Cybersecurity researchers have uncovered a sophisticated attack campaign in which threat actors impersonate recruitment professionals to distribute dangerous malware payloads. On November 29, 2024, threat actors were found impersonating Dev.to, a popular developer community, to distribute malicious code hidden within project files shared through BitBucket links. The infection process begins when victims receive seemingly legitimate recruitment emails containing links to code repositories for review.

Embedded within the files is obfuscated JavaScript code in the “tailwind.config.js” file that executes the “car.dll” payload through a PowerShell command. After initial infection, the malware employs obfuscation routines to hide its true functionality and leverages legitimate Windows tools like PowerShell and rundll32 to execute its payloads. This “living off the land” approach helps the malware blend with normal system operations, complicating detection efforts. The installation paths often contain keywords like “Autopart” and “autosquare,” providing potential indicators of compromise for security teams to monitor.

Once activated, the malware establishes communication with command and control (C&C) servers using encrypted channels. It then collects system information and awaits further instructions through a structured URL format, supporting more than 20 different commands including file manipulation, screenshot capture, and process injection. The implementation of built-in Windows commands mirrors the LightlessCan malware previously documented by security firm ESET. Once executed, these components work in tandem to steal sensitive information from infected systems and establish persistent backdoor access. The attackers specifically target web browser credential information and cryptocurrency wallet data, demonstrating their focus on both immediate financial gain and long-term system compromise.

ASEC analysts identified that BeaverTail is predominantly distributed through phishing attacks masquerading as job offers, with previous campaigns specifically targeting LinkedIn users. Evidence points to North Korean threat actors’ involvement, with techniques and infrastructure matching those used in previous campaigns attributed to the Lazarus group. The attack represents a growing trend where threat actors exploit job seekers’ eagerness to review potential employment opportunities. Users should exercise extreme caution when receiving unsolicited job offers containing code repositories and verify the legitimacy of recruitment emails through official channels before interacting with any attached content.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Apr 2025 15:45:13 +0000