North Korean Hackers Update BeaverTail Malware to Target MacOS Users

July 17, 2024 at 12:43PM

Researchers have found a new variant of a stealer malware linked to North Korea, this time targeting job seekers with a malicious Apple macOS disk image file named “MiroTalk.dmg.” This malware, known as BeaverTail, can steal sensitive data from web browsers, crypto wallets, and iCloud Keychain. Additionally, a new malicious npm package called call-blockflow is suspected to be the work of the North Korea-linked Lazarus Group, which has been orchestrating cyber attacks since September 2023. Moreover, JPCERT/CC has issued a warning about cyber attacks by the North Korean Kimsuky actor targeting Japanese organizations, using phishing messages to distribute malicious executable files.

The key takeaways are:

1. Cybersecurity researchers have discovered an updated variant of a known stealer malware associated with the Democratic People’s Republic of Korea (DPRK), targeting job seekers through cyber espionage campaigns.
2. The malware is distributed through an Apple macOS disk image (DMG) file named “MiroTalk.dmg” and is capable of stealing data from web browsers, cryptocurrency wallets, and iCloud Keychain, as well as delivering additional payloads like a Python backdoor.
3. The DPRK hackers have been observed using social engineering tactics to approach potential victims by requesting their participation in hiring meetings through a compromised version of MiroTalk hosted on mirotalk[.]net.
4. Additionally, a new malicious npm package named call-blockflow, suspected to be the work of the North Korea-linked Lazarus Group, has been uncovered. The package contains complex functionality for downloading a remote binary file and uses evasive behavior to avoid detection.
5. There is an ongoing advisory from JPCERT/CC warning of cyber attacks orchestrated by the North Korean Kimsuky actor targeting Japanese organizations, with the infection process starting with phishing messages and leading to the exfiltration of sensitive information to a command-and-control (C2) server.

These findings highlight the evolving tactics employed by threat actors affiliated with the DPRK and the need for heightened vigilance and security measures to protect against such cyber threats.
