Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

Void Dokkaebi, also tracked as Famous Chollima, has updated InvisibleFerret by moving it from readable Python scripts to Cython-compiled native extension modules, distributed as .pyd files on Windows and .so files on macOS, which sidesteps detections keyed on Python source. The campaign also splits BeaverTail into multiple overlapping modules for credential theft, backdoor access, and trojanized wallet-extension installation. Because Cython compiles rather than encrypts, defenders can still recover useful artifacts and C2 clues from the binaries through string and symbol analysis.

Keypoints

  • Void Dokkaebi, a North Korea-aligned intrusion set, is using Cython to convert InvisibleFerret from Python scripts into native extension binaries.
  • The malware is now distributed as .pyd files on Windows and .so files on macOS, reducing the effectiveness of script-only detections.
  • BeaverTail has evolved into multiple variants with overlapping capabilities, including downloader, backdoor, browser-stealer, and wallet-trojanization functions.
  • The campaign targets software developers, cryptocurrency users, and organizations with access to wallet credentials, signing keys, CI/CD pipelines, and production systems.
  • Attackers use layered obfuscation methods such as array shuffling, junk-byte Base64 encoding, XOR encryption, and split-and-swap IP encoding.
  • Defenders can still extract useful artifacts from the binaries, including module names, build paths, embedded strings, and some C2 information.
  • The mc.so component targets wallet extensions such as MetaMask, Coinbase Wallet, and Phantom and can downgrade Chrome on macOS to retain Manifest V2 support.

MITRE Techniques

  • [T1059.006 ] Command and Scripting Interpreter: Python – The infection chain writes a Python execution script (the .mod file) that imports and runs the Cython-compiled InvisibleFerret module (‘the infection chain generates a Python execution script to run the Cython-obfuscated InvisibleFerret’).
  • [T1027 ] Obfuscated Files or Information – Cython compilation hides the source; data is further protected with Base64 padded by junk bytes that must be stripped before decoding, XOR encryption, array shuffling, and zlib-compressed string storage (‘obfuscated using Cython’, ‘XOR-encrypted’, ‘Zlib-compressed’).
  • [T1562.001 ] Impair Defenses: Disable or Modify Tools – Downgrades Chrome on macOS to a build that still loads Manifest V2 extensions, sidestepping Chrome's MV2 deprecation so the trojanized wallet extensions keep working (‘they downgrade Chrome to a version that still supports Manifest V2’).
  • [T1070.004 ] Indicator Removal: File Deletion – One module deletes its execution Python script after use to hide traces (‘At present, only mc.so deletes its execution Python script’).
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Not directly evidenced. The page only states that a module writes Python scripts pad0 and brw0 to launch the next-stage payloads (‘creates Python scripts pad0 and brw0 for executing the next-stage payloads’); it does not say those scripts are registered for logon execution. Treat this as a hypothesis to confirm on a live sample before building detections on it.
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – Likewise not directly evidenced; the same script-creation behaviour is the only supporting text, and no task creation is described.
  • [T1082 ] System Information Discovery – Collected OS and network information and geolocation data (‘collects system and network information’, ‘gather geolocation data based on the IP address’).
  • [T1083 ] File and Directory Discovery – Implied rather than quoted: the browser-stealer and wallet modules must locate browser profile and extension directories to steal stored data and replace extensions. (The quoted text, ‘searching the binary could uncover embedded string references to source files’, describes the analyst's work on the binary, not malware behaviour on the host.)
  • [T1518 ] Software Discovery – Targeted browser versions, extensions, and wallet-related software (‘downloads and installs trojanized browser extensions’, ‘downgrade the version of Chrome’).
  • [T1057 ] Process Discovery – Inferred only; the page's ‘collects system and network information’ does not name process enumeration, so confirm this on a sample before relying on it.
  • [T1555.003 ] Credentials from Password Stores: Credentials from Web Browser – Stole browser credentials, passwords, and wallet data (‘Steals information stored in web browsers’, ‘steals … passwords’).
  • [T1056.001 ] Input Capture: Keylogging – Keylogging was included in the malware capabilities (‘clipboard monitoring, keylogging’).
  • [T1115 ] Clipboard Data – Monitored clipboard contents to capture sensitive data (‘clipboard monitoring’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – Contacted web services such as ip-api for geolocation and used HTTP-based C2 traffic (‘accesses hxxp://ip-api[.]com/json’).
  • [T1105 ] Ingress Tool Transfer – Next-stage payloads (InvisibleFerret, the trojanized extensions, the Chrome downgrade package) are downloaded over the C2's HTTP paths and executed (‘Downloads … InvisibleFerret’, ‘downloads and executes’). Note that this is HTTP download, not a file-transfer protocol, so T1071.002 (FTP/TFTP) does not apply.
  • [T1219.002 ] Remote Access Software: Remote Desktop Software – Used AnyDesk-related components and backdoor execution behavior (‘configure the AnyDesk execution environment’, ‘backdoor capabilities’).
  • [T1614 ] System Location Discovery – Queries a public geolocation API to learn where the victim is (‘accesses hxxp://ip-api[.]com/json’, ‘gather geolocation data based on the IP address’). This is a lookup against a legitimate service, not a dead-drop resolver for C2 addresses.
  • [T1571 ] Non-Standard Port – The C2 port is passed alongside the encoded IP rather than hard-wired (‘passing … a port number’); the page does not state which port is used, so whether it is non-standard is unconfirmed.
  • [T1041 ] Exfiltration Over C2 Channel – Stolen browser data, passwords, credit card details and wallet data are sent back over the same C2 workflow the infection chain uses (‘C&C server’, ‘downloads and executes’). The page gives no evidence of a separate exfiltration protocol, so T1048 (Exfiltration Over Alternative Protocol) is not supported by the text.

Indicators of Compromise

  • [File names ] Cython modules and execution scripts used in the infection chain – mod.pyd, pad.so, .mod
  • [File names ] Next-stage payload and browser-stealer components – pad0, brw0, mc.so
  • [URL paths ] Payload download paths and geolocation lookup – /clw/{sType}, /clw1/{sType}, hxxp://ip-api[.]com/json
  • [IP address ] Decoded C2 destination – 45[.]59[.]160[.]199. The hex string 91d840f599206f13 is an encoded value as it appears in the sample (the page's split-and-swap/XOR scheme), not an IP address; do not add it to IP blocklists as-is.
  • [Domains ] Legitimate third-party service contacted for geolocation – ip-api[.]com. It is not attacker-controlled, so use it as a correlation signal (an unexpected Python process querying it) rather than a block rule.
  • [File paths ] Hunting paths for dropped artifacts – .vscode\mod.pyd (Windows), /.vscode/mod.so (macOS)
  • [Browser extensions / wallet targets ] Trojanized extension targets – MetaMask, Coinbase Wallet, Phantom
  • [Build paths ] macOS compilation artifact paths embedded in binaries – /Users/administrator/Pictures/Work/py_module_work/build/temp.macosx-10.13-universal2-cpython-312/mod.o, /Users/administrator/Pictures/Work/py_module_work/build/temp.macosx-10.13-universal2-cpython-312/pad.o
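The artifact recovery described in the Keypoints (module names, build paths, embedded strings) and the dropped-file paths in the IoC list can be turned into a single triage-and-hunt script. The following Python is an added example and not code from the Trend Micro write-up: the naming conventions it matches (the PyInit_<module> entry point, Cython's __pyx_/__Pyx_ symbols and its length-prefixed name mangling, setuptools' build/temp.<platform>/ object paths) are general CPython/Cython facts that hold only when the binary has not been symbol-stripped; the byte blob SAMPLE_SO is constructed to stand in for a string table, using the build path, URL, file names and encoded value from the page.

```python
import re
import tempfile
from pathlib import Path

# Fingerprints of an unstripped CPython extension built with Cython. These are
# general facts about CPython/Cython naming, not specific to this campaign:
#   - CPython imports a .pyd/.so by calling PyInit_<module> (Mach-O symbols
#     carry a leading underscore, hence the optional "_").
#   - Cython mangles module-level functions as __pyx_pf_<len><module>_<func>,
#     and its runtime helpers start with __Pyx_.
_INIT_RE = re.compile(rb"_?PyInit_([A-Za-z_][A-Za-z0-9_]*)")
_MANGLED_RE = re.compile(rb"__pyx_p?[fw]_(\d+)([A-Za-z0-9_]+)")
_PYX_RE = re.compile(rb"__[Pp]yx_[A-Za-z0-9_]+")
# Compiler build paths: setuptools writes objects under build/temp.<platform>/.
_BUILD_RE = re.compile(
    rb"(?:/Users/|/home/|[A-Za-z]:\\)[^\x00\s]*?build[/\\]temp\.[^\x00\s]*?\.(?:obj|o)\b"
)
_SRC_RE = re.compile(rb"[A-Za-z0-9_./\\-]+\.pyx?\b")  # embedded .py/.pyx names
_URL_RE = re.compile(rb'https?://[A-Za-z0-9.\-]+(?:/[^\x00\s"]*)?')
_IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Dropped-file names taken from the page's IoC list.
SUSPICIOUS_NAMES = {"mod.pyd", "mod.so", "pad.so", "mc.so", "pad0", "brw0"}


def _uniq(regex, data, group=0):
    return sorted({m.group(group).decode("utf-8", "replace") for m in regex.finditer(data)})


def triage_cython_binary(data: bytes) -> dict:
    """Pull analyst-useful artifacts out of the raw bytes of a .pyd/.so.

    Caveat: the C2 address is stored encoded (XOR / split-and-swap per the
    page), so it will not appear as an IPv4 literal; an empty ipv4_literals
    list is expected and the decoding step still has to be done by hand.
    """
    names = set(_uniq(_INIT_RE, data, 1))
    for m in _MANGLED_RE.finditer(data):          # recover module name from mangling
        length = int(m.group(1))
        names.add(m.group(2)[:length].decode("utf-8", "replace"))
    pyx_symbols = _uniq(_PYX_RE, data)
    return {
        "is_cython": bool(pyx_symbols),
        "module_names": sorted(names),
        "cython_symbols": pyx_symbols,
        "build_paths": _uniq(_BUILD_RE, data),
        "source_refs": _uniq(_SRC_RE, data),
        "urls": _uniq(_URL_RE, data),
        "ipv4_literals": _uniq(_IPV4_RE, data),
    }


def hunt(root: Path) -> list:
    """Walk `root` and triage native Python modules under any .vscode
    directory, plus any file whose name is on the dropped-file list."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        under_vscode = ".vscode" in path.parts and path.suffix in (".pyd", ".so")
        if under_vscode or path.name in SUSPICIOUS_NAMES:
            hits.append({"path": str(path), **triage_cython_binary(path.read_bytes())})
    return hits


# Constructed stand-in for the string table of a Cython-built mod.so. The build
# path and URL are the page's indicators, the symbols follow the mangling above,
# and the last entry is the encoded value the page lists (not a decodable IP).
SAMPLE_SO = b"\x00".join([
    b"\xcf\xfa\xed\xfe",                      # Mach-O magic, for looks only
    b"_PyInit_mod",
    b"__pyx_pf_3mod_run",
    b"__Pyx_AddTraceback",
    b"mod.pyx",
    b"/Users/administrator/Pictures/Work/py_module_work/build/temp.macosx-10.13-universal2-cpython-312/mod.o",
    b"http://ip-api.com/json",
    b"91d840f599206f13",
]) + b"\x00"


def hunt_demo() -> list:
    """Plant SAMPLE_SO as .vscode/mod.so in a scratch tree and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / ".vscode"
        vscode.mkdir()
        (vscode / "mod.so").write_bytes(SAMPLE_SO)
        (vscode / "settings.json").write_bytes(b"{}")  # benign neighbour, must not hit
        return hunt(Path(tmp))


if __name__ == "__main__":
    for hit in hunt_demo():
        for key, value in hit.items():
            print(f"{key}: {value}")
```

Run it against a real user profile with `hunt(Path.home())`. The symbol-based checks go quiet on a stripped binary, but the build path, .pyx name and URL strings are data rather than symbols and usually survive stripping, which is why the triage reports each category separately instead of a single verdict.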

Read more: https://www.trendmicro.com/en_us/research/26/e/analyzing-void-dokkaebi-invisibleferret-malware.html