InvisibleFerret

chai-as-init 패키지는 인기 패키지인 chai 및 chai-as-promised 패키지명을 모방한 타이포스쿼팅 (Typosquatting)기법을 사용

The adc module is the only persistence mechanism found in this compromise chain, setting up AnyDesk access to the victim’s computer

유명 테스트 프레임워크인 Chai.js의 플러그인으로 위장한 악성 npm 패키지(chai-as-init)가 v1.4.5 ~ v1.4.7까지 총 3개 버전으로 배포

Tehdit aktörü önceden sömürmüş olduğu JSON Storage servislerini iş görüşmesi adı altında kişiye iletiyor... Hedef kitle : Yazılımcılar, Yazılım Geliştiriciler, İş aramak için görüşmeler yapan DevOps, DevSecops ekipleri.

After 2–3 friendly exchanges, the recruiter sends "please review the codebase before our technical interview." Calendly link, often on a fresh subdomain.

DeceptiveDevelopment targets freelance software developers through spearphishing on job-hunting and freelancing sites... The most commonly observed compromise vector consists of the fake recruiter providing the victim with a trojanized project under the guise of a hiring challenge

InvisibleFerret samples analyzed were Python scripts... Like InvisibleFerret, OtterCookie is a post-compromise malware family used as a backdoor, which establishes C2 connectivity via Socket[.]IO, receives and executes shell commands from C2 servers.

ssh_obj Executes shell commands · Executes the given argument[s] using the system shell via Python’s subprocess module

İkinci aşama ise Python ile derlenmiş InsivibleFerret adındaki Backdoor.

The C2 response body is compiled with new (Function.constructor)("require", responseData) and executed as executor(require) — arbitrary attacker-supplied JavaScript runs with full require capability.

İletilen dosyalar meşru görünüyor çünkü baktığınızda gerçek bir JSON dosyasında olması gerekenler var... Dosyalar içerisinde base64 ile encode edilmiş malware tarzında bir payload var.

The adc module is the only persistence mechanism found in this compromise chain, setting up AnyDesk access to the victim’s computer

All modules contain an XOR-encrypted and base64-encoded payload, preceded by four bytes representing the XOR key, followed by code to decrypt and execute it via exec

In the JavaScript version, the IP address and port are obfuscated using base64 encoding, split into three parts, and swapped around... Other strings are also encoded with base64

if it is, it enables a keylogger implemented using pyWinHook... In December 2024 we discovered yet another version of InvisibleFerret, containing an additional module named mlip

If they are found, any .ldb and .log files from the extensions’ directories are collected and exfiltrated. Apart from these files, the malware also targets a file containing the Solana keys stored in the user’s home directory in .config/solana/id.json

BeaverTail then looks for saved login information in /Library/Keychains/login.keychain (for macOS) or /.local/share/keyrings/ (for Linux).

The bow module is responsible for stealing login data, autofill data, and payment information saved by web browsers.

The InvisibleFerret keylogger collects the name of the currently active window.

collects the following: ... local IP address, and public IP address

The first part contains a hardcoded C&C URL... and collects the following: the user’s UUID, OS type, PC name, username, system version

The InvisibleFerret backdoor can browse the filesystem and exfiltrate files.

The collected data along with the computer hostname and current timestamp is uploaded to the /uploads API endpoint on the C&C server.

Credentials and other data stored by browsers are exfiltrated by InvisibleFerret.

public IP address and geolocation information (region name, country, city, ZIP code, ISP, latitude and longitude) parsed from http://ip-api.com/json

AnyDesk is used by InvisibleFerret to achieve persistence and allow remote attacker access.

Both BeaverTail and InvisibleFerret exfiltrate data from the local system.

On other systems, uploads the entirety of the user’s home directory and the /Volumes directory containing all mounted drives.

if it is, it enables a keylogger implemented using pyWinHook... In December 2024 we discovered yet another version of InvisibleFerret, containing an additional module named mlip

It searches through the browser’s local storage folders ... and copies the databases containing login and payment information to the %Temp% folder on Windows or the /tmp folder on other systems

it enables a keylogger implemented using pyWinHook and a clipboard stealer using pyperclip

The only functionality not executed by the operator is the initial fingerprinting, which is done automatically.

Data exfiltrated using InvisibleFerret can be archived using the py7zr and pyzipper Python packages.

safe Json Storage servisleri olarak görülen “JsonSilo, JsonKeeper, Npoint” gibi alanları kullanarak meşru bir trafik gibi görünerek saldırıyı devam ettirdikleri... Aslında burada HTTP trafiği izlenerek olay çözümlenmekte

ssh_upload Exfiltrates files or directories, using FTP

The second part acts as a TCP backdoor, and a TCP reverse shell, accepting remote commands from the C&C server and communicating via a socket connection.

İkinci aşama ise Python ile derlenmiş InsivibleFerret adındaki Backdoor. Bu Backdoor aynı zamanda başka bir malware’i sisteme çekiyor.

InvisibleFerret is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities.

Most C&C communication we observed was done over ports 1224 or 1244 ... and 1245 ... for backdoor C&C communication over TCP sockets.

Only uploads files smaller than 20,971,520 bytes (20 MB)... similar to sdir, but exfiltrates only files smaller than 104,857,600 bytes (100 MB)

The collected information ... is then sent to the C&C server via an HTTP POST request to the /keys API endpoint.

The data is then archived and uploaded to a Telegram chat using the Telegram API with a bot token, as well as to an FTP server.

They primarily steal cryptocurrency for financial gain... aiming to steal cryptocurrency wallets and login information from browsers and password managers.