Beware of Weaponized Recruitment Emails that Deliver BeaverTail and Tropidoor Malware

Cybersecurity researchers have uncovered a sophisticated attack campaign where threat actors impersonate recruitment professionals to distribute dangerous malware payloads.
On November 29, 2024, threat actors were found impersonating Dev.to, a popular developer community, to distribute malicious code hidden within project files shared through BitBucket links.
The attack represents a growing trend where threat actors exploit job seekers’ eagerness to review potential employment opportunities.
The malicious packages contain two primary components: BeaverTail, a JavaScript-based malware disguised as a legitimate “tailwind.config.js” configuration file, and a downloader component identified as “car.dll”.
Once executed, these components work in tandem to steal sensitive information from infected systems and establish persistent backdoor access.
The attackers specifically target web browser credential information and cryptocurrency wallet data, demonstrating their focus on both immediate financial gain and long-term system compromise.
ASEC analysts identified that BeaverTail is predominantly distributed through phishing attacks masquerading as job offers, with previous campaigns specifically targeting LinkedIn users.
While many cases originate overseas, researchers have discovered related infection logs within South Korea.
The installation paths often contain keywords like “Autopart” and “autosquare,” providing potential indicators of compromise for security teams to monitor.
The campaign shows sophisticated techniques for evading detection and maintaining persistence.
After initial infection, the malware employs obfuscation routines to hide its true functionality and leverages legitimate Windows tools like PowerShell and rundll32 to execute its payloads.
This “living off the land” approach helps the malware blend with normal system operations, complicating detection efforts.
Evidence points to North Korean threat actors’ involvement, with techniques and infrastructure matching those used in previous campaigns attributed to the Lazarus group.
Its use of built-in Windows commands mirrors the LightlessCan malware previously documented by security firm ESET.
Infection Mechanism Analysis
The infection process begins when victims receive seemingly legitimate recruitment emails containing links to code repositories for review.
Upon examining the repository, victims find what appears to be a standard web development project.
However, embedded within the files is obfuscated JavaScript code in the “tailwind.config.js” file that executes the “car.dll” payload through a PowerShell command.
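The indicators the article gives (installation paths containing "Autopart" or "autosquare", a loader named car.dll, and PowerShell handing execution to rundll32) can be turned into a simple triage rule over process-creation telemetry. The Python below is an added example, not code from the article or from ASEC: the event records, field names and the PLACEHOLDER_EXPORT token are constructed for illustration, and the "rundll32 from a user profile" heuristic is an assumption of mine rather than something the article states.

```python
"""Added detection example (not from the article or ASEC): score process-creation
events against the BeaverTail / Tropidoor indicators the article describes.
All sample events below are constructed; none are real logs."""
import re
from dataclasses import dataclass, field

# Indicators taken from the article.
PATH_KEYWORDS = ("autopart", "autosquare")   # keywords seen in installation paths
LOADER_NAME = "car.dll"                      # downloader/loader component name
POWERSHELL = ("powershell.exe", "pwsh.exe")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed schema, Sysmon-like)."""
    parent_image: str
    image: str
    command_line: str
    matches: list = field(default_factory=list)


def _basename(path: str) -> str:
    # Handles both backslash and forward-slash separators, case-insensitively
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev: ProcessEvent) -> list:
    """Return the names of every indicator matched by a single event."""
    hits = []
    cmd = ev.command_line.lower()
    img = _basename(ev.image)
    parent = _basename(ev.parent_image)

    # 1. Installation-path keywords the article reports for this campaign
    for kw in PATH_KEYWORDS:
        if kw in cmd:
            hits.append(f"path-keyword:{kw}")

    # 2. The loader component named in the article
    if LOADER_NAME in cmd:
        hits.append("loader-name:car.dll")

    # 3. PowerShell spawning rundll32: the living-off-the-land chain described
    if img == "rundll32.exe" and parent in POWERSHELL:
        hits.append("lolbin-chain:powershell->rundll32")

    # 4. Assumption (not from the article): rundll32 loading a DLL from a
    #    user-writable profile directory is unusual enough to surface on its own
    if img == "rundll32.exe" and re.search(r"\\users\\[^\\]+\\", cmd):
        hits.append("rundll32-from-user-profile")

    ev.matches = hits
    return hits


def scan(events: list) -> list:
    """Return only the events that matched at least one indicator."""
    return [ev for ev in events if score_event(ev)]


# Constructed sample telemetry: two suspicious events, two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe C:\Users\dev\AppData\Local\Temp\autosquare\car.dll,PLACEHOLDER_EXPORT",
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -NoProfile Get-ChildItem C:\Users\dev\Projects",
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\System32\services.exe",
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    ),
    ProcessEvent(
        parent_image=r"C:\Program Files\nodejs\node.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'powershell.exe -NoProfile -Command "rundll32 C:\Users\dev\Downloads\Autopart\car.dll"',
    ),
]


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"FLAGGED {ev.image}: {', '.join(ev.matches)}")
```

Each flagged event carries the list of indicators it tripped, so an analyst can weight a single keyword hit differently from the full PowerShell-to-rundll32 chain with car.dll in a temp directory. The keyword checks are deliberately substring-based and case-insensitive because the article gives the keywords without fixed paths; tune them to your environment if legitimate software uses similar names.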
Once activated, the malware establishes communication with command and control (C&C) servers using encrypted channels.
The backdoor component, dubbed Tropidoor, generates a random 0x20-byte key and encrypts it with an RSA public key to secure communication with its operators.
It then collects system information and awaits further instructions delivered through a structured URL format, supporting more than 20 different commands, including file manipulation, screenshot capture, and process injection.
Users should exercise extreme caution when receiving unsolicited job offers containing code repositories and verify the legitimacy of recruitment emails through official channels before interacting with any attached content.
The post Beware of Weaponized Recruitment Emails that Deliver BeaverTail and Tropidoor Malware appeared first on Cyber Security News.