- The IT complexity puzzle and how modernizing IT service management can help CIOs solve it and unlock growth
- First combined AI-RAN network from Nvidia and SoftBank supports inferencing, claims return of $5 for every $1 invested
- 웨이모, 엠마(EMMA) 논문 공개 "멀티모달 모델을 자율 주행 영역으로 확장"
- 네이버 밴드, 미국 월간 활성 사용자 600만 돌파 "3년 만에 2배 성장"
- 칼럼 | 적절한 의도와 잘못된 주체…오픈AI '심플QA'의 한계
New BeaverTail Malware Targets Job Seekers via Fake Recruiters
A new version of the BeaverTail malware targeting tech job seekers through fake recruiters has been identified.
The attack, discovered by Unit 42 and part of the ongoing CL-STA-240 Contagious Interview campaign, exploits job search platforms like LinkedIn and X (formerly Twitter), with attackers posing as employers to infect devices with malware.
Initially reported in November 2023, the campaign has since evolved, with new malware versions surfacing.
Recent discoveries include the BeaverTail downloader, compiled using the cross-platform Qt framework as of July 2024. This allows attackers to deploy malware on both macOS and Windows systems from a single source code.
Additionally, code updates have been made to the InvisibleFerret backdoor, which enables further control of infected devices.
BeaverTail: Distribution and Motives
The BeaverTail malware is distributed through files disguised as legitimate applications, such as MiroTalk and FreeConference, deceiving victims into installing the malicious software.
“After the attacker set up a technical interview online, the attacker convinced the potential victim to execute malicious code,” Unit42 explained. “In [one] case, the potential victim purposefully ran the code in a virtual environment, which eventually connected back to the attacker’s command-and-control (C2) server.”
Once installed, BeaverTail runs in the background, stealing sensitive data like browser passwords and cryptocurrency wallet information.
This aligns with the financial motivations often attributed to North Korean cyber actors, as BeaverTail now targets 13 different cryptocurrency wallet browser extensions – up from nine in its earlier variant.
The attack ends in the delivery of the InvisibleFerret backdoor, which is used for keylogging, file exfiltration and even downloading remote control software like AnyDesk.
“[An] important risk that this campaign poses is potential infiltration of the companies who employ the targeted job seekers. A successful infection on a company-owned endpoint could result in collection and exfiltration of sensitive information,” Unit 42 warned.
The firm also reported that ongoing development of the malware’s code suggests the attackers are actively refining their methods between attacks.
Unit 42 advised that both individuals and organizations should remain vigilant, especially in job recruitment scenarios, to prevent falling victim to such sophisticated social engineering campaigns.
