Group-IB researchers noticed a Windows version of BeaverTail, which was attributed to Lazarus
Group-IB researchers noticed a Windows version of #BeaverTail, which was attributed to #Lazarus. We also discovered that the #javascript version of BeaverTail is now being distributed through trojanised games built with ReactJS and distributed as an NPM-based package.
On Windows, BeaverTail appears as a trojanised conferencing app named FCCCall.exe. This aligns with the previous pattern, in which they #trojanised the MiroTalk application. This activity likely took place in late July to early August.
The main functionality of BeaverTail doesn't differ much from its other variants: it exfiltrates #crypto wallet information and retrieves and executes the next stage, InvisibleFerret. They increased the number of targeted browser extensions by adding Kaikas, Rabby, Argent X and Exodus Web3.
#BeaverTail indicators: