BeaverTail is a sophisticated malware family associated with North Korean threat actors. It is built to compromise and damage computer systems, typically infiltrating without the user's knowledge through suspicious downloads, emails, or websites. In recent instances, North Korean attackers have been linked to social engineering attacks in which they pose as job recruiters. They trick victims into installing what is presented as software for the video-calling service MiroTalk but is in fact the macOS BeaverTail malware. This tactic forms part of a wider strategy known as the Contagious Interview campaign.
The Contagious Interview campaign's updated tactics, techniques, and procedures (TTPs) have recently been detailed by the Objective-See Foundation and Group-IB. In this scheme, threat actors set up fake video conferencing websites imitating MiroTalk and FreeConference. Unsuspecting targets are lured into downloading conference call installers embedded with the BeaverTail malware. During these interviews, the attackers also hand candidates npm projects (npm being the package manager of the JavaScript ecosystem) that contain malicious content, leading to further BeaverTail infections once the project is installed or run.
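Because `npm install` executes lifecycle scripts (preinstall, install, postinstall, prepare) before anyone has read the project, a defender-side triage step for an npm project received from a "recruiter" is to inspect its package.json without installing it. The following script is an added example, not code from the page or from Objective-See or Group-IB; the sample package.json and the pattern list are constructed for illustration and are generic install-time red flags, not BeaverTail-specific indicators.

```python
import json
import re

# Lifecycle scripts that npm runs automatically during `npm install`,
# i.e. before any code in the project has been deliberately executed.
AUTO_RUN_SCRIPTS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Illustrative patterns (assumption: generic install-time red flags, not
# indicators taken from any particular malware sample).
SUSPICIOUS_PATTERNS = [
    (r"\bnode\s+-e\b", "inline node eval"),
    (r"\b(curl|wget)\b", "downloads content at install time"),
    (r"\bbase64\b", "base64 encoding/decoding in a script"),
    (r"\bpowershell\b", "invokes PowerShell"),
    (r"\b(bash|sh)\s+-c\b", "shell -c execution"),
]


def audit_package_json(text):
    """Return (severity, location, reason) findings for a package.json document.

    Severity is "high" for scripts npm runs on its own during install and
    "medium" for suspicious script contents or dependencies fetched from
    outside the npm registry (git/http/file specs), which can carry
    arbitrary, unreviewed code.
    """
    pkg = json.loads(text)
    findings = []

    for name, cmd in (pkg.get("scripts") or {}).items():
        if name in AUTO_RUN_SCRIPTS:
            findings.append(("high", name, f"runs automatically during npm install: {cmd}"))
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if re.search(pattern, cmd):
                findings.append(("medium", name, reason))

    for field in ("dependencies", "devDependencies"):
        for dep, spec in (pkg.get(field) or {}).items():
            if spec.startswith(("git+", "http://", "https://", "github:", "file:")):
                findings.append(("medium", f"{field}.{dep}", f"non-registry dependency: {spec}"))

    return findings


# Constructed sample: a fake "interview task" project (hypothetical names).
SAMPLE_PACKAGE_JSON = r"""
{
  "name": "interview-task",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node -e \"require('./setup.js')\""
  },
  "dependencies": {
    "express": "^4.18.2",
    "helper-lib": "git+https://example.invalid/helper.git"
  }
}
"""


def main():
    for severity, where, reason in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{severity}] {where}: {reason}")


if __name__ == "__main__":
    main()
```

Run it against the project's package.json before `npm install`; anything rated "high" means code will execute merely by installing, which is the moment to stop and read `setup.js` (or whatever the script references) in an isolated environment rather than on a workstation holding browser profiles and wallet extensions. Running `npm install --ignore-scripts` is a further mitigation, but it does not cover code that runs later when the project itself is started.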
Two pieces of malware are associated with this campaign: the BeaverTail downloader and the InvisibleFerret backdoor. Their data-theft focus aligns with the financial motivations often attributed to North Korean cyber actors. Notably, BeaverTail now targets 13 different cryptocurrency wallet browser extensions, up from nine in its earlier variant. Once installed, BeaverTail operates stealthily in the background, stealing sensitive data such as browser passwords and cryptocurrency wallet information, and thereby poses a significant threat to personal security and financial assets.
Description last updated: 2024-11-15T16:07:07.932Z