InvisibleFerret Malware: Technical Analysis

Jan. 22, 2025, 9:16 a.m.

Description

A recent surge in North Korean activity involves fake job interviews to distribute malware, including InvisibleFerret. This Python-based malware targets the technology, finance, and cryptocurrency sectors, focusing on developers. It steals source code, wallets, and sensitive files. InvisibleFerret gathers victim information, exfiltrates browser data, and implements keylogging and clipboard monitoring. The malware uses FTP and Telegram for data exfiltration, and AnyDesk for persistence. It targets major browsers and specific extensions, particularly crypto wallets and authentication apps. The analysis reveals poor coding practices and weak obfuscation techniques. The campaign, known as Contagious Interview or DevPopper, demonstrates significant investment in infrastructure and social engineering tactics.

Date

  • Created: Jan. 21, 2025, 10:17 p.m.
  • Published: Jan. 21, 2025, 10:17 p.m.
  • Modified: Jan. 22, 2025, 9:16 a.m.

Indicators

  • 47830f7007b4317dc8ce1b16f3ae79f9f7e964db456c34e00473fba94bb713eb
  • 6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0
  • 147.124.214.129
  • 173.211.106.101

Attack Patterns

  • Docks
  • RustDoor
  • BeaverTail
  • InvisibleFerret
  • QRLog
  • North Korea
  • T1583.006
  • T1585.002
  • T1587.001
  • T1059.006
  • T1588.002
  • T1115
  • T1571
  • T1056.001
  • T1555
  • T1016
  • T1105
  • T1219
  • T1041
  • T1078

Additional Information

  • Technology
  • Finance