A new attack method from Lazarus threatens blockchain experts.
The Lazarus group continues to actively develop its cyberattack campaign in 2024, using new and more sophisticated methods. As part of the "Contagious Interview" campaign, attackers inject malware into victims' systems under the guise of job interviews. A key element of this attack is getting the victim to download a Node.js-based project containing malware called BeaverTail, which then installs the InvisibleFerret Python backdoor.
BeaverTail was first spotted in November 2023 as JavaScript malware. However, in 2024, researchers discovered a new version for macOS. In addition, a fake Windows video conferencing application disguised as a legitimate program was recently identified, which also turned out to be part of the BeaverTail attack.
The researchers noted that Lazarus is adapting its tools and adding new features to improve the stealth of attacks. For example, it was discovered that the Python version of BeaverTail includes support for remote access via AnyDesk and is used to exfiltrate data via Telegram. The group chooses professionals in the field of blockchain technologies and games as targets, expanding its attacks on repositories related to cryptocurrencies and gaming projects.
There is also an active use of fake video conferencing applications. For example, one such application, named FCCCall, is a copy of a legitimate service, but when installed, it runs malicious processes silently. It collects data from browsers, cryptocurrency wallet extensions, and password managers, and then transmits it to a remote server of the attackers.
The analysis showed that Lazarus injects its tools through code collaboration platforms such as GitHub, hiding malicious scripts inside legitimate projects. These scripts load the core components of BeaverTail, including Python libraries, as well as a set of scripts that the researchers have dubbed CivetQ. These tools allow attackers to access data from browsers, steal information from password managers and cryptocurrency wallets, and maintain control over infected devices through AnyDesk.
The malware is under active development: its code is updated regularly and new features are added, such as stealing data from browsers and two-factor authentication applications, and the list of targets keeps expanding to include password managers and Microsoft Sticky Notes.
Lazarus cyberattacks continue to pose a significant threat. Thoroughly inspecting programs and applications before installation, as well as using modern cybersecurity tools such as antivirus programs and digital risk protection solutions, will help reduce the likelihood of successful infiltration of such threats into systems.
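One concrete form the "inspect before installing" advice can take for the Node.js project vector described above is a pre-install triage of the cloned project's package.json. The script below is an added example, not code from the article or from any of the researchers it cites; its detection patterns are heuristics chosen for illustration, and the sample package.json is constructed.

```python
# Added example: pre-install triage of a cloned Node.js project's package.json.
# npm runs lifecycle scripts such as postinstall automatically on `npm install`,
# so they, and dependencies fetched from URLs instead of the registry, deserve
# a manual look before the project is installed or run.
import json
import re

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Heuristic patterns for a reviewer to inspect by hand (assumption, not a rule).
SUSPICIOUS_SCRIPT_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\bnode\s+-e\b", r"\beval\b",
    r"base64", r"https?://",
]
URL_DEP_RE = re.compile(r"^(git\+|https?://|git://|github:)")

def triage_package_json(text: str) -> dict:
    """Return review findings for a package.json document given as a string."""
    pkg = json.loads(text)
    findings = {"lifecycle_scripts": {}, "url_dependencies": {}, "flagged_scripts": {}}
    for name, cmd in pkg.get("scripts", {}).items():
        if name in LIFECYCLE_HOOKS:
            findings["lifecycle_scripts"][name] = cmd
        if any(re.search(p, cmd) for p in SUSPICIOUS_SCRIPT_PATTERNS):
            findings["flagged_scripts"][name] = cmd
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep, spec in pkg.get(section, {}).items():
            if URL_DEP_RE.match(spec):
                findings["url_dependencies"][dep] = spec
    return findings

# Constructed sample: a hook that runs code on install plus a git-hosted dependency.
SAMPLE_PACKAGE_JSON = """{
  "name": "interview-task",
  "scripts": {
    "postinstall": "node -e \\"require('./setup')\\"",
    "test": "jest"
  },
  "dependencies": {
    "express": "^4.19.0",
    "helper": "git+https://example.invalid/helper.git"
  }
}"""

if __name__ == "__main__":
    for kind, items in triage_package_json(SAMPLE_PACKAGE_JSON).items():
        for name, value in items.items():
            print(f"[{kind}] {name}: {value}")
```

A clean result does not prove a project is safe; the check only surfaces the places where install-time execution or non-registry code can hide.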
Source