Security news that informs and inspires

New Version of BeaverTail macOS Malware Identified

Researchers have identified a new tool, developed by attackers affiliated with the North Korean government, that is designed to look like a legitimate browser-based video call application and can be used to exfiltrate information from infected machines.

The tool, which was uploaded to the VirusTotal service recently, is embedded in a macOS disk image that mimics the legitimate MiroTalk service. The file was hosted on a site posing as the legitimate MiroTalk site; the malicious site is offline at the moment. Mac security researcher Patrick Wardle analyzed the file and its behavior and found that it is likely a variant of an older piece of malware known as BeaverTail that Palo Alto Networks researchers identified in November. Although the older BeaverTail is JavaScript-based and the newer version is a native Mach-O executable, Wardle said they share similarities and both communicate with the same API endpoints.

MiroTalk is a free video call service that is browser-based and does not require an app download.

BeaverTail is essentially an infostealer and the DPRK threat actors have used it in several campaigns designed to ensnare job-seekers in various ways. The campaigns typically lure victims with potential interviews or other recruiting-related topics. Once it’s on a new machine, BeaverTail performs a few basic checks and then eventually downloads a secondary tool called InvisibleFerret.

“As an information stealer, BeaverTail targets cryptocurrency wallets and credit card information stored in the victim’s web browsers. As a loader, BeaverTail retrieves and runs the next stage of malware, InvisibleFerret,” the Palo Alto analysis says.

“The BeaverTail JavaScript file inside an NPM package is heavily obfuscated to evade detection. The threat actor might upload an entire malicious NPM package to GitHub or they might also inject BeaverTail code into other developers’ legitimate NPM projects.”

The newer, native version of BeaverTail that Wardle analyzed exhibits similar behavior. InvisibleFerret is a backdoor written in Python that includes the main malicious capabilities, including keylogging and data exfiltration.

“Specifically from the symbol’s output we see method names (fileUpload, pDownFinished, run) that reveal likely exfiltration and download & execute capabilities,” Wardle said.

“And from embedded strings we see both the address of the likely command & control server, 95.164.17.24:1224, and also hints as to the type of information the malware collects for exfiltration. Specifically browser extension IDs of popular crypto-currency wallets, paths to user browsers’ data, and the macOS keychain. Other strings are related to the download and execution of additional payloads which appear to be malicious Python scripts.”

Among the files that the malware will exfiltrate if they’re present on the machine are keychains and local state files for various browsers, including Chrome, Opera, and Brave.
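The indicators Wardle pulled from the binary (the method names and the C2 address quoted above) are enough for a quick triage check of a suspect Mach-O file. The following script is an added example for defenders, not code from the article or from Wardle's analysis; the sample bytes are constructed here, the "run" symbol is deliberately left out as too generic, and a real signature would need the broader string set the article only describes.

```python
import re
from pathlib import Path

# Indicators quoted in the article (method names and C2 address); "run" omitted as too generic.
BEAVERTAIL_INDICATORS = {
    "symbol:fileUpload": rb"fileUpload",
    "symbol:pDownFinished": rb"pDownFinished",
    "c2:95.164.17.24:1224": rb"95\.164\.17\.24:1224",
}

# Mach-O magic numbers as they appear on disk (32/64-bit, both byte orders, and fat binaries).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64
    b"\xca\xfe\xba\xbe",                      # FAT_MAGIC (universal binary)
}


def is_macho(data: bytes) -> bool:
    """True if the buffer starts with a Mach-O or fat-binary magic number."""
    return data[:4] in MACHO_MAGICS


def scan_bytes(data: bytes) -> dict:
    """Report which page-listed indicators occur in the buffer.

    A file is flagged only when it is a Mach-O image AND at least two
    indicators match, so a lone C2 string in a text file (e.g. this
    article saved to disk) does not trigger the verdict.
    """
    hits = sorted(name for name, pat in BEAVERTAIL_INDICATORS.items() if re.search(pat, data))
    macho = is_macho(data)
    return {"macho": macho, "hits": hits, "suspicious": macho and len(hits) >= 2}


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a file on disk."""
    return scan_bytes(Path(path).read_bytes())


# Constructed sample: a fake 64-bit Mach-O header followed by the embedded strings.
SAMPLE_MALICIOUS = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"_fileUpload\x00_pDownFinished\x00http://95.164.17.24:1224/\x00"
# Constructed benign sample: plain text that merely mentions the C2 address.
SAMPLE_BENIGN = b"Indicator noted in report: 95.164.17.24:1224\n"

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_bytes(blob))
```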

“The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their techniques often rely on social engineering (and thus from a technical point of view are rather unimpressive),” Wardle said.