The Lazarus group is intensifying its cyber campaign in 2024, employing new and increasingly sophisticated methods. Under the Contagious Interview campaign, hackers, disguising themselves as interviewers for job vacancies, are implanting malware into unsuspecting victims’ systems. The primary weapon in this attack is a Node.js-based project loaded with a malvar named Beavertail, which then deploys the Python-based backdoor, InvisibleFerret.
Originally discovered in November 2023 as JavaScript-based software, Beavertail resurfaced in 2024 in a new version designed for MacOS. Additionally, researchers have uncovered a counterfeit Windows video conferencing application that masquerades as a legitimate program but is actually part of the Beavertail attack.
Researchers have observed that Lazarus is continually adapting its tools and incorporating new features to enhance its attacks. For instance, the Python version of Beavertail includes capabilities for remote access through Anydesk and data exfiltration via Telegram. The group is targeting professionals in blockchain technologies and gaming, broadening its assaults to include repositories associated with cryptocurrencies and gaming projects.
Another tactic being employed by Lazarus is the widespread use of fake video conferencing applications. One such application, identified as FCCCall, mimics a reputable service but stealthily initiates malicious processes upon installation. It harvests data from browsers, cryptocurrency wallet extensions, and password managers before transmitting it to the attackers’ remote server.
Analysis reveals that Lazarus is introducing its tools through collaboration platforms for code development like GitHub, concealing malicious scripts within legitimate projects. These scripts load key components of Beavertail, including Python libraries, along with a collection of scripts dubbed CiveTQ. These tools enable the threat actors to extract data from browsers, pilfer information from password managers and cryptocurrency wallets, and retain control over infected devices via Anydesk.
Malvar is continuously evolving with regular code updates and new functions such as data theft from browsers and two-factor authentication applications. The scope of potential targets for attacks is expanding to include password managers and even Microsoft Sticky Notes.
Given the persistence of cyber attacks by Lazarus, it remains a substantial threat. Conducting thorough verification of programs and applications prior to installation, along with the implementation of cutting-edge cybersecurity tools like antivirus programs and solutions to mitigate digital risks, can help minimize the chances of successful infiltration by such threats into a system.