using parameters like “tropi2p” and “gumi.”

The malware can execute various commands, including file manipulation, process termination, data exfiltration, and even injecting downloaded payloads into other processes.

One notable feature of Tropidoor is command #34, which allows attackers to execute basic Windows commands such as “schtasks” and “ping.”

According to the Report, this technique mirrors behaviors seen in LightlessCan malware associated with the Lazarus Group.

Indicators of Compromise (IoCs)

File Hashes (MD5):

• 3aed5502118eb9b8c9f8a779d4b09e11
• 84d25292717671610c936bca7f0626f5
• 94ef379e332f3a120ab16154a7ee7a00
• b29ddcc9affdd56a520f23a61b670134

Malicious URLs:

• http[:]//103[.]35[.]190[.]170/Proxy[.]php
• https[:]//45[.]8[.]146[.]93/proxy/Proxy[.]php

IP Addresses:

• 135[.]181[.]242[.]24
• 191[.]96[.]31[.]38

These IoCs underline the global reach of this campaign and its association with North Korean cyber operations.

This attack is part of a broader trend where North Korean threat actors target individuals through phishing campaigns disguised as job recruitment efforts.

By exploiting platforms like LinkedIn or developer communities such as Dev.to, they aim to infiltrate not just individuals but also their organizations.

The financial motives are evident in their focus on cryptocurrency wallets and browser-stored credentials.

To mitigate such threats:

1. Avoid opening unsolicited emails or clicking on links from unknown sources.
2. Verify the authenticity of recruitment offers directly with the organization.
3. Keep antivirus software updated to detect evolving threats like BeaverTail.
4. Monitor network traffic for suspicious connections to known malicious IPs.

As attackers continue refining their methods, vigilance remains critical for both individuals and organizations alike.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!