InvisibleFerret: Everything About Lazarus APT’s New Backdoor

During October and November 2024, researchers observed a surge in North Korean cyber activity leveraging a well-documented tactic: staging fake job interviews.

This approach, employed by the notorious Lazarus Group, targets employees in the technological, financial, and cryptocurrency sectors.

Disguised as coding challenges or video conferencing software, these fake interviews deliver a variety of malware families, including QRLog, Docks/RustDoor, and now BeaverTail and InvisibleFerret.

Let’s find out how dangerous InvisibleFerret actually is and how it can be analyzed more easily using advanced malware analysis tools, such as ANY.RUN’s sandbox.

What is InvisibleFerret? A Messy but Silent Backdoor

InvisibleFerret is Python-based malware with a complex, messy structure, featuring over 100 functions riddled with compact and obfuscated code. Its capabilities include reconnaissance, data exfiltration, and persistence, all aimed at stealing sensitive files, source code, and cryptocurrency wallets.

Key capabilities of InvisibleFerret:

  • Reconnaissance: Gathers geolocation, OS details, and user information by querying legitimate services like ip-api.com
  • Data theft: Extracts files such as source code, credentials, and sensitive corporate data. Specifically targets browser data, including cookies, saved passwords, and history, across Chrome, Brave, Edge, and others
  • Exfiltration techniques: Files are compressed and encrypted using weak passwords. Browsers and crypto wallet extensions like Metamask and Google Authenticator are key targets
  • Persistence and control: Downloads and executes tools like AnyDesk for remote access. Includes keylogging capabilities, monitoring clipboard changes for passwords and keys

Technical Analysis of InvisibleFerret

A critical component of the latest InvisibleFerret attack is the deployment of a malicious NPM module, BeaverTail, which delivers a portable Python environment (p.zip) as part of its operation.

BeaverTail serves as the initial stage in a sophisticated, multi-layered attack chain, paving the way for InvisibleFerret. This backdoor exhibits advanced obfuscation techniques and incorporates persistence mechanisms, making it a formidable tool in the hands of attackers.

To discover how InvisibleFerret behaves, let’s submit it for analysis to ANY.RUN’s interactive sandbox. The sandbox shows the analysis in real time, with every process it spawns and the details of what each one did:

View ANY.RUN analysis session

InvisibleFerret processes analyzed by ANY.RUN sandbox

All the processes are displayed on the right side of the sandbox screen. By clicking on a specific process, you can access detailed information about its behavior and actions, making it easier to analyze and understand its role in the malware’s operation.

Exfiltrated information displayed inside ANY.RUN sandbox

Inside the analysis session, the ferret’s first move is to gather fundamental information about the victim.

It queries legitimate services like ip-api.com, commonly exploited by other malware and even cryptocurrency drainers like “ETH Polygon BNB,” to determine the victim’s geolocation.

Besides that, it collects system details, including the operating system release, version, hostname, and username, before generating a unique host ID to establish its presence within the adversary’s infrastructure.


Another indication of the malicious behavior within the processes is observed beneath the ANY.RUN virtual machine, where the network communication threads are highlighted in orange and red.

This visualization reveals how legitimate traffic seamlessly blends with malicious requests, all generated by the same script. The combination of these traffic streams underscores the stealthy nature of the malware, as it masks its malicious activities within normal system behavior.

Malicious requests are mixed with legitimate traffic, all directed by the same script

Within ANY.RUN’s sandbox, we can also observe the TTPs employed by InvisibleFerret. Simply click on the ATT&CK button located in the upper-right corner of the screen, and you’ll be presented with all the tactics, techniques, and procedures relevant to that specific sandbox session:

Main TTPs used by InvisibleFerret

Understanding these tactics and techniques allows researchers and businesses to standardize threat behaviors, making it easier to identify patterns and collaborate effectively.

For instance, whether malware uses ip-api or another service to geolocate victims, it falls under the same technique (T1016, “System Network Configuration Discovery”). Grouping these actions under a shared framework reduces confusion and provides businesses with clearer insights to strengthen their defenses.
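The reconnaissance step described above (a script querying ip-api.com alongside legitimate traffic) is something defenders can hunt for in proxy or EDR telemetry. The following detection helper is an added example, not ANY.RUN’s code or the malware’s: it groups outbound connections by process, flags geolocation-service lookups made by script interpreters, and tags them with T1016. The log line format, the sample lines and the extra service domains beyond ip-api.com are constructed assumptions for this illustration.

```python
# Added example: flag geolocation lookups by script interpreters and map them
# to ATT&CK T1016 (System Network Configuration Discovery).
# The log format below is assumed; adapt parse_line() to your proxy/EDR schema.
import re
from collections import defaultdict

# ip-api.com is the service InvisibleFerret queries; the other two are assumed
# additions so the rule covers equivalent services (same technique, T1016).
GEO_SERVICES = {"ip-api.com", "ipinfo.io", "ifconfig.me"}
# Interpreters that rarely have a legitimate reason to geolocate the host.
SCRIPT_HOSTS = {"python.exe", "python", "node.exe", "node"}

LOG_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+)")

def parse_line(line):
    """Return a dict with ts/pid/proc/dst, or None for lines that don't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_t1016(lines):
    """One finding per interpreter process that contacted a geolocation service.
    Each finding also lists the process's other destinations, because the
    malicious lookup typically sits next to legitimate traffic from the same script."""
    by_proc = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_proc[(rec["pid"], rec["proc"])].append(rec["dst"])
    findings = []
    for (pid, proc), dsts in by_proc.items():
        geo = sorted({d for d in dsts if d in GEO_SERVICES})
        if geo and proc.lower() in SCRIPT_HOSTS:
            findings.append({
                "pid": pid, "process": proc, "technique": "T1016",
                "geo_services": geo,
                "other_hosts": sorted({d for d in dsts if d not in GEO_SERVICES}),
            })
    return findings

# Constructed sample telemetry (not from a real session).
SAMPLE_LOG = [
    "2024-11-05T10:00:01Z pid=4120 proc=python.exe dst=pypi.org:443",
    "2024-11-05T10:00:02Z pid=4120 proc=python.exe dst=ip-api.com:80",
    "2024-11-05T10:00:03Z pid=4120 proc=python.exe dst=registry.npmjs.org:443",
    "2024-11-05T10:00:04Z pid=888 proc=chrome.exe dst=ip-api.com:80",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for finding in find_t1016(SAMPLE_LOG):
        print(finding)
```

The browser's own ip-api.com request is deliberately not flagged; the rule keys on the interpreter, not the destination alone, to keep the false-positive rate low.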

T1016 detected by ANY.RUN

Don’t Let Threats Like InvisibleFerret Catch Your Business Off Guard

Malware like InvisibleFerret disrupts businesses, damages trust, and puts your valuable assets at risk.

Understanding these threats gives you the upper hand, helping you spot vulnerabilities, stop attacks before they spread, and keep your business running smoothly.

Stay protected and prepared!

Sign up for a free ANY.RUN account today and see how proactive threat analysis can make all the difference.
