Cybersecurity researchers disclosed a concerning malware campaign targeting developers through fake recruitment emails.
Threat actors impersonated the developer community Dev.to and distributed malicious payloads via a BitBucket link.
The attackers lured victims with promises of lucrative job opportunities, such as a “Software Engineer, Full Stack position at AutoSquare.”
Upon accessing the linked project, victims discovered malware embedded within files disguised as legitimate resources.
The malicious components included BeaverTail, a JavaScript-based infostealer masquerading as “tailwind.config.js,” and a downloader malware named car.dll.
BeaverTail: A Versatile Infostealer
BeaverTail is a highly obfuscated JavaScript malware designed for credential theft and downloading additional payloads.
It specifically targets web browsers to extract sensitive information like login credentials and cryptocurrency wallet data.
This malware has been linked to North Korean threat actors, particularly the Lazarus group, known for leveraging phishing attacks disguised as job offers on platforms like LinkedIn.
BeaverTail operates by executing routines that steal information and upload it to command-and-control (C&C) servers.
Additionally, it downloads secondary malware like InvisibleFerret, enhancing its capabilities.
The malware’s obfuscation techniques make it difficult to detect, allowing it to blend seamlessly into legitimate JavaScript files.
In this case, execution logs showed BeaverTail running on systems in South Korea, indicating that the campaign's reach extends well beyond the attackers' home region.
The car.dll downloader facilitates the deployment of Tropidoor, a sophisticated backdoor that operates entirely in memory.
Upon execution, Tropidoor decrypts data and connects to multiple C&C servers.
It collects system information, generates encryption keys using RSA public key cryptography, and transmits this data back to the attacker-controlled servers.
Communication between Tropidoor and C&C servers involves parameters such as “tropi2p” for system info and “gumi” for encrypted keys.
Tropidoor can execute various commands received from C&C servers, including file manipulation, process execution, system information gathering, and even basic Windows commands like “schtasks,” “ping,” and “reg.”
According to the report, these functionalities are reminiscent of the Lazarus group’s LightlessCan malware.
Notably, Tropidoor employs Base64 encoding for secure communication and uses random session IDs during its interactions with C&C servers.
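The parameter names above give defenders a simple network-side signal. The following is an added example (not code from the report or its authors): a small Python scanner that reads constructed proxy-log lines and flags POST requests carrying the "tropi2p" or "gumi" parameter names, checking whether their values are Base64. The log line format, the hosts and all values are assumptions.

```python
"""Added example: flag HTTP POSTs that use Tropidoor's reported C&C parameter names."""
import base64
import binascii
import re
from urllib.parse import parse_qs

# Parameter names from the report: "tropi2p" carries system info, "gumi" the encrypted key.
TROPIDOOR_PARAMS = {"tropi2p", "gumi"}

# Assumed log format: "<timestamp> <src_ip> <method> <url> body=<urlencoded body>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+) (\S+) body=(.*)$")


def is_base64(value: str) -> bool:
    """True if value is non-empty, padded Base64 (Tropidoor Base64-encodes its traffic)."""
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(value) and len(value) % 4 == 0


def scan_line(line: str):
    """Return a finding dict when the line looks like Tropidoor C&C traffic, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, body = m.groups()
    if method != "POST":
        return None
    params = parse_qs(body, keep_blank_values=True)
    hits = sorted(TROPIDOOR_PARAMS & params.keys())
    if not hits:
        return None
    b64_ok = all(is_base64(v) for p in hits for v in params[p])
    return {"time": ts, "src": src, "url": url, "params": hits, "base64_values": b64_ok}


def scan_log(lines):
    """Scan an iterable of log lines and return all findings."""
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample log lines (not real traffic; 203.0.113.9 is a documentation address).
SAMPLE_LOG = [
    "2025-04-02T09:00:01Z 10.0.0.5 GET http://example.test/index.html body=",
    "2025-04-02T09:00:07Z 10.0.0.5 POST http://203.0.113.9/Proxy.php body=tropi2p=QUJD&gumi=REVGRw%3D%3D",
    "2025-04-02T09:00:09Z 10.0.0.7 POST http://example.test/login body=user=bob&pass=x",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A real deployment would feed decrypted proxy or web-server logs into scan_log and correlate hits with the host that made the request.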
Indicators of Compromise (IoCs)
Installation Path
%SystemDrive%\0_***workfile\_work\autosquare\autopart\car.dll
This campaign highlights the increasing sophistication of phishing attacks targeting developers and job seekers globally.
By disguising malware within seemingly legitimate files shared through trusted platforms like BitBucket, attackers exploit victims’ trust in developer communities.
North Korean threat actors continue to refine their social engineering tactics while deploying advanced malware like BeaverTail and Tropidoor to steal sensitive information and establish persistent access to compromised systems.
To mitigate risks:
- Avoid opening email attachments or links from unknown sources.
- Regularly update antivirus software.
- Monitor system logs for unusual activity related to the IoCs listed above.
Remaining vigilant against unsolicited communications is essential in combating these evolving threats.