Cyber Security News

Lazarus Hackers Attacking Job-Seekers to Deliver Javascript Malware

The Lazarus Group is one of the most notorious hacker groups linked to the North Korean government. The group is known for its cyberattacks and has been active since 2010. 

However, Group-IB cyber security researchers recently discovered that Lazarus was actively intensifying its illicit activities in 2024.

Researchers have also detected that threat actors are actively abusing the Contagious Interview campaigns using BeaverTail malware and an InvisibleFerret backdoor. 

Initially, BeaverTail was a JavaScript threat that now exists in macOS and Windows variants, and a Python version has also been discovered.

Besides this, new malicious repositories that emerged on code-sharing platforms were also linked to Lazarus.

Lazarus Hackers Attacking Job-Seekers

Lazarus has significantly evolved its tactics in targeting blockchain professionals. 

Not only that even, they have also expanded beyond LinkedIn to the following types of platforms to initiate contact and move conversations to Telegram:-

  • WWR
  • Moonlight
  • Upwork

The group’s primary attack vectors now include fake video conferencing applications and trojanized Node.js projects. 

Chain of events leading to compromise (Source – Group-IB)

The group’s primary malware is “BeaverTail,” which disguises itself as FCCCall, a Qt6-based application that appears legitimate, but this enables threat actors to steal browser credentials and cryptocurrency wallet data. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Besides this, the BeaverTail malware creates a hidden .n3 folder, temporarily storing stolen information before sending it to a command-and-control (C2) server using multipart/form-data MIME type.

Components of InvisibleFerret (Source – Group-IB)

Lazarus has further implemented a cross-platform backdoor written in Python called “InvisibleFerret” that enables the user to control the target through remote access, log keystrokes, and steal browser data, Group-IB said.

The group has improved the methods of JavaScript code obfuscation hidden in library files, such as pushing code to the far right or many blank spaces away from the main content.

Components of CivetQ (Source – Group-IB)

They have added intermediate systems for the reach of the payload and a collection of configurable software known as CivetQ, which consists of Python scripts that perform different malicious activities.

Lazarus aims at 74 more extensions, including authenticators and password managers, which were not on the previous target list.

New persistence mechanisms have been introduced, AnyDesk has been configured for unattended access, and data exfiltration methods, including FTP and Telegram, have been integrated.

The data is sent out after being zipped and xor-encoded using a password.

These complex strategies highlight the operational objectives of cryptocurrency theft and sustained access to the Lazarus Group’s systems, which makes the group more dangerous than the majority of cyber threats today.

Recommendations

Here below we have mentioned all the recommendations:-

  • Be cautious with recruiter tasks or apps, especially .exe files.
  • Verify companies and recruiters before engaging.
  • Avoid suspicious email links or attachments.
  • Scan files with updated antivirus software.
  • Use robust threat intelligence solutions for better security.
  • Implement Digital Risk Protection against brand impersonation.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

8 hours ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

8 hours ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

8 hours ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

8 hours ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

2 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

2 days ago