Lazarus Hackers Lure Job Seekers with JavaScript Malware

The Lazarus Group’s ongoing cyber campaign has seen a surge in activity this year, with the BeaverTail malware playing a central role, which has evolved to target various platforms, including Windows, macOS, and Node.js. 

Lazarus has been using deceptive tactics like fake job interviews and fraudulent video conferencing applications to distribute BeaverTail, which further downloads the InvisibleFerret Python backdoor. 

Recent updates to the CivetQ threat actor’s toolkit have introduced new tactics and expanded their targeting scope as the actor now employs a fraudulent video conferencing app called FCCCall to lure victims into malicious activity. 

Additionally, CivetQ has expanded its data exfiltration methods to include Telegram and has enhanced the stealthiness of its malicious code. 

Chain of events leading to compromise.

The actor has also broadened its targeting to include browser extensions like Authenticator, WinAuth, Proxifier, password managers, note-taking applications, and cryptocurrency wallets. 

CivetQ has been actively developing and updating its tools, including BeaverTail, InvisibleFerret, and the Python scripts comprising CivetQ, while Lazarus has expanded its targeting tactics to include job portals beyond LinkedIn. 

They lure potential victims with job offers on platforms like WWR, Moonlight, and Upwork, then entice them to download malicious software under the guise of technical interviews, which, disguised as video conferencing applications or Node.js projects, contain malware designed to compromise victims’ systems.

Lazarus has also begun targeting gaming-related repositories with similar tactics, injecting malicious JavaScript into code repositories.

Screenshot of the cloned website.

BeaverTail is a cross-platform malware that targets Windows and macOS by infecting users through a fake video conferencing application and steals credentials from browsers, browser extensions, cryptocurrency wallets, and credential vaults. 

The latest version of BeaverTail (Windows) is a Windows Installer file that installs a fake video conferencing application named FCCCall and then downloads a Python executable and the next-stage payload, InvisibleFerret. 

BeaverTail (Python) has implemented other functionalities, such as establishing persistence and configuring AnyDesk, which also fetches several Python scripts that steal data from browsers, browser extensions, cryptocurrency wallets, credentials vaults, clipboards, and Microsoft Sticky Notes.  

Different obfuscation used in InvisibleFerret’s ‘pay’ script.

Group-IB’s malware detonation platform allows for the analysis of malicious software in a controlled environment. By executing samples like BeaverTail, they can observe critical processes like python.exe and tar.exe being spawned. 

This dynamic analysis provides valuable insights into the malware’s behavior, including its execution flow and potential actions. The platform’s video feature further enhances understanding by visually demonstrating the malware’s activities during runtime. 

Snippet of targeted data.

Lazarus Group has intensified its cyberattacks targeting job seekers, employing more sophisticated techniques and expanding its reach. The group’s persistent campaign, which began in 2024, continues to evolve, with attackers using creative tactics to evade detection and compromise systems. 

To mitigate the risks associated with these attacks, individuals should exercise caution when dealing with recruiters, verify the authenticity of job offers, and employ robust cybersecurity measures, including antivirus and anti-malware software, to protect against malicious activities.

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here