Full Report
On November 29, 2024, a case was disclosed in which threat actors impersonated a recruitment email from a developer community called Dev.to to distribute malware. [1] In this case, the attacker provided a BitBucket link containing a project, and the victim discovered malicious code within the project and disclosed it to the community. The project […]
Analysis Summary
# Tool/Technique: BeaverTail
## Overview
BeaverTail is an infostealer and downloader malware primarily known to be used by North Korean attackers for information theft and downloading additional payloads. It was distributed via a social engineering attack impersonating a recruitment email from the Dev.to developer community, delivered through a malicious BitBucket link.
## Technical Details
- Type: Malware family
- Platform: Windows (implied by use of DLLs, Windows commands like `schtasks`, and standard Windows paths)
- Capabilities: Information theft (credentials, cryptocurrency wallet data), downloading secondary payloads (like InvisibleFerret), and serving as a dropper for a backdoor (Tropidoor).
- First Seen: The case detailed is from November 29, 2024, but the malware itself has been observed in previous attacks targeting overseas entities, including LinkedIn phishing.
## MITRE ATT&CK Mapping
*Note: Direct mappings are inferred based on functionality described (Infostealer, Downloader, Backdoor functionality).*
- TA0001 - Initial Access
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (JavaScript obfuscation noted)
- TA0009 - Collection
  - T1005 - Data from Local System (Stealing credentials, wallet data)
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol (Communicating via HTTP/S parameters)
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Phishing Distribution:** Distributed via social engineering attacks, often disguised as job offers.
- **Information Stealing (Infostealer):** Targets web browsers to steal credentials and cryptocurrency wallet data.
- **Downloader:** Capable of downloading additional malware payloads.
- **Execution Dropper:** Disguised as a configuration file (`tailwind.config.js`) that executes the `car.dll` downloader.
### Advanced Features
- Uses obfuscated routines within its JavaScript component.
- Downloads secondary payloads like "InvisibleFerret".
- Establishes persistence/command execution via the secondary backdoor, Tropidoor.
## Indicators of Compromise
- File Hashes:
  - MD5: `3aed5502118eb9b8c9f8a779d4b09e11` (Associated with files found in the distribution)
  - MD5: `84d25292717671610c936bca7f0626f5` (Associated with files found in the distribution)
  - MD5: `94ef379e332f3a120ab16154a7ee7a00` (Associated with files found in the distribution)
  - MD5: `b29ddcc9affdd56a520f23a61b670134` (Associated with files found in the distribution)
- File Names:
  - `tailwind.config.js` (Malware disguised as a NodeJS configuration file)
  - `car.dll` (Downloader malware)
  - `img_layer_generate.dll` (Alternative name for the associated DLL)
  - Downloaded files: `p.zi`, `p2.zip`
- Registry Keys: Unknown from the context.
- Network Indicators:
  - C2 Domain/IP patterns often involve URLs like `/Proxy.php`.
  - Known C2 URLs (Defanged): `http[:]//103[.]35[.]190[.]170/Proxy[.]php`, `http[:]//86[.]104[.]72[.]247/Proxy[.]php`, `https[:]//45[.]8[.]146[.]93/proxy/Proxy[.]php`, `https[:]//86[.]104[.]72[.]247/proxy/Proxy[.]php`
  - Known C2 IPs (Defanged): `135[.]181[.]242[.]24`, `191[.]96[.]31[.]38`
- Behavioral Indicators:
  - Use of `curl` for downloading files.
  - Installation path hint: `%SystemDrive%\0_***workfile\*_work\autosquare\autopart\car.dll`.
## Associated Threat Actors
- North Korean attackers (Affiliation strongly suggested)
## Detection Methods
- Signature-based detection: File hashes listed above; specific signatures targeting the BeaverTail or 'car.dll' binary structure.
- Behavioral detection: Monitoring for execution paths similar to the installation path; monitoring the suspicious JavaScript file initiating native process execution.
- YARA rules: None are provided in the source; rules matching the specific structure of `tailwind.config.js` or the contents of the DLLs would be needed.
## Mitigation Strategies
- Users should exercise extreme caution regarding executable files or scripts downloaded from unknown sources, especially those received via suspicious emails (even if seemingly from trusted communities or job postings).
- Ensure browser and operating system security products are up-to-date.
- Review processes that attempt to execute shell commands or scripts from contexts where they are not expected (e.g., a configuration file like `tailwind.config.js` executing a DLL).
## Related Tools/Techniques
- **car.dll:** A downloader component used alongside BeaverTail in this campaign.
- **LightlessCan (Lazarus Group):** The downloader (`car.dll`) exhibits similar characteristics to LightlessCan in its implementation of native Windows shell commands internally.
- **Tropidoor:** A backdoor malware executed in memory by the `car.dll` downloader, responsible for C2 communication.
- **InvisibleFerret:** A payload that BeaverTail is known to download.
***
# Tool/Technique: car.dll (Downloader)
## Overview
`car.dll` is a downloader malware found in the same compressed package as BeaverTail, responsible for executing the next stage of the attack. It appears to execute Windows commands internally upon loading.
## Technical Details
- Type: Downloader Malware
- Platform: Windows
- Capabilities: Executes internal Windows commands, serves as the initial execution mechanism for the secondary malware payload (Tropidoor, which runs in memory).
- First Seen: Deployed alongside BeaverTail in the analyzed case (November 2024).
## MITRE ATT&CK Mapping
- T1218 - Signed Binary Proxy Execution (Implied, as it is a DLL that executes commands)
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (Implementing internal commands)
## Functionality
### Core Capabilities
- Execution initialization for the attack chain.
- Contains internal logic for replicating the functionality of Windows commands.
### Advanced Features
- Command implementation logic similar to malware used by Lazarus Group instances (specifically LightlessCan).
- Executes commands such as `schtasks`, `ping`, and `reg` internally.
## Indicators of Compromise
- File Names: `car.dll`, potentially found within suspicious paths related to "autosquare".
- Behavioral Indicators: Execution logs showed activity related to embedded Windows commands.
## Associated Threat Actors
- Associated with the actors deploying BeaverTail (suspected North Korean groups).
## Detection Methods
- Detection of DLL loading from unusual contexts.
- Signatures targeting the specific command implementation patterns observed.
## Mitigation Strategies
- Application whitelisting (to prevent execution of unknown DLLs).
- Strong endpoint detection rules for unusual command execution behavior.
## Related Tools/Techniques
- LightlessCan (Similar command implementation technique)
***
# Tool/Technique: Tropidoor (Backdoor)
## Overview
Tropidoor is a backdoor malware that appears to operate in memory, loaded by the `car.dll` downloader. It establishes encrypted Command and Control (C2) communication to receive and execute remote commands.
## Technical Details
- Type: Backdoor Malware
- Platform: Windows (In-memory execution)
- Capabilities: Encrypted C2 communication, system information gathering, file manipulation, process injection, and remote command execution.
- First Seen: Deployed following the execution of `car.dll`.
## MITRE ATT&CK Mapping
- T1105 - Ingress Tool Transfer (Downloading secondary payloads)
- T1071.001 - Application Layer Protocol: Web Protocols (Using HTTP parameters for C2)
- T1560 - Archive Collected Data
- T1560.001 - Archive via Utility (Compressing files to ZIP)
## Functionality
### Core Capabilities
- **C2 Communication Setup:** Decrypts an RSA public key upon connection and generates a random 0x20-byte key for symmetric packet encryption.
- **System Information Collection:** Gathers basic system info and transmits it with the unique encryption key.
- **Command Execution:** Receives commands via the `letter` parameter (e.g., `letter=400BadRequest`) and sends results back via the same parameter.
### Advanced Features
- Uses RSA for key exchange and a derived symmetric key for communication payloads over HTTP/S parameters (`tropi2p`, `gumi`, `s_width`).
- Executes a wide array of commands, including file manipulation (deletion, time setting), process injection (Command 16), screenshot capture (Command 9), and direct shell command execution (Command 34).
## C&C Communication Structure
| Parameter | Usage |
|---|---|
| `tropi2p` | Carries System Information / Command Results |
| `gumi` | Carries the session encryption key |
| `s_width` | Carries the generated 5-byte Session ID |
| `letter` | Used to send commands (`400BadRequest`) or results |
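As an added example (not code from the report or from the malware itself), the following Python scores HTTP requests against the Tropidoor parameter set in the table above and the `/Proxy.php` endpoint from the BeaverTail IoCs. The `METHOD URL<TAB>BODY` log format and the 192.0.2.x addresses are constructed for the example; a single `s_width` on an unrelated URL is deliberately not alerted on.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names Tropidoor uses on its C2 channel (from the report's C&C table).
C2_PARAMS = {"tropi2p", "gumi", "s_width", "letter"}
# Known C2 URLs end in /Proxy.php (case-insensitive to catch the /proxy/Proxy.php variants).
PROXY_PATH = re.compile(r"/proxy\.php$", re.IGNORECASE)

def classify_request(url, body=""):
    """Return the reasons one HTTP request looks like Tropidoor C2 traffic ([] = none).
    Parameters may travel in the query string or a form-encoded POST body; both are read."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    hits = C2_PARAMS & set(params)
    proxy = bool(PROXY_PATH.search(parts.path))
    reasons = []
    if "400BadRequest" in params.get("letter", []):
        reasons.append("letter=400BadRequest command poll")
    # Two distinct C2 parameter names together, or one of them on the Proxy.php path,
    # is the signal; a lone generic name such as s_width elsewhere is left alone.
    if len(hits) >= 2 or (hits and proxy):
        reasons.append("c2-params:" + ",".join(sorted(hits)))
    if reasons and proxy:
        reasons.append("Proxy.php endpoint")
    return reasons

def scan_log(text):
    """Scan 'METHOD URL<TAB>BODY' lines; return [(line_no, reasons)] for matching lines."""
    alerts = []
    for no, line in enumerate(text.splitlines(), 1):
        head, _, body = line.partition("\t")
        fields = head.split()
        if len(fields) < 2:
            continue
        reasons = classify_request(fields[1], body)
        if reasons:
            alerts.append((no, reasons))
    return alerts

# Constructed sample log: lines 2 and 3 mimic the session setup and command poll.
SAMPLE_LOG = """\
GET http://192.0.2.5/api/health?probe=1
POST http://192.0.2.10/Proxy.php\ttropi2p=c3lzaW5mbw&gumi=a2V5a2V5a2V5&s_width=AB12C
POST https://192.0.2.10/proxy/Proxy.php\tletter=400BadRequest
GET https://192.0.2.20/styles.css?s_width=1024
"""

if __name__ == "__main__":
    for no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {no}: {'; '.join(reasons)}")
```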
## C&C Executable Commands (Selected)
- **3:** `netstat -ano`
- **9:** Screenshot Capture
- **16:** Inject downloaded payload into another process or load in memory
- **34:** Execute direct Windows commands (`schtasks`, `ping`, `reg`).
## Indicators of Compromise
- Network Indicators: C2 communication utilizing the distinct URL parameter structure listed above.
## Associated Threat Actors
- Associated with the actors deploying BeaverTail (suspected North Korean groups).
## Detection Methods
- Behavioral analysis detecting large amounts of seemingly encrypted data being transmitted over standard web ports to the listed IP ranges/domains.
- Detection of process injection activities (e.g., command 16).
## Mitigation Strategies
- Enforce strong egress filtering, monitoring for non-standard HTTP requests containing complex encoded data meant to mimic application protocols.
- Limit the use of sensitive native commands where possible via restricted execution policies.
## Related Tools/Techniques
- LightlessCan (Command execution similarity).