InvisibleFerret Malware Leveraging Python for Targeted Attacks

Threat Group: North Korean Threat Actors (e.g., Lazarus Group)
Threat Type: Backdoor Malware
Exploited Vulnerabilities: None (Relies on social engineering and malicious delivery)
Malware Used: InvisibleFerret (Python-based backdoor), BeaverTail (JavaScript-based stealer and loader)
Threat Score: High (8.8/10) – High impact due to complex multi-stage infection and data exfiltration capabilities.
Last Threat Observation: January 22 2025

Overview

InvisibleFerret is a Python-based backdoor malware deployed in targeted campaigns by North Korean threat actors, most notably the Lazarus Group. It exploits social engineering techniques, masquerading as job recruitment processes to infiltrate systems. Campaigns such as “Contagious Interview” and “DevPopper” are characterized by sophisticated tactics where attackers impersonate recruiters to persuade victims to download malware disguised as legitimate coding challenges, meeting software, or dependency packages. The primary goal is to compromise professionals in the tech, financial, and cryptocurrency industries, exfiltrating intellectual property, credentials, and financial assets.

Once installed, InvisibleFerret’s capabilities include geolocation tracking, file exfiltration via FTP and Telegram Bots, keylogging, and clipboard monitoring. Delivered as a second-stage payload by BeaverTail, a JavaScript-based loader and stealer, InvisibleFerret communicates with Command-and-Control (C2) servers using obfuscated traffic to evade detection. Its adaptive functionality, broad target scope, and cross-platform design render it a significant cybersecurity threat. Reports from ANY.RUN’s analysis confirm its use of poorly encrypted Base64 strings to hide sensitive data and its reliance on legitimate services such as ip-api.com for initial reconnaissance. These traits, combined with its reliance on known Python libraries for malicious purposes, illustrate the malware’s technical depth and operational complexity.

Key Details

Delivery Method:
InvisibleFerret is delivered as a payload by BeaverTail, which is disguised as legitimate software such as coding challenges, dependencies, or meeting tools.

Target:

• Professionals in the tech, financial, and cryptocurrency industries.
• Specifically targets source code repositories, wallet files, and sensitive browser data.

Functions:

• System reconnaissance (e.g., geolocation, system details).
• Exfiltration of files using FTP and Telegram Bots.
• Browser data theft, including credentials, cookies, and crypto wallet extensions.
• Keylogging and clipboard monitoring.
• Persistent access via remote desktop tools like AnyDesk.

Obfuscation:

• Base64 encoding for C2 addresses.
• Compressed and poorly structured code for evasion.

Attack Vectors

1. Initial Infection:
   • Victims are lured into downloading BeaverTail via fake job recruitment platforms.
   • Delivered as an NPM module or other dependency packages.
2. Payload Delivery:
   • BeaverTail downloads a Python runtime package (p.zip) containing InvisibleFerret.
3. C2 Communication:
   • Establishes communication with command-and-control (C2) servers using unusual ports (e.g., 1244, 1245).
   • Uses python-requests default User-Agent, making traffic analysis easier.
4. Data Exfiltration:
   • Employs FTP and Telegram Bots to exfiltrate files and sensitive data.
   • Targets browser extensions related to crypto wallets and multi-factor authentication apps.

Known Indicators of Compromise (IoCs)

File Hashes (SHA256)

• 47830f7007b4317dc8ce1b16f3ae79f9f7e964db456c34e00473fba94bb713eb
• 6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0

IP Addresses

• 147[.]124[.]214[.]129
• 173[.]211[.]106[.]101

URLs

• hxxp://147[.]124[.]214[.]129:1244
• hxxp://147[.]124[.]214[.]129:1244/keys
• hxxp://147[.]124[.]214[.]129:1244/pdown
• hxxp://173[.]211[.]106[.]101:1245
• hxxp://173[.]211[.]106[.]101:1245/brow
• hxxp://173[.]211[.]106[.]101:1245/bow
• hxxp://173[.]211[.]106[.]101:1245/adc

Mitigation and Prevention

1. User Awareness:
   • Educate users about phishing techniques and fake recruitment schemes.
   • Encourage skepticism towards unexpected or unsolicited software downloads.
2. Endpoint Security:
   • Use reputable antivirus software with behavioral detection capabilities.
   • Blocklisted known IoCs and monitor unusual port activity.
3. Secure Browsers and Extensions:
   • Regularly update browsers and remove unused or suspicious extensions.
   • Enforce strong encryption and secure passwords for browser profiles.
4. Restrict Software Execution:
   • Limit software installation rights to verified administrators.
   • Implement application whitelisting.
5. Network Security:
   • Monitor and block unusual traffic patterns, especially towards uncommon ports.
   • Leverage sandboxing for suspicious file execution.

Risk Assessment

InvisibleFerret’s capabilities to target high-value assets such as source codes, sensitive files, and cryptocurrency wallets, coupled with its persistence mechanisms, make it a significant threat. The campaign’s reliance on social engineering increases its chances of success.

Conclusion

InvisibleFerret is a prime example of sophisticated social engineering combined with malicious payload deployment. Organizations should prioritize awareness, enforce strict access controls, and monitor network and endpoint activities to mitigate its impact. Given its potential for widespread damage, InvisibleFerret warrants immediate attention and vigilance from cybersecurity teams.

Sources

1. ANY.RUN Blog: "InvisibleFerret Malware: Technical Analysis"
2. PC Risk: "How to eliminate InvisibleFerret from infected systems"
3. Ground News: "InvisibleFerret Malware: Technical Analysis"