Bored BeaverTail & InvisibleFerret Yacht Club – The Lazarus Lure, Part 2

Summary:

eSentire’s Threat Response Unit (TRU) recently addressed a significant cybersecurity incident involving the BeaverTail and InvisibleFerret malware. The attack targeted a software developer who inadvertently downloaded a malicious JavaScript project from a BitBucket repository. Once run, the project’s BeaverTail code deployed the InvisibleFerret backdoor, which stole browser credentials and other sensitive data and uploaded it to a command and control server. eSentire’s SOC analysts quickly isolated the affected host and provided recommendations for enhanced security measures.

Keypoints:

  • eSentire operates 24/7 SOCs with elite threat hunters and cyber analysts.
  • Recent threats include the Kaseya MSP breach and the more_eggs malware.
  • The TRU team investigates and responds to confirmed threats, providing actionable insights.
  • In October 2024, a software developer downloaded a JavaScript project containing BeaverTail malware.
  • Running the project executed its malicious JavaScript files (error.js and server.js are listed under IoC), which in turn deployed the Python-based InvisibleFerret backdoor.
  • Initial access was gained through a ZIP file downloaded from a BitBucket project.
  • The attack was linked to North Korean threat actors targeting software developers.
  • Recommendations include implementing EDR solutions and security awareness training.

MITRE Techniques

  • Initial Access (T1566.003, Phishing: Spearphishing via Service): Developer lured into downloading a malicious ZIP file from a BitBucket project.
  • Execution (T1059.007, Command and Scripting Interpreter: JavaScript): Malicious JavaScript files run through Node Package Manager (NPM).
  • Credential Access (T1555.003, Credentials from Password Stores: Credentials from Web Browsers): Browser credentials stolen by the InvisibleFerret malware.
  • Exfiltration (T1041, Exfiltration Over C2 Channel): Sensitive files uploaded to the command and control server.
  • Command and Control (T1071, Application Layer Protocol): Command and control server used to communicate with compromised systems.

IoC:

  • [domain] freelancermap.com (legitimate freelance platform; listed for context, not as a blocklist entry)
  • [domain] bitbucket.org (legitimate code hosting service that delivered the ZIP; listed for context, not as a blocklist entry)
  • [ip address] 185.235.241.208
  • [file name] task-space-eshop-aeea6cc51a7c.zip
  • [file name] .sysinfo
  • [file name] error.js
  • [file name] server.js
  • [file name] pay_campaignid_subid.py
  • [file name] brow_campaignid_subid.py
  • [file name] mlip_campaignid_subid.py
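The execution path above (project JavaScript launched through NPM) and the file-name IoCs can be checked before anyone runs `npm install` or `npm start` on a downloaded project. The script below is an added example written for this page, not eSentire’s tooling; it flags package.json lifecycle scripts that invoke node, file names matching the IoC list (with the pay/brow/mlip_campaignid_subid.py pattern generalised to any IDs), and the listed IP. The JavaScript heuristics (eval, Function, child_process, long encoded blobs) are the editor’s assumptions about what a BeaverTail-style loader looks like, not indicators from the report, and the sample project it builds is constructed, not the real archive contents.

```python
"""Triage a downloaded Node.js project before running npm on it.

Added example (not eSentire's code). IoC names and the IP come from the
report; the obfuscation heuristics below are assumptions, not reported IoCs.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

IOC_IP = "185.235.241.208"
# Reported file names; the campaignid/subid placeholders are matched as any ids.
IOC_FILE_RE = re.compile(
    r"^(?:\.sysinfo|error\.js|server\.js|(?:pay|brow|mlip)_[^_]+_[^_]+\.py)$"
)
# Heuristics (assumption): constructs typical of obfuscated JS loaders.
SUSPICIOUS_JS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bnew\s+Function\s*\("), "Function constructor"),
    (re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"), "child_process"),
    (re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), "long base64-like string"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), "hex-escaped string"),
    (re.compile(re.escape(IOC_IP)), "IoC IP address"),
]
# npm runs these automatically (install hooks) or on the usual `npm start`.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "start"}


def scan_package_json(root: Path) -> list[str]:
    """Report npm scripts that hand control to node, the execution step in the report."""
    pkg = root / "package.json"
    if not pkg.is_file():
        return []
    try:
        scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
    except (json.JSONDecodeError, UnicodeDecodeError):
        return ["package.json: unparseable"]
    return [
        f"package.json: '{hook}' runs node: {cmd}"
        for hook, cmd in scripts.items()
        if hook in LIFECYCLE_HOOKS and re.search(r"\bnode\b", cmd)
    ]


def scan_project(root: Path) -> list[str]:
    """Walk the extracted project and collect IoC matches and heuristic hits."""
    findings = scan_package_json(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        if IOC_FILE_RE.match(path.name):
            findings.append(f"{rel}: file name matches reported IoC")
        if path.suffix == ".js":
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(f"{rel}: {label}" for pat, label in SUSPICIOUS_JS if pat.search(text))
    return findings


def build_sample_project(root: Path) -> None:
    """Constructed stand-in for the downloaded project; not the real archive contents."""
    (root / "package.json").write_text(json.dumps({
        "name": "task-space-eshop",
        "scripts": {"start": "node server.js", "postinstall": "node error.js"},
    }), encoding="utf-8")
    (root / "server.js").write_text(
        "const express = require('express');\n"
        "require('./error.js');  // side-loaded on start\n"
        "express().listen(3000);\n", encoding="utf-8")
    blob = "A" * 240  # stands in for an encoded second stage
    (root / "error.js").write_text(
        "const cp = require('child_process');\n"
        f"const p = \"{blob}\";\n"
        "eval(Buffer.from(p, 'base64').toString());\n"
        f"const c2 = 'http://{IOC_IP}/';\n", encoding="utf-8")
    (root / "src").mkdir()
    (root / "src" / "app.js").write_text("module.exports = () => 'ok';\n", encoding="utf-8")


def run_demo() -> list[str]:
    """Build the constructed sample in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_project(root)
        return scan_project(root)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Against a real download, call `scan_project(Path("task-space-eshop-aeea6cc51a7c"))` on the extracted folder; any finding on a lifecycle hook is reason enough to read the referenced file before letting npm run it, since `npm install` executes install hooks without prompting.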


Full Research: https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2