BeaverTail is a new macOS stealer attributed to DPRK that masquerades as the MiroTalk meeting app to steal data, log keystrokes, and install remote access software (AnyDesk). The analysis covers its infection vector, capabilities, IOCs, and defensive recommendations.
#BeaverTail #MiroTalk #InvisibleFerret #DPRK #NorthKoreanThreatActors #Keychain #AnyDesk
Key Points
- BeaverTail is a Mac malware linked to DPRK that disguises itself as MiroTalk to target users.
- The infection vector involves a trojanized MiroTalk.dmg hosted on mirotalk.net (a clone of meet.no42.org) delivered via social-engineering tactics.
- The malware steals data from browsers, performs keylogging, and facilitates installation of AnyDesk for remote access.
- Static and dynamic analyses reveal an unsigned macOS app (Jami) packaged with Qt/QMake, capable of exfiltration and second-stage payload delivery.
- BeaverTail communicates with a C2 server at 95.164.17.24:1224 and attempts to download additional payloads (e.g., Python-based backdoors like InvisibleFerret).
- IOCs include a single SHA-256 hash shared by MiroTalk.dmg and the embedded Jami binary, the C2 server IP, and the domains used for distribution.
- Detection guidance notes that macOS notarization requirements block the unsigned app by default, and highlights free tools such as BlockBlock and LuLu that alert on the malware's persistence and outgoing connections.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – The article notes victims download and execute the infected version of MiroTalk hosted on mirotalk.net. “…likely approached their potential victims, requesting that they join a hiring meeting, by download and executing the (infected version of) Miro Talk hosted on mirotalk.net.”
- [T1105] Ingress Tool Transfer – The malware downloads additional payloads which appear to be malicious python scripts. “…download additional payloads which appear to be malicious python scripts.”
- [T1056] Input Capture – The malware performs keylogging and access to browser data. “…stealing from browsers, keylogging, and installing AnyDesk.”
- [T1555.003] Credentials from Password Stores: Keychain – The malware targets the macOS keychain during data exfiltration. “…macOS keychain.”
- [T1041] Exfiltration Over C2 Channel – The malware exfiltrates collected data to its C2 server. “…exfiltrate these to its command & control server…”
- [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with the C2 server over HTTP (e.g., “http://95.164.17.24:1224”) to exfiltrate data and fetch payloads. `host2 = f'http://{host1}:1224'`
Indicators of Compromise
- [SHA-256] MiroTalk.dmg – 0F5F0A3AC843DF675168F82021C24180EA22F764F87F82F9F77FE8F0BA0B7132
- [SHA-256] Jami – 0F5F0A3AC843DF675168F82021C24180EA22F764F87F82F9F77FE8F0BA0B7132
- [IP] Command & Control Server – 95.164.17.24
- [Domain] Trojanized hosting domains – mirotalk.net, meet.no42.org
- [URL] C2 / payload endpoints – http://95.164.17.24:1224