InvisibleFerret Malware: Technical Analysis

2025-01-21, AnyRun
https://any.run/cybersecurity-blog/invisibleferret-malware-analysis/
#InvisibleFerret #BeaverTail

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.
Recently, during October and November, we observed a rise in North Korean activity employing a well-known and distinctive technique: staging job interview processes to spread multiple malware families.
This signature technique was previously used to distribute QRLog and Docks/RustDoor, and is now delivering BeaverTail and InvisibleFerret. In this first article, we will conduct a technical dissection of the latter.
The Beaver
These malicious components do not simply appear randomly among the files of questionable pirated software, lying in wait for their victim. Instead, they are part of an organized effort targeting the technological, financial, and cryptocurrency sectors, with developers as the primary focus. By staging fake job interviews, threat actors aim to spread malware disguised either as coding challenges (or their dependencies) or video call software, in a campaign now …

IoC

http://147.124.214.129:1244/pdown
http://147.124.214.129:1244/keys
http://147.124.214.129:1244
http://147.124.214.129
http://173.211.106.101:1245/adc
http://173.211.106.101:1245/brow
http://173.211.106.101:1245/bow
http://173.211.106.101:1245
http://173.211.106.101
173.211.106.101
147.124.214.129
6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0
47830f7007b4317dc8ce1b16f3ae79f9f7e964db456c34e00473fba94bb713eb