Beavertail

Malware updated 7 days ago (2024-10-09T13:00:55.825Z)
BeaverTail is a malware strain developed by North Korean state-sponsored hackers and designed to target macOS users. The attackers have been found spreading this new variant through a malicious version of the video-calling service MiroTalk. They often masquerade as recruiters, luring victims into downloading the infected MiroTalk software under the guise of participating in a job interview. This strategy is well documented: North Korea's hackers are known for targeting unsuspecting individuals with fake job postings. Once on a victim's device, BeaverTail steals data and deploys additional malicious payloads, including another piece of malware known as InvisibleFerret.

This information was made public by cybersecurity researcher Patrick Wardle, who detailed the operation in his online publication. Since publication, activity from these fake recruiters has increased and the BeaverTail downloader and InvisibleFerret backdoor code have been updated, suggesting that the campaign is still ongoing.

The execution, detection, and prevention of both BeaverTail and InvisibleFerret have been documented on Cortex XDR for both macOS and Windows platforms. This documentation includes IP addresses for BeaverTail and InvisibleFerret C2 servers; SHA256 hashes for the BeaverTail Windows EXE files, installers, and macOS Mach-O executable file; and the BeaverTail installer macOS DMG disk image. Although BeaverTail primarily targets macOS users, the malware can also affect Windows users, so defenses need to cover all platforms.
Description last updated: 2024-10-09T12:16:09.299Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
macOS
State Sponso...
Downloader
Browser Exte...
Source Document References
Information about the Beavertail Malware was read from the documents corpus below.