A notorious North Korean hacking group has enhanced its stealth capabilities by modifying one of its best-known cyber tools, making it more difficult for security software to identify. The malware, known as InvisibleFerret, is linked to the threat actor Void Dokkaebi, also referred to as Famous Chollima. It has been repackaged into a new format that bypasses many traditional detection methods.
New Format for Stealth
Previously delivered as plain Python scripts, InvisibleFerret now comes as compiled binary files. This shift is a strategic move by Void Dokkaebi, who typically targets software developers with access to sensitive cryptocurrency wallet credentials and signing keys. The hackers often masquerade as recruiters from cryptocurrency or AI firms to deceive developers into executing malicious code under the guise of job interviews.
Once activated, the malware initiates a multi-stage infection process aimed at extracting sensitive data and securing persistent access to the victim’s systems. Analysts from Trend Micro have found that InvisibleFerret has been obfuscated using Cython, which translates Python code into C and compiles it into native extension modules.
Implications for Detection
According to a report by Trend Micro shared with Cyber Security News, the malware is now distributed as .pyd files on Windows and .so files on macOS. This transition means that existing detection rules designed for Python-based threats may fail to recognize this newly formatted malware.
The transformation retains the malware’s full suite of capabilities, such as enabling backdoor access, stealing browser credentials, monitoring clipboard activity, logging keystrokes, and targeting cryptocurrency wallets. Additionally, the BeaverTail loader has evolved from a simple downloader into a more sophisticated threat with enhanced credential harvesting and wallet-targeting functionalities.
Security Challenges and Recommendations
This evolution presents a significant challenge to security teams, particularly those relying on script-based detection mechanisms. The move to compiled binaries represents a calculated effort to outpace defenders who have not updated their detection frameworks.
The malware’s updated structure involves several modules with specific roles. For example, the mod module establishes initial connections and downloads further payloads, while the pad module provides backdoor access and gathers system information. On macOS, the mc module installs trojanized wallet extensions and downgrades Chrome to bypass Google’s newer security measures.
To counter these threats, security professionals are encouraged to adopt binary-aware detection strategies and closely monitor unusual Python activities, especially within .vscode directories. Keeping an eye on Chrome version downgrades and trojanized wallet extensions can also be crucial in identifying potential threats.
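As an added illustration of the binary-aware check the recommendations call for (example code written for this page, not Trend Micro's or the report's), the script below walks a directory tree and flags compiled Python extension modules (.pyd on Windows, .so on macOS) sitting under .vscode directories. The `__pyx_` string it checks for is a well-known artifact of Cython-generated modules and is an assumption not stated in the report; the sample files it builds are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Compiled Python extension suffixes named in the report: .pyd (Windows), .so (macOS).
COMPILED_SUFFIXES = {".pyd", ".so"}
# Symbol prefix that Cython emits into every module it generates (assumption:
# a well-known Cython artifact, not something the report itself states).
CYTHON_MARKER = b"__pyx_"


def is_cython_binary(path: Path) -> bool:
    """Return True if the file carries the Cython symbol prefix."""
    try:
        return CYTHON_MARKER in path.read_bytes()
    except OSError:
        return False


def find_suspicious_modules(root: str) -> list[dict]:
    """Report compiled Python modules found under any .vscode directory.

    An editor settings folder is not a normal home for native modules, so every
    .pyd/.so there is a hit; the 'cython' field enriches the hit so an analyst
    can prioritise modules that match the Cython-compiled tradecraft.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".vscode" not in Path(dirpath).parts:
            continue
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in COMPILED_SUFFIXES:
                hits.append({"path": str(p), "cython": is_cython_binary(p)})
    return hits


def build_demo_tree(base: str) -> None:
    """Constructed sample tree: a planted 'mod.pyd' under .vscode (with a fake
    Cython marker), a plain settings file, and a benign .so in a venv."""
    vs = Path(base) / "project" / ".vscode"
    vs.mkdir(parents=True, exist_ok=True)
    (vs / "settings.json").write_text("{}")
    (vs / "mod.pyd").write_bytes(b"MZ" + b"\x00" * 16 + b"__pyx_cython_runtime\x00")
    lib = Path(base) / "project" / "venv" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "_speedups.so").write_bytes(b"\x7fELF" + b"\x00" * 16 + b"PyInit__speedups\x00")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for hit in find_suspicious_modules(tmp):
            print(hit)
```

Point `find_suspicious_modules` at a developer's home or project root to sweep real trees; hits with `cython` set to True deserve the first look.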
As cyber threats continue to evolve, staying informed and updating detection strategies is essential for safeguarding sensitive information.
