One Article Review

Home - The article:
Source Contagio
Identifier 8575417
Publication date 2024-09-12 14:11:31 (viewed: 2024-09-12 18:17:15)
Title 2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples
Text
2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related

This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea). There is a more recent campaign, VMCONNECT, described by Reversing Labs here: 2024-09-10 Fake recruiter coding tests target devs with malicious Python packages, but I don't have samples for that one. These campaigns target job-seeking activities to deploy malware and conduct espionage.

Contagious Interview (CL-STA-0240): The campaign targets software developers by posing as employers and convincing them to download malicious NPM packages during fake job interviews. The malware, BeaverTail and InvisibleFerret, is cross-platform, running on Windows, Linux, and macOS.

BeaverTail: A JavaScript-based malware that steals cryptocurrency wallet information and loads the second-stage payload, InvisibleFerret.

InvisibleFerret: A Python-based backdoor with capabilities including fingerprinting, remote control, keylogging, and browser credential theft. It communicates with a C2 server using JSON-formatted messages and supports commands for data exfiltration and additional malware deployment.

The threat actors use GitHub to host malicious NPM packages, creating accounts with minimal activity to avoid detection.

Wagemole (CL-STA-0241): Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea's weapons programs and potentially conduct espionage.

Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. These documents impersonate IT professionals and aim to gain unauthorized employment at US companies.

Download
Notes ★★
Sent Yes
Tags Malware Threat
Stories APT 38


The article does not appear to have been picked up after its publication.


The article does not appear to repeat a previous one.