DPRK Threat Actors Target Tech Job Seekers with BeaverTail and InvisibleFerret Malware

    Date: 10/10/2024

    Severity: Medium

    Summary

    The article "Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware" describes ongoing activity by North Korean threat actors tracked as the CL-STA-240 Contagious Interview campaign. Posing as recruiters, the actors target tech industry job seekers and lure them into installing malware on their own devices. Since it was first reported in November 2023, the campaign has shown renewed online activity along with updated versions of the BeaverTail downloader and the InvisibleFerret backdoor. Notably, BeaverTail has been compiled with the Qt framework for both macOS and Windows, indicating that the actors have broadened the platforms they target.

    Indicators of Compromise (IOC) List

    IP Address

    185.235.241.208

    95.164.17.24

    Hash (SHA-256)

    e0568196f1494137a5bbee897a37bc4fe15f87175b57a30403450a88486190c4
    d0a5b9dc988834cc930624661e6e7dd1943d480d75594fff0f4bc39d229c5999
    9ece783ac52c9ec2f6bdfa669763a7ed1bbb24af1e04e029a0a91954582690cf
    589e22005aa166b207a7aa7384dd3c7f90b71775688e587108801c3894a43358
    486a9a79bbb81abee2e81679ace6267c3f3e37d9b8c8074f9ec7aebc9be75cdd
    07183a60ebcb02546c53e82d92da3ddcf447d7a1438496c4437ec06b4d9eb287
    de6f9e9e2ce58a604fe22a9d42144191cfc90b4e0048dffcc69d696826ff7170
    000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923
    4343fa4e313a61f10de08fa5b1b8acb98589faf5739ab5b606f540983b630f79
    9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c
    fd9e8fcc5bda88870b12b47cbb1cc8775ccff285f980c4a2b683463b26e36bf0
    1c218d15b35b79d762b966db8bc2ca90fc62a95903bd78ac85648de1d828dbce
    6e065f1e4d1d8232da5de830d270a13fff8284a91e81c060377ebe66aa75d81d
    0f5f0a3ac843df675168f82021c24180ea22f764f87f82f9f77fe8f0ba0b7132
    10f86be3e564f2e463e45420eb5f9fbdb14f7427eac665cd9cc7901efbc4cc59
    34170bda5eb84d737577096438a776a968cb36eff88817f12317edcb9d144b35
    9e3a9dbf10793a27361b3cef4d2c87dbd3662646f4470e5242074df4cb96c6b4
    ad8a819d7b68905fa6a8425295755c329504dd0bb48b2fba8dd17e54562b0c6f
    8de446957ce96826628c88da9fd4e7ff9d6327d8004afc4e9e86d59e7d6948dc
    0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd
    b9be6b0ac414ac2a033c17c3ac649417e97e5d0580db796a8ff55169299de50e
    5e820d8b2bd139b3018574c349cd48ce77e7b31cf85e9462712167fcab99b30a
    cde5afd20b7bb5c9457b68e02c13094125025fb974df425020361303dc6fcdfc
    f08e88c7397443e35697e145887af2683a83d2415ccd0c7536cea09e35da9ef7
    8563eecbc85a0c43b689b9d9f31fe5977e630c276dee0d7dbfe1a47ab1ab4550
    36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670
    d5c0b89e1dfbe9f5e5b2c3f745af895a36adf772f0b72a22052ae6dfa045cea6
    a69e89a62203b8f2f89ec12a13e46c71b6b4d505deb19527ff73fd002df9bc6b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("185.235.241.208","95.164.17.24") or ipaddress IN ("185.235.241.208","95.164.17.24") or publicipaddress IN ("185.235.241.208","95.164.17.24") or srcipaddress IN ("185.235.241.208","95.164.17.24")

    Detection Query 2

    sha256hash IN ("e0568196f1494137a5bbee897a37bc4fe15f87175b57a30403450a88486190c4","d0a5b9dc988834cc930624661e6e7dd1943d480d75594fff0f4bc39d229c5999","9ece783ac52c9ec2f6bdfa669763a7ed1bbb24af1e04e029a0a91954582690cf","589e22005aa166b207a7aa7384dd3c7f90b71775688e587108801c3894a43358","486a9a79bbb81abee2e81679ace6267c3f3e37d9b8c8074f9ec7aebc9be75cdd","07183a60ebcb02546c53e82d92da3ddcf447d7a1438496c4437ec06b4d9eb287","de6f9e9e2ce58a604fe22a9d42144191cfc90b4e0048dffcc69d696826ff7170","000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923","4343fa4e313a61f10de08fa5b1b8acb98589faf5739ab5b606f540983b630f79","9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c","fd9e8fcc5bda88870b12b47cbb1cc8775ccff285f980c4a2b683463b26e36bf0","1c218d15b35b79d762b966db8bc2ca90fc62a95903bd78ac85648de1d828dbce","6e065f1e4d1d8232da5de830d270a13fff8284a91e81c060377ebe66aa75d81d","0f5f0a3ac843df675168f82021c24180ea22f764f87f82f9f77fe8f0ba0b7132","10f86be3e564f2e463e45420eb5f9fbdb14f7427eac665cd9cc7901efbc4cc59","34170bda5eb84d737577096438a776a968cb36eff88817f12317edcb9d144b35","9e3a9dbf10793a27361b3cef4d2c87dbd3662646f4470e5242074df4cb96c6b4","ad8a819d7b68905fa6a8425295755c329504dd0bb48b2fba8dd17e54562b0c6f","8de446957ce96826628c88da9fd4e7ff9d6327d8004afc4e9e86d59e7d6948dc","0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd","b9be6b0ac414ac2a033c17c3ac649417e97e5d0580db796a8ff55169299de50e","5e820d8b2bd139b3018574c349cd48ce77e7b31cf85e9462712167fcab99b30a","cde5afd20b7bb5c9457b68e02c13094125025fb974df425020361303dc6fcdfc","f08e88c7397443e35697e145887af2683a83d2415ccd0c7536cea09e35da9ef7","8563eecbc85a0c43b689b9d9f31fe5977e630c276dee0d7dbfe1a47ab1ab4550","36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670","d5c0b89e1dfbe9f5e5b2c3f745af895a36adf772f0b72a22052ae6dfa045cea6","a69e89a62203b8f2f89ec12a13e46c71b6b4d505deb19527ff73fd002df9bc6b")
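    The two queries above are IoC set-membership checks over IP and hash fields. The script below is an added example, not Gurucul's or Unit 42's code, that performs the same matching outside the TDIR platform: it embeds the advisory's IoC values, uses the same field names the queries use, and runs them over constructed sample records (not real telemetry). It also lowercases hash values before lookup, which is the one caveat worth carrying over: a case-sensitive IN (...) match silently misses an uppercase SHA-256 emitted by a different EDR or AV product.

```python
"""Match the advisory's IoCs (C2 IPs and SHA-256 hashes) against log records.

Added example for this advisory, not vendor code. IoC values are the ones
published above; the log records below are constructed samples.
"""

# IoCs exactly as listed in the advisory above.
IOC_IPS = frozenset({"185.235.241.208", "95.164.17.24"})

IOC_SHA256 = frozenset(h.lower() for h in (
    "e0568196f1494137a5bbee897a37bc4fe15f87175b57a30403450a88486190c4",
    "d0a5b9dc988834cc930624661e6e7dd1943d480d75594fff0f4bc39d229c5999",
    "9ece783ac52c9ec2f6bdfa669763a7ed1bbb24af1e04e029a0a91954582690cf",
    "589e22005aa166b207a7aa7384dd3c7f90b71775688e587108801c3894a43358",
    "486a9a79bbb81abee2e81679ace6267c3f3e37d9b8c8074f9ec7aebc9be75cdd",
    "07183a60ebcb02546c53e82d92da3ddcf447d7a1438496c4437ec06b4d9eb287",
    "de6f9e9e2ce58a604fe22a9d42144191cfc90b4e0048dffcc69d696826ff7170",
    "000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923",
    "4343fa4e313a61f10de08fa5b1b8acb98589faf5739ab5b606f540983b630f79",
    "9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c",
    "fd9e8fcc5bda88870b12b47cbb1cc8775ccff285f980c4a2b683463b26e36bf0",
    "1c218d15b35b79d762b966db8bc2ca90fc62a95903bd78ac85648de1d828dbce",
    "6e065f1e4d1d8232da5de830d270a13fff8284a91e81c060377ebe66aa75d81d",
    "0f5f0a3ac843df675168f82021c24180ea22f764f87f82f9f77fe8f0ba0b7132",
    "10f86be3e564f2e463e45420eb5f9fbdb14f7427eac665cd9cc7901efbc4cc59",
    "34170bda5eb84d737577096438a776a968cb36eff88817f12317edcb9d144b35",
    "9e3a9dbf10793a27361b3cef4d2c87dbd3662646f4470e5242074df4cb96c6b4",
    "ad8a819d7b68905fa6a8425295755c329504dd0bb48b2fba8dd17e54562b0c6f",
    "8de446957ce96826628c88da9fd4e7ff9d6327d8004afc4e9e86d59e7d6948dc",
    "0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd",
    "b9be6b0ac414ac2a033c17c3ac649417e97e5d0580db796a8ff55169299de50e",
    "5e820d8b2bd139b3018574c349cd48ce77e7b31cf85e9462712167fcab99b30a",
    "cde5afd20b7bb5c9457b68e02c13094125025fb974df425020361303dc6fcdfc",
    "f08e88c7397443e35697e145887af2683a83d2415ccd0c7536cea09e35da9ef7",
    "8563eecbc85a0c43b689b9d9f31fe5977e630c276dee0d7dbfe1a47ab1ab4550",
    "36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670",
    "d5c0b89e1dfbe9f5e5b2c3f745af895a36adf772f0b72a22052ae6dfa045cea6",
    "a69e89a62203b8f2f89ec12a13e46c71b6b4d505deb19527ff73fd002df9bc6b",
))

# Field names mirror the ones used in the detection queries above.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def match_record(record):
    """Return [(field, normalized_value, ioc_type), ...] for one log record.

    Hash values are lowercased before lookup because EDR and AV products
    disagree on hex case; IPs are only whitespace-stripped.
    """
    hits = []
    for field in IP_FIELDS:
        value = record.get(field)
        if isinstance(value, str) and value.strip() in IOC_IPS:
            hits.append((field, value.strip(), "ip"))
    for field in HASH_FIELDS:
        value = record.get(field)
        if isinstance(value, str) and value.strip().lower() in IOC_SHA256:
            hits.append((field, value.strip().lower(), "sha256"))
    return hits


def scan(records):
    """Scan an iterable of records; return [(record_id, hits), ...] for matches only."""
    findings = []
    for idx, record in enumerate(records):
        hits = match_record(record)
        if hits:
            findings.append((record.get("id", f"record-{idx}"), hits))
    return findings


# Constructed sample records (not real telemetry); the hostname is made up.
SAMPLE_RECORDS = [
    {"id": "fw-001", "srcipaddress": "10.0.0.15", "dstipaddress": "185.235.241.208"},
    {"id": "edr-002", "hostname": "dev-laptop-7",
     "sha256hash": "E0568196F1494137A5BBEE897A37BC4FE15F87175B57A30403450A88486190C4"},
    {"id": "fw-003", "srcipaddress": "10.0.0.22", "dstipaddress": "8.8.8.8"},
    {"id": "edr-004", "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_RECORDS):
        for field, value, kind in hits:
            print(f"{record_id}: {field}={value} matched {kind} IoC")
```

    Running the script reports fw-001 (destination IP match) and edr-002 (hash match despite the uppercase value); the other two records produce no hit. Swap SAMPLE_RECORDS for records parsed from your own exports to reuse the matcher.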

    Reference: 

    https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/

    Tags

    Malware, APT, Information Technology
