BeaverTail Reborn: North Korean Hackers Update Malware to Target macOS Users


In the ever-evolving landscape of cybersecurity threats, North Korean hackers have once again demonstrated their ingenuity by updating the notorious BeaverTail malware to target macOS users. This latest development, uncovered by cybersecurity researchers, highlights the persistent and adaptive nature of cyber espionage campaigns linked to the Democratic People’s Republic of Korea (DPRK).

The Discovery

The latest variant of BeaverTail was identified in an Apple macOS disk image (DMG) file named “MiroTalk.dmg.” At first glance, this file appears to be a legitimate version of MiroTalk, a known video call service. However, upon closer inspection, it was revealed to be a malicious conduit for delivering BeaverTail, a stealer malware. Security researcher Patrick Wardle was among the first to identify and report this deceptive tactic.

BeaverTail: A Closer Look

BeaverTail, a JavaScript-based stealer malware, was first documented by Palo Alto Networks’ Unit 42 in November 2023. The malware was initially part of a campaign called Contagious Interview, which aimed to infect software developers by posing as job interview processes. Another cybersecurity firm, Securonix, has been tracking similar activities under the moniker DEV#POPPER.

The primary function of BeaverTail is to siphon sensitive information from web browsers, cryptocurrency wallets, and even the iCloud Keychain. Additionally, it has the capability to deliver further malicious payloads, such as InvisibleFerret. InvisibleFerret is a Python backdoor responsible for downloading and installing AnyDesk for persistent remote access, thereby granting attackers prolonged control over the compromised systems.

New Distribution Tactics

Historically, BeaverTail has been distributed through fake npm packages hosted on platforms like GitHub and the npm package registry. The recent discovery marks a shift in the malware’s distribution vector. According to Wardle, the DPRK hackers likely invited potential victims to join a hiring meeting via a malicious version of MiroTalk hosted on a compromised site, mirotalk[.]net.

An in-depth analysis of the unsigned DMG file revealed that it is designed to steal data from web browsers such as Google Chrome, Brave, and Opera, as well as from cryptocurrency wallets and iCloud Keychain. Moreover, it can download and execute additional Python scripts from a remote server, further enhancing its malicious capabilities.

Wardle noted that while the techniques employed by North Korean hackers often rely heavily on social engineering, their adaptability and persistence in targeting macOS users are noteworthy. “The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique often relies on social engineering,” Wardle said.

Related Malicious Activities

This revelation comes on the heels of another significant finding by Phylum, a cybersecurity firm that uncovered a new malicious npm package named call-blockflow. This package, almost identical to the legitimate call-bind, incorporates complex functionality designed to download a remote binary file while evading detection. The package, suspected to be the work of the North Korea-linked Lazarus Group, was taken down about an hour and a half after its upload to npm but not before it attracted 18 downloads.

Phylum’s analysis suggests that this activity, which involves over three dozen malicious packages, has been ongoing since September 2023. These packages are designed to download a remote file, decrypt it, execute a function from it, and then meticulously cover their tracks by deleting and renaming files, leaving the package directory in a seemingly benign state after installation.
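The post-install cover-up described above (files deleted and renamed so the package directory looks benign) leaves a measurable gap between what the published tarball contains and what sits in node_modules afterwards. The following is an added example, not code from the article or from Phylum: it diffs the two file lists and flags install-time scripts; the package name, file lists and hook are constructed for illustration.

```python
import json
from typing import Dict, List

# npm lifecycle hooks that execute code at install time.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_package(package_json: Dict, tarball_files: List[str],
                  installed_files: List[str]) -> Dict:
    """Compare the registry tarball's file list with the installed directory.

    tarball_files: paths listed in the published tarball (for example from
    `tar tzf <pkg>.tgz` with the leading `package/` prefix stripped).
    installed_files: paths found in node_modules/<pkg> after `npm install`.
    """
    scripts = package_json.get("scripts") or {}
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    declared, present = set(tarball_files), set(installed_files)
    missing = sorted(declared - present)      # deleted after install
    unexpected = sorted(present - declared)   # created or renamed after install
    findings = []
    if hooks:
        findings.append("install-time script(s): " + ", ".join(sorted(hooks)))
    if missing:
        findings.append("files removed after install: " + ", ".join(missing))
    if unexpected:
        findings.append("files not in published tarball: " + ", ".join(unexpected))
    return {"hooks": hooks, "missing": missing, "unexpected": unexpected,
            "suspicious": bool(findings), "findings": findings}


# Constructed sample (not a real package): a lookalike whose postinstall
# loader deletes itself and renames a dropped file once it has run.
SAMPLE_PACKAGE_JSON = {
    "name": "example-lookalike",
    "version": "1.0.0",
    "scripts": {"postinstall": "node lib/loader.js"},
}
SAMPLE_TARBALL_FILES = ["package.json", "index.js", "lib/loader.js", "README.md"]
SAMPLE_INSTALLED_FILES = ["package.json", "index.js", "README.md", "lib/util.js"]


def run_sample() -> Dict:
    return audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_TARBALL_FILES,
                         SAMPLE_INSTALLED_FILES)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

A clean package with no lifecycle hooks and identical file lists returns `suspicious: False`, so the check can run over every directory in node_modules after an install.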


Broader Implications

These findings coincide with a warning from JPCERT/CC, the Japan Computer Emergency Response Team Coordination Center, about cyberattacks orchestrated by the North Korean Kimsuky group targeting Japanese organizations. The Kimsuky group’s attacks typically begin with phishing messages impersonating security and diplomatic organizations. These messages contain a malicious executable that, once opened, downloads a Visual Basic Script (VBS). The VBS then retrieves a PowerShell script to gather user account, system, and network information, as well as enumerate files and processes. This collected information is exfiltrated to a command-and-control (C2) server, which responds with a second VBS file to fetch and run a PowerShell-based keylogger named InfoKey.

JPCERT/CC has cautioned that while there have been few reports of Kimsuky targeting Japanese organizations, there is a significant possibility that Japan is also being actively targeted.

Conclusion

The continuous evolution of BeaverTail and the emergence of new malicious packages like call-blockflow underscore the relentless efforts of North Korean hackers to infiltrate systems and steal sensitive information. As these cyber threats grow more sophisticated, it becomes increasingly crucial for organizations and individuals to remain vigilant, keep their systems updated, and employ robust cybersecurity measures.
