Tsunami Malware: A Multifaceted Threat Targeting Users with Credential Theft and Cryptomining

A sophisticated malware framework known as Tsunami has recently emerged, posing a significant threat to users by employing a multi-stage infection process that culminates in credential theft and unauthorized cryptomining activities. This malware has been linked to the Contagious Interview campaign, which is associated with North Korean cyber actors, notably the Lazarus Group.

Initial Access and Infection Chain

The attack sequence begins with the execution of a malicious loader named BeaverTail, which is retrieved from the third-party domain api.npoint.io via a compromised private GitHub repository. Once activated, this loader deploys the InvisibleFerret malware as an intermediate stage in the infection chain. The attackers rely on sophisticated social engineering, particularly on LinkedIn, where they impersonate prospective business partners to entice victims into running the compromised code.

Discovery and Analysis

Researchers at HiSolutions identified the comprehensive Tsunami framework during investigations into cryptocurrency theft incidents. Their analysis revealed that the malware leverages both the TOR network and Pastebin for command and control (C2) operations, indicating the threat actors’ commitment to maintaining operational security while continually developing new tools.

Modular Structure and Capabilities

Tsunami’s modular architecture comprises over 25 distinct components, including multiple browser credential stealers targeting Chrome, Firefox, Brave, Edge, and OperaGX. It also features capabilities to compromise cryptocurrency wallets, focusing on Exodus and Ethereum wallets. The malware deploys two separate cryptominers—one for Monero and another for Ethereum—to monetize compromised systems, as evidenced by configuration files recovered during analysis.

Ongoing Development

The malware’s development appears to be ongoing, with some modules, such as botnet functionality, still in early stages of implementation. This suggests that the threat actors are continuously enhancing their capabilities.

Persistence Mechanisms

Tsunami employs sophisticated techniques to maintain access to compromised systems. The Python-based launcher creates a file named "Windows Update Script.pyw" in the Windows startup folder and installs a binary named "Runtime Broker.exe" in a "Microsoft Windows Applications" directory. For additional resilience, it creates scheduled tasks that trigger at user logon.

Defense Evasion

The malware implements extensive defense evasion by adding multiple Windows Defender exclusions and Windows Firewall rules. It disables security features using PowerShell commands to ensure its persistent operation remains undetected.
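The persistence and evasion artifacts described in the two sections above can be hunted for on a Windows host with a script such as the following. This is an added example written for this summary, not code from the HiSolutions report; the directories searched for the dropped "Runtime Broker.exe" are an assumption, since the report names only a "Microsoft Windows Applications" directory. It runs from an elevated PowerShell prompt.

```powershell
# Added hunt script (not from the HiSolutions report): checks a host for the
# Tsunami persistence and evasion artifacts named in the summary above.
$findings = @()

# 1. Startup-folder launcher ("Windows Update Script.pyw"), per-user and all-users folders
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.pyw' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Startup .pyw launcher: $($_.FullName)" }
}

# 2. Dropped "Runtime Broker.exe" (note the space: the genuine RuntimeBroker.exe
#    lives in System32 with no space). Search roots are an assumption.
$searchRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData)
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Force -Filter 'Runtime Broker.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Suspicious binary: $($_.FullName)" }
}

# 3. Scheduled tasks with a logon trigger whose action runs Python/.pyw or the dropped exe
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($logon) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '\.pyw|python|Runtime Broker\.exe') {
                $findings += "Logon task '$($task.TaskName)' runs: $cmd"
            }
        }
    }
}

# 4. Defender exclusions and firewall allow rules of the kind the malware adds
$mp = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($p in (@($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension))) {
    if ($p) { $findings += "Defender exclusion: $p" }
}
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -match '\.pyw|python|Runtime Broker' } |
    ForEach-Object { $findings += "Firewall allow rule for: $($_.Program)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No Tsunami-style persistence or evasion artifacts found.' }
```

Defender exclusions are listed in full rather than filtered, because any exclusion that an administrator did not add deliberately deserves review, not only those matching the names above.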

Command and Control Infrastructure

The C2 infrastructure employs an onion domain (n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion) accessible only through the bundled Tor client, making traffic analysis and blocking significantly more challenging for defenders.

Recommendations for Users

To mitigate the risk posed by Tsunami malware, users are advised to exercise caution when interacting with unsolicited communications, especially those involving potential business opportunities on platforms like LinkedIn. Regularly updating software and employing robust security measures can also help protect against such sophisticated threats.