A new version of the BeaverTail malware targeting tech job seekers through fake recruiters has been identified.
The attack, discovered by Unit 42 and part of the ongoing CL-STA-240 Contagious Interview campaign, exploits job search platforms like LinkedIn and X (formerly Twitter), with attackers posing as employers to infect devices with malware.
Initially reported in November 2023, the campaign has since evolved, with new malware versions surfacing.
Recent discoveries include the BeaverTail downloader, compiled using the cross-platform Qt framework as of July 2024. This allows attackers to deploy malware on both macOS and Windows systems from a single source code.
Additionally, code updates have been made to the InvisibleFerret backdoor, which enables further control of infected devices.
BeaverTail: Distribution and Motives
The BeaverTail malware is distributed through files disguised as legitimate applications, such as MiroTalk and FreeConference, deceiving victims into installing the malicious software.
“After the attacker set up a technical interview online, the attacker convinced the potential victim to execute malicious code,” Unit42 explained. “In [one] case, the potential victim purposefully ran the code in a virtual environment, which eventually connected back to the attacker’s command-and-control (C2) server.”
Once installed, BeaverTail runs in the background, stealing sensitive data like browser passwords and cryptocurrency wallet information.
This aligns with the financial motivations often attributed to North Korean cyber actors, as BeaverTail now targets 13 different cryptocurrency wallet browser extensions – up from nine in its earlier variant.
The attack ends in the delivery of the InvisibleFerret backdoor, which is used for keylogging, file exfiltration and even downloading remote control software like AnyDesk.
“[An] important risk that this campaign poses is potential infiltration of the companies who employ the targeted job seekers. A successful infection on a company-owned endpoint could result in collection and exfiltration of sensitive information,” Unit 42 warned.
The firm also reported that ongoing development of the malware’s code suggests the attackers are actively refining their methods between attacks.
Unit 42 advised that both individuals and organizations should remain vigilant, especially in job recruitment scenarios, to prevent falling victim to such sophisticated social engineering campaigns.