North Korean Hackers Attacking Developers With Weaponized JavaScript Projects

North Korean threat actors are targeting software developers with weaponized JavaScript projects that carry the BeaverTail malware, delivered as NPM packages.

BeaverTail is designed to steal information and to load further malware stages, notably a multi-stage Python-based backdoor called InvisibleFerret.

The InvisibleFerret backdoor logs keystrokes, exfiltrates sensitive files, and downloads the AnyDesk tool, which lets the attackers remotely manage the device. The malware additionally steals credit card numbers and browser credentials.

Threat Actors’ Tactics, Techniques, And Procedures (TTPs)

The victim’s ZIP file contained a malicious NPM package that, once installed, runs the “server.js” file declared in “package.json”, which in turn loads a malicious JavaScript file (error.js).

The “server.js” file serves as the entry point that pulls in the file found at “backend/middlewares/helpers/error.js”, which carries out the further malicious actions on the victim’s computer.

Those actions include stealing saved browser login credentials; gathering system data; enumerating cryptocurrency wallet extensions in the targeted browsers; and stealing configuration data from cryptocurrency wallets such as Exodus and Solana.


The eSentire Threat Intelligence team identified the heavily obfuscated JavaScript file error.js as a BeaverTail malware component.

error.js identified as a BeaverTail malware component

Once the JavaScript code has loaded, BeaverTail contacts a command and control (C2) server and first downloads the initial InvisibleFerret Python script, which then fetches the remaining InvisibleFerret components.

Initial BeaverTail Python Script Fetches InvisibleFerret

“It’s also worth noting that a total of 21 crypto extensions were targeted by the BeaverTail in our observed sample”, researchers said.

InvisibleFerret Components

The findings are noteworthy and align with the TTPs of the Contagious Interview campaign, which lures software developers with fake jobs.

Recommendations

  • Assume that sensitive files, passwords, and keys on affected hosts have been compromised, and take the necessary steps, including rotating passwords and keys.
  • Verify that Endpoint Detection and Response (EDR) solutions are installed on every device.
  • Employers should run a Phishing and Security Awareness Training (PSAT) program to alert and educate staff about new risks in the threat ecosystem.
  • Make sure your company has a corporate policy in place on the appropriate use of company devices.


The post North Korean Hackers Attacking Developers With Weaponized JavaScript Projects appeared first on Cyber Security News.