This article discusses a malware distribution incident in which North Korean attackers impersonated a recruitment email from Dev.to to deploy the BeaverTail malware together with a downloader named car.dll. The project file sent to the target was found to contain malicious code, prompting a public disclosure by the developer community. BeaverTail is primarily used for information theft and is typically spread through phishing attacks disguised as job offers. Affected: Malware, Cybersecurity, Developer community
Key points:
- Threat actors impersonated Dev.to to distribute malware.
- The project file contained two malicious components: BeaverTail and car.dll.
- BeaverTail is used for information theft and downloading additional payloads.
- Attacks mainly targeted users through phishing emails disguised as job offers.
- Malware logs indicate potential operation in South Korea.
- Downloader car.dll employs Windows commands, similar to LightlessCan malware.
- Instructions for communication with C&C servers are detailed.
- Security recommendations include caution with unknown email attachments and updating security software.
MITRE Techniques:
- T1027 – Obfuscated Files or Information: The BeaverTail malware includes obfuscated routines to execute hidden functionalities.
- T1071 – Application Layer Protocol: The malware communicates with its C&C servers using HTTP/HTTPS requests.
- T1086 – PowerShell: The downloader utilizes Windows commands, including those executed through a PowerShell-like environment.
- T1203 – Exploitation for Client Execution: The initial infection vector was through a malicious email attachment aimed at developers.
Indicators of Compromise:
- [MD5] 3aed5502118eb9b8c9f8a779d4b09e11
- [MD5] 84d25292717671610c936bca7f0626f5
- [MD5] 94ef379e332f3a120ab16154a7ee7a00
- [URL] http[:]//103[.]35[.]190[.]170/Proxy[.]php
- [IP] 135[.]181[.]242[.]24
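The indicators above are published in defanged form (`[.]`, `[:]`), so they cannot be matched against logs as written. The following script is an added example, not code from the ASEC article or AhnLab: it refangs the listed indicators, then sweeps a few constructed proxy, EDR and firewall log lines for hash, URL and IP matches, with word-boundary checks so that `135.181.242.24` does not match a longer address such as `135.181.242.240`. The log lines and the log field names are constructed for illustration; the only IoC values are the ones listed above.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as listed (defanged) in this summary.
DEFANGED_IOCS = [
    "[MD5] 3aed5502118eb9b8c9f8a779d4b09e11",
    "[MD5] 84d25292717671610c936bca7f0626f5",
    "[MD5] 94ef379e332f3a120ab16154a7ee7a00",
    "[URL] http[:]//103[.]35[.]190[.]170/Proxy[.]php",
    "[IP] 135[.]181[.]242[.]24",
]

# Constructed sample log lines (not real telemetry); field names are assumptions.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z proxy client=10.0.0.5 url=http://103.35.190.170/Proxy.php status=200",
    "2024-01-01T10:00:02Z edr host=dev-01 file=C:\\Users\\dev\\Downloads\\car.dll md5=94EF379E332F3A120AB16154A7EE7A00",
    "2024-01-01T10:00:05Z proxy client=10.0.0.7 url=https://dev.to/jobs status=200",
    "2024-01-01T10:00:09Z fw src=10.0.0.5 dst=135.181.242.24 dport=443 action=allow",
    "2024-01-01T10:00:11Z fw src=10.0.0.9 dst=135.181.242.240 dport=443 action=allow",
]

IOC_LINE = re.compile(r"^\[(?P<kind>[A-Z0-9]+)\]\s+(?P<value>\S+)$")


def refang(value):
    """Undo the common [.] / [:] / hxxp defanging so a value can be matched."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_iocs(lines):
    """Group '[KIND] value' lines by kind; values are refanged and lowercased
    so that hashes match regardless of the casing a tool logs them in."""
    iocs = {}
    for line in lines:
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        iocs.setdefault(m.group("kind"), set()).add(refang(m.group("value")).lower())
    return iocs


def ip_pattern(ip):
    """Anchor an address so 1.2.3.4 does not match 1.2.3.40 or 11.2.3.4."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def match_log(log_lines, iocs):
    """Return sorted (line_no, kind, indicator) tuples for every hit.
    Hosts of URL indicators are also matched as bare IPs, which catches
    traffic to the C&C host even when the logged URL path differs."""
    hashes = iocs.get("MD5", set())
    urls = iocs.get("URL", set())
    ips = set(iocs.get("IP", set()))
    for u in urls:
        host = urlparse(u).hostname
        if host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            ips.add(host)
    patterns = {ip: ip_pattern(ip) for ip in ips}

    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()  # case-insensitive comparison, matching the lowercased IoCs
        hits.extend((n, "MD5", h) for h in hashes if h in low)
        hits.extend((n, "URL", u) for u in urls if u in low)
        hits.extend((n, "IP", ip) for ip, pat in patterns.items() if pat.search(low))
    return sorted(hits)


def scan(ioc_lines=DEFANGED_IOCS, log_lines=SAMPLE_LOG):
    return match_log(log_lines, parse_iocs(ioc_lines))


if __name__ == "__main__":
    for line_no, kind, indicator in scan():
        print(f"line {line_no}: {kind} {indicator}")
```

Running it reports two hits on the proxy line (the full C&C URL and its host address), one hash hit on the EDR line for car.dll, and one firewall hit for the listed IP; the near-miss address on the last line is correctly ignored. Lowercasing the URL indicator makes path matching case-insensitive, which is a deliberate trade of a little precision for robustness against how different tools log URLs.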
Full Story: https://asec.ahnlab.com/en/87299/