
BeaverTail and InvisibleFerret malware target job-seeking Mac users



On July 15, MalwareHunterTeam (MHT) posted a thread on X about a fake videoconferencing app for Mac. The malware apparently targeted Mac users via unsolicited LinkedIn messages about job opportunities.

Let’s take a brief look at what the malware does and how it was distributed.

What do BeaverTail and InvisibleFerret malware do?

MalwareHunterTeam noted that the Trojan horse was fully undetected (“FUD”) by antivirus engines on VirusTotal as of that date. While this malware poses as an existing piece of software, it’s actually a malicious Trojan horse.

Several hours later, malware analyst Patrick Wardle published his own initial assessment of the malware. Evidently, it’s a macOS-native port of BeaverTail (JavaScript-based stealer and dropper malware). It is distributed along with InvisibleFerret (Python-based backdoor malware). Unit 42 published a report about earlier versions of these families, then without a native Mac app, late last year.

The Trojan apparently checks for various cryptocurrency-related browser extensions in, and extracts data from, the Google Chrome, Brave, and Opera browsers. It also targets the macOS login keychain database. After surreptitiously collecting sensitive data from an infected Mac, the malware exfiltrates it to an attacker-controlled server.

Malware researcher Jaromir Horejsi noted that the Mac port of this malware seems sloppy; it includes references to a Windows .exe application.

How the malware spread: fake job opportunities

As MalwareHunterTeam observed in its thread, looking up the malware’s phone-home IP address reveals that it has already been in use for more than a month. A previous victim posted on Reddit on June 11 about how a scammer had tried to infect them:

Someone messaged me on LinkedIn, asking me if I had any experience with web3. …

They asked me to move the conversation to Telegram (🚩). I accepted. On Telegram, they sent me the link to a GitHub repo. The repository was public, but with few commits and 0 stars. …

I guess that script would have tried to steal my cookies, crypto if I had any, it’s definitely something malicious. I reported the user on LinkedIn and the repository. Hope they will take action soon.

Stay safe and don’t execute code from strangers!!

The GitHub repository was since removed.

As Wardle points out in his write-up, “It’s common for DPRK [North Korean] hackers to target their victims by posing as job hunters.” We’ve certainly seen similar attacks before; we discussed on the April 6, 2023 episode of the Intego Mac Podcast about how North Korean threat actors were even targeting cybersecurity researchers. Similar campaigns have been ongoing for at least the past three years, if not longer.

How can I keep my Mac safe from similar malware?

If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects these samples as OSX/Nukesped, OSX/Stealer, virus/OSX/AVF.Agent.dean, and similar names.

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. Just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.

Indicators of compromise (IOCs)

Following are SHA-256 hashes of malware samples from this campaign:

10f86be3e564f2e463e45420eb5f9fbdb14f7427eac665cd9cc7901efbc4cc59
9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c
f08e88c7397443e35697e145887af2683a83d2415ccd0c7536cea09e35da9ef7

This malware campaign leverages the following domain and IP address:

mirotalk[.]net
95.164.17[.]24

Network administrators can check logs to try to identify whether any computers may have attempted to contact this domain or IP in recent weeks, which could indicate a possible infection.
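As an added illustration of the log check described above (this script is not part of the original article and is not Intego’s code), the following Python program does two things a defender would want: it hashes files under a directory and compares them against the three published SHA-256 hashes, and it scans log lines for the published domain and IP. The indicators are embedded exactly as the article gives them, in defanged form, and are refanged only in memory. The log lines are constructed for the example and are not real traffic; the filename in the usage comment is an assumption.

```python
import hashlib
import re
import sys
from pathlib import Path

# Indicators from the article, kept defanged as published.
IOC_SHA256 = {
    "10f86be3e564f2e463e45420eb5f9fbdb14f7427eac665cd9cc7901efbc4cc59",
    "9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c",
    "f08e88c7397443e35697e145887af2683a83d2415ccd0c7536cea09e35da9ef7",
}
IOC_NETWORK_DEFANGED = ["mirotalk[.]net", "95.164.17[.]24"]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'mirotalk[.]net' back into a literal."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()


def split_indicators(defanged):
    """Separate network IOCs into a set of domains and a set of IPv4 addresses."""
    domains, ips = set(), set()
    for ioc in map(refang, defanged):
        (ips if IPV4.match(ioc) else domains).add(ioc)
    return domains, ips


def match_line(line: str, domains, ips):
    """Return the indicator a log line touches, or None.

    Tokenising on characters that cannot appear in a hostname or address
    avoids substring false positives: '195.164.17.24' is not '95.164.17.24',
    and 'mirotalk.network.example' is not 'mirotalk.net'. Subdomains of an
    IOC domain (e.g. 'api.mirotalk.net') still count, as does a DNS-style
    trailing dot ('mirotalk.net.').
    """
    for token in re.findall(r"[\w.-]+", line):
        token = token.strip(".").lower()
        if token in ips:
            return token
        for domain in domains:
            if token == domain or token.endswith("." + domain):
                return domain
    return None


def scan_log_lines(lines, defanged=IOC_NETWORK_DEFANGED):
    """Return (line_number, indicator, line) for every line touching an IOC."""
    domains, ips = split_indicators(defanged)
    hits = []
    for number, line in enumerate(lines, start=1):
        found = match_line(line, domains, ips)
        if found:
            hits.append((number, found, line.rstrip()))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree_for_hashes(root, known=IOC_SHA256):
    """Walk a directory and return (path, sha256) for files matching a known sample hash."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = sha256_of_file(path)
            if digest in known:
                hits.append((str(path), digest))
    return hits


# Constructed sample log lines (not real traffic): two true hits, two near-misses.
SAMPLE_LOG = """\
Jul 16 09:12:01 gw dnsmasq[412]: query[A] www.apple.com from 10.0.0.12
Jul 16 09:13:44 gw dnsmasq[412]: query[A] mirotalk.net. from 10.0.0.37
Jul 16 09:13:45 gw kernel: OUT=en0 SRC=10.0.0.37 DST=95.164.17.24 PROTO=TCP DPT=443
Jul 16 09:14:02 gw dnsmasq[412]: query[A] mirotalk.network.example from 10.0.0.12
Jul 16 09:15:10 gw kernel: OUT=en0 SRC=10.0.0.12 DST=195.164.17.24 PROTO=TCP DPT=443
"""

if __name__ == "__main__":
    # Usage (assumed filename): python ioc_check.py [logfile] [directory-to-hash]
    if len(sys.argv) > 1:
        log_lines = Path(sys.argv[1]).read_text(errors="replace").splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for number, indicator, line in scan_log_lines(log_lines):
        print(f"line {number}: {indicator} <- {line}")
    if len(sys.argv) > 2:
        for path, digest in scan_tree_for_hashes(sys.argv[2]):
            print(f"known sample hash: {path} {digest}")
```

Run without arguments it scans the built-in sample and reports lines 2 and 3 only; pass a DNS, proxy, or firewall log and a directory (for example a Downloads folder) to check real data. Hash matching only catches the exact published samples, so treat the network indicators as the more durable signal, and note that a DNS query alone shows an attempt to contact the server, not a confirmed infection.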

Do security vendors detect this by any other names?

Other antivirus vendors’ names for this malware may include variations of the following:

DMG/ABTrojan.TCFF-, HEUR:Trojan-PSW.OSX.BeaverTail.a, MacOS:Stealer-AS [Trj], MacOS/ABTrojan.AJWE-, Malware.OSX/AVF.Agent.deane, Malware.OSX/GM.Stealer.DP, Osx.Trojan-QQPass.QQRob.Edhl, Osx.Trojan-QQPass.QQRob.Pnkl, OSX.Trojan.Gen, OSX/AVF.Agent.deane, OSX/GM.Stealer.DP, OSX/InfoStl-DO, OSX/NukeSped.AN, Python:Nukesped-E [Trj], Python:Nukesped-F [Drp], TROJ_FRS.0NA104GH24, TROJ_FRS.VSNTGH24, Trojan-Spy.OSX.BeaverTail, Trojan-Spy.Python.Agent, Trojan:MacOS/BeaverTail!MTB, Trojan:MacOS/Multiverze, Trojan:Python/NukeSped.E, Trojan:Python/NukeSped.G, Trojan.Generic.36558217 (B), Trojan.Generic.D461A7BC, Trojan.GenericKD.73508796 (B), Trojan.OSX.BeaverTail.i!c, Trojan.OSX.Nukesped.i!c, Trojan[stealer]:MacOS/NukeSped.AT, Trojan/OSX.Agent.20784310, Trojan/OSX.Agent.770832, UDS:Trojan-PSW.OSX.BeaverTail.a

How can I learn more?

We briefly discussed this malware on episode 354 of the Intego Mac Podcast.

For a deeper technical analysis of the malware, you can read Patrick Wardle’s write-up. You can also read previous research into similar campaigns, written up by Unit 42 and by D. Iuzvyk, T. Peck, and O. Kolesnikov.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security, and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.