eSentire’s Threat Response Unit investigated a security incident involving BeaverTail malware that a user downloaded from a malicious GitHub repository. The malware attempted to fetch components of the InvisibleFerret backdoor but was blocked by endpoint security, underscoring the risks of unverified software sources and the importance of robust endpoint defenses. #BeaverTail #InvisibleFerret #Lazarus #ContagiousInterview #NorthKorean #GitHub
Key points
- eSentire operates 24/7 Security Operations Centers (SOCs) staffed with elite threat hunters and cyber analysts.
- The TRU team provides summaries of threat investigations and responses to confirmed threats.
- In September 2024, a user downloaded a malicious NFT marketplace project, leading to the discovery of BeaverTail malware.
- The malware attempted to download components of the InvisibleFerret backdoor but was blocked by endpoint security.
- The incident was linked to North Korean threat actors targeting software developers.
- eSentire’s SOC identified suspicious command lines and took immediate action to isolate the affected host.
- Recommendations include enhancing endpoint security and educating users about risks associated with unverified software.
MITRE Techniques
- [T1071.001] Initial Access – Downloading BeaverTail from a GitHub repository after being tricked into obtaining software from unverified sources. [‘Users may be tricked into downloading malicious software from unverified sources, such as GitHub.’]
- [T1071] Command and Control – Malware may attempt to communicate with a command and control server to download additional payloads. [‘Malware may attempt to communicate with a command and control server to download additional payloads.’]
- [T1203] Execution – Malicious scripts or executables may be executed on the victim’s machine after being downloaded. [‘Malicious scripts or executables may be executed on the victim’s machine after being downloaded.’]
- [T1562] Defense Evasion – Malware may attempt to evade detection by using encoded scripts or obfuscation techniques. [‘Malware may attempt to evade detection by using encoded scripts or obfuscation techniques.’]
Indicators of Compromise
- [File] nft_marketplace-main.zip and test.js – context: BeaverTail artifacts downloaded and executed as part of the incident
- [File] encoded .npl Python script – context: encoded script intended to download InvisibleFerret components
- [Network] HTTP GET pattern – context: observed communication patterns such as p.zi and :1224/pdown
- [URL] GitHub repository hosting nft_marketplace-main – context: source of the BeaverTail payload
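The two network indicators above (requests to `:1224/pdown` and for the `p.zi` resource) are the kind a SOC would sweep proxy logs for. The script below is an added example, not code from eSentire or the report: it parses constructed proxy log lines (hosts, IPs and timestamps are placeholders) and flags only GETs where the port and path both match, so a `/pdown` path on some other port is not a hit.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicator values taken from the IoC list above; everything in the
# sample log (IPs, hosts, timestamps) is constructed for this example.
PDOWN_PORT = 1224
PDOWN_PATH = "/pdown"
PY_ZIP_NAME = "p.zi"

# Constructed proxy log: "<timestamp> <src-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-09-10T14:02:11Z 10.0.0.5 GET http://198.51.100.7:1224/pdown 200
2024-09-10T14:02:13Z 10.0.0.5 GET http://198.51.100.7:1224/p.zi 200
2024-09-10T14:03:40Z 10.0.0.9 GET https://registry.npmjs.org/left-pad 200
2024-09-10T14:05:02Z 10.0.0.5 GET http://198.51.100.7:1224/pdown 200
2024-09-10T14:06:00Z 10.0.0.12 GET http://intranet.example/pdown 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def url_matches_beavertail(url: str) -> Optional[str]:
    """Return the name of the indicator the URL matches, or None."""
    parts = urlsplit(url)
    # ":1224/pdown": port AND path must both match, so a bare /pdown on
    # another port (last sample line) is not reported.
    if parts.port == PDOWN_PORT and parts.path == PDOWN_PATH:
        return "pdown"
    # "p.zi": compare the requested resource name, whatever the prefix.
    if parts.path.rsplit("/", 1)[-1] == PY_ZIP_NAME:
        return "p.zi"
    return None


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one record per GET request that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        ts, src, method, url, _status = m.groups()
        tag = url_matches_beavertail(url) if method == "GET" else None
        if tag:
            hits.append({"ts": ts, "src": src, "url": url, "indicator": tag})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

On the sample log this reports three hits, all from 10.0.0.5, which is the host an analyst would isolate first.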
Read more: https://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure