Recent reporting highlights a rise in North Korean activity in which the Lazarus Group uses fake job interviews to deliver malware, chiefly to targets in the technology, finance, and cryptocurrency sectors. Of note is InvisibleFerret, a Python-based backdoor that gives the operators reconnaissance, data theft, and persistent access. Affected: technology sector, financial sector, cryptocurrency sector
Keypoints :
- North Korean Lazarus Group employs fake job interviews as a tactic for cyber intrusions.
- The malware distributed includes QRLog, Docks/RustDoor, BeaverTail, and InvisibleFerret.
- InvisibleFerret is a complex Python-based backdoor with over 100 functions.
- Key capabilities of InvisibleFerret include reconnaissance and data exfiltration.
- Targets specifically include sensitive files, source code, and cryptocurrency wallets.
- Before exfiltration, collected files are compressed into password-protected archives; the passwords used are weak.
- BeaverTail, delivered as a malicious NPM module, is the first stage and leads to the deployment of InvisibleFerret.
- ANY.RUN sandbox provides analysis of InvisibleFerret’s behaviors and actions in real-time.
- The malware's network requests mix malicious traffic with requests to legitimate services (for example the ip-api.com geolocation lookup), which makes them harder to pick out in network logs.
- Understanding techniques like T1016 (System Network Configuration Discovery) helps identify and counter such threats.
MITRE Techniques :
- T1016 – System Network Configuration Discovery: InvisibleFerret queries ip-api.com to learn the infected host's public IP address and geolocation.
- Data Exfiltration (no technique ID given in the source): collects sensitive files and browser data, including cookies and saved passwords, and sends them to the operators.
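The two observations above (the T1016 lookup of ip-api.com and the later upload of an archive of collected data) can be turned into a simple correlation rule. The Python below is an added example written for this page, not code from ANY.RUN or from the malware analysis. It runs over a constructed, made-up log in a simplified "timestamp host process method url bytes_out" format; only ip-api.com comes from the analysis, while the interpreter names, the 1 MB upload threshold, the 30-minute window, the hostnames and the 203.0.113.7 address (a documentation range) are assumptions. A geolocation lookup from a script interpreter alone is rated medium; the same interpreter pushing a large POST shortly afterwards is rated high.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# ip-api.com is the lookup service named in the analysis; everything else here
# (interpreter names, thresholds, window) is an assumption made for this example.
GEOIP_HOSTS = {"ip-api.com"}
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "python3", "node.exe", "node"}
UPLOAD_BYTES = 1_000_000        # an outbound body this large looks like an archive, not a beacon
WINDOW = timedelta(minutes=30)  # how long after the lookup we look for the upload


@dataclass
class Event:
    ts: datetime
    host: str
    process: str
    method: str
    url: str
    bytes_out: int


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log: ts host process method url bytes_out."""
    ts, host, proc, method, url, bytes_out = line.split()
    return Event(datetime.fromisoformat(ts), host, proc.lower(), method.upper(), url, int(bytes_out))


def url_host(url: str) -> str:
    """Return the lowercase hostname of a URL without scheme, port or path."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def detect(lines):
    """Return one finding per geolocation lookup made by a script interpreter."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    findings = []
    for host, evs in by_host.items():
        for lookup in evs:
            if url_host(lookup.url) not in GEOIP_HOSTS or lookup.process not in SCRIPT_INTERPRETERS:
                continue  # a browser visiting ip-api.com is not interesting on its own
            # Same interpreter sending a large POST inside the window after the lookup:
            # the collect, archive, exfiltrate sequence described in the analysis.
            upload = next(
                (e for e in evs
                 if e.process == lookup.process and e.method == "POST"
                 and lookup.ts < e.ts <= lookup.ts + WINDOW
                 and e.bytes_out >= UPLOAD_BYTES),
                None,
            )
            findings.append({
                "host": host,
                "process": lookup.process,
                "technique": "T1016",
                "lookup_at": lookup.ts.isoformat(),
                "severity": "high" if upload else "medium",
                "upload_to": url_host(upload.url) if upload else None,
            })
    return findings


# Constructed sample log: hostnames, timestamps and the 203.0.113.7 address are made up.
SAMPLE_LOG = """\
2024-05-02T10:00:01 WS-042 chrome.exe GET https://www.npmjs.com/package/example 512
2024-05-02T10:00:05 WS-042 node.exe GET http://ip-api.com/json 0
2024-05-02T10:00:06 WS-042 node.exe GET https://registry.npmjs.org/example/-/example-1.0.0.tgz 0
2024-05-02T10:03:40 WS-042 python.exe GET http://ip-api.com/json 0
2024-05-02T10:03:41 WS-042 python.exe GET https://pypi.org/simple/requests/ 0
2024-05-02T10:04:02 WS-042 python.exe POST http://203.0.113.7/upload 4300000
2024-05-02T10:05:00 WS-019 chrome.exe GET http://ip-api.com/json 0
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Plain proxy logs do not carry the originating process name; the process column assumed here needs endpoint telemetry (for example Sysmon network events or an EDR that tags connections with the image path). Without it, the lookup-then-upload pattern can still be correlated per host, but the script-interpreter filter that keeps the chrome.exe lookup out of the results is lost, so expect more benign hits.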
Indicator of Compromise :
- No IoC found