- Ecco come l’AI aggiunge complessità alla cybersicurezza e alle frodi
- The threat of phishing attacks and law enforcement’s role (Part 1)
- 지멘스-액센추어, 제조업 혁신 위한 공동 그룹 출범··· "전문가 7,000명 고용"
- Potential Nvidia chip shortage looms as Chinese customers rush to beat US sales ban
- These tech markets are taking the brunt of the new US tariffs - what that means for you
New BeaverTail Malware Targets Job Seekers via Fake Recruiters
A new version of the BeaverTail malware targeting tech job seekers through fake recruiters has been identified.
The attack, discovered by Unit 42 and part of the ongoing CL-STA-240 Contagious Interview campaign, exploits job search platforms like LinkedIn and X (formerly Twitter), with attackers posing as employers to infect devices with malware.
Initially reported in November 2023, the campaign has since evolved, with new malware versions surfacing.
Recent discoveries include the BeaverTail downloader, compiled using the cross-platform Qt framework as of July 2024. This allows attackers to deploy malware on both macOS and Windows systems from a single source code.
Additionally, code updates have been made to the InvisibleFerret backdoor, which enables further control of infected devices.
BeaverTail: Distribution and Motives
The BeaverTail malware is distributed through files disguised as legitimate applications, such as MiroTalk and FreeConference, deceiving victims into installing the malicious software.
“After the attacker set up a technical interview online, the attacker convinced the potential victim to execute malicious code,” Unit42 explained. “In [one] case, the potential victim purposefully ran the code in a virtual environment, which eventually connected back to the attacker’s command-and-control (C2) server.”
Once installed, BeaverTail runs in the background, stealing sensitive data like browser passwords and cryptocurrency wallet information.
This aligns with the financial motivations often attributed to North Korean cyber actors, as BeaverTail now targets 13 different cryptocurrency wallet browser extensions – up from nine in its earlier variant.
The attack ends in the delivery of the InvisibleFerret backdoor, which is used for keylogging, file exfiltration and even downloading remote control software like AnyDesk.
“[An] important risk that this campaign poses is potential infiltration of the companies who employ the targeted job seekers. A successful infection on a company-owned endpoint could result in collection and exfiltration of sensitive information,” Unit 42 warned.
The firm also reported that ongoing development of the malware’s code suggests the attackers are actively refining their methods between attacks.
Unit 42 advised that both individuals and organizations should remain vigilant, especially in job recruitment scenarios, to prevent falling victim to such sophisticated social engineering campaigns.
