
BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

2025-04-02, Ahnlab
https://asec.ahnlab.com/en/87299/
#BeaverTail #Tropidoor

On November 29, 2024, a case was disclosed in which threat actors distributed malware through an email impersonating a recruitment message from the developer community Dev.to. [1] In this case, the attacker sent a BitBucket link to a project; the victim discovered malicious code inside the project and disclosed it to the community. The project contained BeaverTail, malware disguised as a file named “tailwind.config.js,” together with a downloader malware named “car.dll”.
Figure 1. Attack disclosed in the developer community
Although the link can no longer be downloaded, VirusTotal holds compressed archives that include the “car.dll” downloader and BeaverTail. Analysis of these files confirmed execution logs of “car.dll” and the presence of BeaverTail in South Korea. BeaverTail is known to be used by North Korean threat actors to steal information and download additional payloads.
The “car.dll” downloader is characterized by implementing Windows commands internally, similar to the LightlessCan malware of …