eSentire’s Threat Response Unit investigated a supply-chain-style incident in which a software developer downloaded a BitBucket JavaScript project containing BeaverTail, which in turn deployed InvisibleFerret, resulting in credential theft and data exfiltration. The SOC isolated the host, remediated the infection, and recommended EDR deployment and security awareness improvements. #BeaverTail #InvisibleFerret
Keypoints
- eSentire’s 24/7 TRU and SOC analysts detected and responded to a targeted infection affecting a software developer.
- The initial access vector was a ZIP file downloaded from a BitBucket project that contained malicious JavaScript.
- BeaverTail executed JavaScript payloads which then deployed InvisibleFerret to steal browser credentials and sensitive data.
- Malicious activity included execution via Node Package Manager (NPM) and communication with a remote command-and-control server.
- The campaign was linked to North Korean threat actors targeting developers and software supply chains.
- eSentire isolated the affected host rapidly and provided actionable remediation and hardening recommendations.
- Recommended mitigations include EDR deployment, patching, credential hygiene, and developer security awareness training.
MITRE Techniques
- [T1071] Initial Access – Malicious ZIP file downloaded from a BitBucket project.
- [T1203] Execution – Execution of malicious JavaScript files via Node Package Manager (NPM).
- [T1003] Credential Access – Stealing browser credentials through the InvisibleFerret malware.
- [T1041] Exfiltration – Uploading sensitive files to a command and control server.
- [T1071] Command and Control – Utilizing a command and control server for communication with compromised systems.
Indicators of Compromise
- [domain] Download/source domains observed – freelancermap.com, bitbucket.org
- [ip address] Command-and-control infrastructure – 185.235.241.208
- [file name] Malicious archive and scripts used in the intrusion – task-space-eshop-aeea6cc51a7c.zip, error.js, and 5 other items
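As an added example (not part of eSentire’s report), the following Python sweep matches the indicators listed above against proxy, EDR and firewall log lines. The indicator values are taken from the IoC list; the log formats, host names and the BitBucket URL path are constructed placeholders, and the per-indicator fidelity labels are an assumption added here. Note that bitbucket.org and freelancermap.com are legitimate services, so a hit on them only shows where the project came from and is not evidence of compromise on its own, whereas the C2 address and the archive name are specific to this intrusion.

```python
"""IoC sweep for the BeaverTail/InvisibleFerret case described above.

Added example: indicator values come from the summary's IoC list; the sample
log lines, their formats and the fidelity labels are constructed/assumed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators as listed in the summary.
DOWNLOAD_DOMAINS = {"freelancermap.com", "bitbucket.org"}   # legitimate services: context only
C2_IPS = {"185.235.241.208"}
FILE_NAMES = {"task-space-eshop-aeea6cc51a7c.zip", "error.js"}

# Tactic label for each indicator kind, as the summary itself groups them.
CATEGORY = {"domain": "Initial Access", "ip": "Command and Control", "file": "Execution"}

# Assumed fidelity: the C2 IP and the archive name are specific to this
# intrusion; the domains and a generic name like error.js are not.
FIDELITY = {
    "185.235.241.208": "high",
    "task-space-eshop-aeea6cc51a7c.zip": "high",
    "error.js": "low",
    "bitbucket.org": "low",
    "freelancermap.com": "low",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str          # "domain", "ip" or "file"
    indicator: str
    category: str      # tactic label from CATEGORY
    fidelity: str      # "high" or "low" from FIDELITY


# Hostnames (also matches subdomains such as api.bitbucket.org), IPv4 literals,
# and .zip/.js basenames regardless of the directory separator in front of them.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FILE_RE = re.compile(r"(?<![\w.-])([\w.-]+\.(?:zip|js))(?![\w.-])", re.I)


def _matched_domain(host: str) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for dom in DOWNLOAD_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def sweep(lines: Iterable[str]) -> List[Hit]:
    """Scan log lines and return one Hit per (line, kind, indicator)."""
    hits: List[Hit] = []
    seen = set()

    def add(line_no: int, kind: str, indicator: str) -> None:
        key = (line_no, kind, indicator)
        if key not in seen:
            seen.add(key)
            hits.append(Hit(line_no, kind, indicator, CATEGORY[kind], FIDELITY[indicator]))

    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            dom = _matched_domain(host)
            if dom:
                add(n, "domain", dom)
        for ip in IPV4_RE.findall(line):
            try:
                if str(ipaddress.ip_address(ip)) in C2_IPS:   # rejects 999.1.1.1 etc.
                    add(n, "ip", ip)
            except ValueError:
                continue
        for name in FILE_RE.findall(line):
            if name.lower() in FILE_NAMES:
                add(n, "file", name.lower())
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per indicator kind."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


def high_fidelity(hits: Iterable[Hit]) -> List[Hit]:
    """Hits worth paging on: those backed by intrusion-specific indicators."""
    return [h for h in hits if h.fidelity == "high"]


# Constructed sample logs (formats, user/host names and URL path are placeholders).
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z proxy user=dev01 method=GET url=https://bitbucket.org/EXAMPLE-WORKSPACE/EXAMPLE-REPO/downloads/task-space-eshop-aeea6cc51a7c.zip status=200",
    '2024-05-01T09:15:41Z edr host=DEV01 proc=node.exe cmdline="node C:\\Users\\dev01\\Downloads\\task-space-eshop\\error.js" parent=npm.cmd',
    "2024-05-01T09:15:52Z fw host=DEV01 action=allow dst=185.235.241.208 dport=443 proto=tcp",
    "2024-05-01T09:16:10Z proxy user=dev01 method=GET url=https://registry.npmjs.org/express status=200",   # benign
    "2024-05-01T09:17:00Z fw host=DEV01 action=allow dst=185.235.241.2 dport=443 proto=tcp",              # near-miss prefix
]

if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind}={h.indicator} [{h.category}, {h.fidelity} fidelity]")
    print("summary:", summarize(found))
```

On the constructed lines this yields four hits (the BitBucket domain and the archive name on the proxy line, error.js on the EDR line, and the C2 address on the firewall line), of which only the archive name and the C2 address are high-fidelity; the near-miss address sharing a prefix with the C2 IP and the npm registry fetch produce nothing.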