{"id":11077,"date":"2025-01-21T10:29:25","date_gmt":"2025-01-21T10:29:25","guid":{"rendered":"\/cybersecurity-blog\/?p=11077"},"modified":"2025-01-22T06:55:50","modified_gmt":"2025-01-22T06:55:50","slug":"invisibleferret-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/invisibleferret-malware-analysis\/","title":{"rendered":"InvisibleFerret Malware: Technical Analysis"},"content":{"rendered":"\n

Editor’s note<\/strong>: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X<\/a>.<\/em><\/p>\n\n\n\n

Recently, during October and November, we observed a rise in North Korean activity employing a well-known and distinctive technique: staging job interview processes to spread multiple malware families.<\/u><\/a><\/p>\n\n\n\n

This signature technique was previously used to distribute QRLog<\/u><\/a> and Docks \/RustDoor<\/u><\/a>, and is now delivering BeaverTail<\/u><\/a> and InvisibleFerret<\/u><\/a>. In this first article, we will conduct a technical dissection of the latter.<\/p>\n\n\n

\n
\"\"
InvisibleFerret actively seeks source code, wallets, and sensitive files<\/em><\/figcaption><\/figure><\/div>\n\n\n

The Beaver<\/strong><\/h2>\n\n\n\n

These malicious components do not simply appear randomly among the files of questionable pirated software, lying in wait for their victim. Instead, they are part of an organized<\/em> effort targeting the technological, financial, and cryptocurrency sectors, with developers as the primary focus. By staging fake job interviews, threat actors aim to spread malware<\/u><\/a> disguised either as coding challenges (or their dependencies) or video call software, in a campaign now known as Contagious Interview<\/strong> or DevPopper<\/strong>.<\/p>\n\n\n\n

One of the implants distributed is BeaverTail<\/strong>, a stealer and loader written in obfuscated JavaScript<\/strong> and delivered as an NPM module<\/u><\/a>. While not the focus of this article, BeaverTail downloads a customized portable Python<\/strong> environment (\u201cp.zip<\/u><\/a>\u201d) and later deploys InvisibleFerret<\/strong> as its next stage, which is the main subject of this research.<\/p>\n\n\n

\n
\"\"
BeaverTail targets major browsers such as Opera, Brave, and Chrome, seeking user and add-on data<\/em><\/figcaption><\/figure><\/div>\n\n\n

The Ferrets<\/strong><\/h2>\n\n\n\n

InvisibleFerret<\/strong> is a Python<\/strong>-based malware that, at first glance, shows a disorganized structure and unnecessary escaping sequences, giving a glimpse of what lies ahead if we dare to explore the code further. A quick look reveals a compact initialization of hardcoded constants used to install dependencies via pip<\/u><\/a>, which are later reused multiple times throughout its execution.<\/p>\n\n\n

\n
\"\"
InvisibleFerret\u2019s code is messy, with over 100 functions adding to its complexity<\/em><\/figcaption><\/figure><\/div>\n\n\n

As expected from malware of its kind, InvisibleFerret<\/strong> does not generate an output trail or a logfile of its actions. Its silent nature, combined with a somewhat difficult-to-read codebase, led me to add verbosity to its functions and expand some of its compressed syntax and overly compact one-liners for better readability, creating PrettyVisibleFerret<\/u><\/a>. This version is more talkative and easier to read for everyone, but still executes malicious instructions and should be handled with care.<\/p>\n\n\n\n

View sandbox analysis of InvisibleFerret<\/a><\/p>\n\n\n

\n
\"\"
PrettyVisibleFerret running on ANY.RUN showing exfiltrated information in real-time<\/em><\/figcaption><\/figure><\/div>\n\n\n

After submitting the malware <\/a>for analysis to ANY.RUN’s Interactive Sandbox<\/a>, the first thing this mischievous ferret attempts is to gather basic information about the victim, such as geolocation \u2014 by querying legitimate services like ip-api.com<\/u><\/a> (commonly used by other malware and even drainers like \u201cETH Polygon BNB<\/u><\/a>\u201d) \u2014 as well as system details like OS release, version, hostname, and username, before finally generating a unique ID.<\/p>\n\n\n\n\n

\n\n

\nTry secure malware and phishing analysis
with ANY.RUN’s Interactive Sandbox<\/span>  \n<\/p>\n\n\nGet 14-day free trial\n<\/a>\n<\/div>\n\n\n\n