Detecting and responding to InvisibleFerret with Wazuh

2025-05-09, Wazuh
https://wazuh.com/blog/detecting-and-responding-to-invisibleferret-with-wazuh/
#InvisibleFerret

InvisibleFerret is a Python-based backdoor malware that affects both Windows and Linux endpoints. It is used in targeted campaigns by North Korean threat actors, particularly the notorious Lazarus Group. This malware is deployed through advanced social engineering tactics, often disguised as part of legitimate job recruitment processes. Threat actors impersonate recruiters and lure victims (primarily professionals in the technology, financial, and cryptocurrency sectors) into downloading malicious files. These files are cleverly masked as coding challenges, video conferencing software, or dependency packages, making them appear harmless and credible.
InvisibleFerret is delivered as a second-stage payload by BeaverTail, a JavaScript-based loader and stealer. Once installed, it exhibits a wide range of malicious capabilities, including geolocation tracking, file exfiltration via FTP and Telegram Bots, keylogging, and clipboard monitoring.
In this blog post, we demonstrate how Wazuh can be configured to detect and mitigate the threat posed by InvisibleFerret on Linux endpoints.
InvisibleFerret malware behavior
Below are some of …