InvisibleFerret (Backdoor) – Malware

February 25, 2025
InvisibleFerret

Type of Malware

Infostealer
Backdoor

Country of Origin

North Korea

Date of Initial Activity

2022

Associated Groups

Lazarus Group

Motivation

Data Theft
Cyberwarfare
Financial Gain

Attack Vectors

Phishing

Targeted Systems

Windows
Linux
macOS

Type of Information Stolen

Login Credentials
System Information
Cryptocurrencies

Overview

InvisibleFerret is a sophisticated Python-based backdoor developed by the Lazarus Group, a notorious Advanced Persistent Threat (APT) actor. Known for its financial and espionage-driven cyber campaigns, Lazarus has employed InvisibleFerret as a key tool in their ongoing attacks targeting cryptocurrency professionals, software developers, and gaming industry stakeholders. Delivered through the BeaverTail malware framework, InvisibleFerret exemplifies the group’s technical prowess and adaptability in creating cross-platform threats that can operate on Windows, macOS, and Linux systems. InvisibleFerret’s modular architecture and extensive feature set make it a formidable tool for attackers. The malware consists of three main components: an initial script (.npl) and two auxiliary modules called bow and pay. These components collectively enable capabilities such as remote system control, keylogging, browser credential theft, and the deployment of additional tools like AnyDesk for remote access. The backdoor communicates with multiple command-and-control (C2) servers, providing attackers with a resilient infrastructure to manage their operations and exfiltrate sensitive data from compromised systems.

Targets

Finance and Insurance

How they operate

Modular Architecture and Components
InvisibleFerret comprises three primary components: the initial script (.npl) and two auxiliary modules referred to as bow and pay. The .npl script acts as the loader, responsible for establishing initial communication with the command-and-control (C2) server and fetching the secondary modules. The bow module focuses on browser credential theft, targeting popular web browsers like Chrome, Brave, and Edge. It collects stored passwords, session cookies, and autofill data, which are then compressed and sent to the attackers. Meanwhile, the pay module offers an array of features, including keylogging, remote command execution, and system reconnaissance. The malware’s communication with its C2 servers is robust and multi-channeled. InvisibleFerret uses two distinct IP addresses, connecting via ports 1244 and 1245 for redundancy. The attackers have also integrated Telegram as an additional exfiltration channel, complementing the traditional File Transfer Protocol (FTP) method. This approach ensures that data exfiltration remains active even if one channel is disrupted, showcasing the malware’s resilience in contested environments.
Obfuscation and Encryption Techniques
InvisibleFerret employs a sophisticated Matryoshka-style obfuscation technique to conceal its payloads. This involves multiple layers of compression, Base64 encoding, and string reversal, making static analysis challenging for security researchers. Each layer must be decoded in sequence, adding significant complexity to reverse engineering efforts. In addition, recent iterations of the pay module include XOR encryption for files uploaded via FTP, using a static key (G01d*8@() to further obfuscate data in transit. These obfuscation methods are complemented by a modular and adaptive design. Updates to the malware’s codebase are frequent, with new features and refinements being introduced in response to countermeasures by defenders. For instance, the latest versions of InvisibleFerret include a command (ssh_zcp) that specifically targets browser extensions and critical application directories such as %LocalAppData%\1Password and %AppData%\WinAuth, reflecting the attackers’ focus on harvesting high-value data.
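An analyst-side decoder, added here as an example (it is not code from the page or from the malware itself): it peels the nested compression, Base64 and string-reversal layers described above by probing each candidate decoding in turn, and includes a repeating-key XOR routine for examining the FTP uploads. It assumes zlib for the compression layer and a plain repeating-key XOR; the key and the nested fixture used below are constructed placeholders, not values from a real sample.

```python
import base64
import re
import zlib
B64_RE = re.compile(rb"[A-Za-z0-9+/]*={0,2}")

def looks_like_zlib(b: bytes) -> bool:
    # zlib header: CMF byte 0x78 and the 16-bit header value is a multiple of 31
    return len(b) >= 2 and b[0] == 0x78 and ((b[0] << 8) | b[1]) % 31 == 0

def looks_like_b64(b: bytes) -> bool:
    return len(b) >= 4 and len(b) % 4 == 0 and B64_RE.fullmatch(b) is not None

def looks_like_text(b: bytes) -> bool:
    try:
        return all(c.isprintable() or c.isspace() for c in b.decode("utf-8"))
    except UnicodeDecodeError:
        return False

def peel(blob: bytes, max_layers: int = 32) -> tuple:
    """Strip zlib / Base64 / reversed-Base64 layers; a decoded layer is accepted only
    if it looks like another layer or like script text. Returns (payload, layer names)."""
    layers = []
    for _ in range(max_layers):
        candidates = []
        if looks_like_zlib(blob):
            candidates.append(("zlib", zlib.decompress))
        if looks_like_b64(blob):
            candidates.append(("base64", lambda b: base64.b64decode(b, validate=True)))
        if looks_like_b64(blob[::-1]):  # string-reversal layer wrapped around Base64
            candidates.append(("reverse+base64", lambda b: base64.b64decode(b[::-1], validate=True)))
        for name, fn in candidates:
            try:
                out = fn(blob)
            except (zlib.error, ValueError):  # binascii.Error is a ValueError
                continue
            if out and (looks_like_zlib(out) or looks_like_b64(out) or looks_like_text(out)):
                layers.append(name)
                blob = out
                break
        else:
            break  # nothing decoded to a plausible inner layer: this is the payload
    return blob, layers

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme for the FTP uploads); applying it twice restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def sample_blob(payload: bytes) -> bytes:
    # constructed fixture, not a real sample: payload -> zlib -> Base64 -> reverse -> Base64
    return base64.b64encode(base64.b64encode(zlib.compress(payload))[::-1])
```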
Commands and Capabilities
InvisibleFerret’s pay module supports a wide range of commands, enabling the attackers to execute various malicious operations remotely. Key commands include ssh_obj for remote command execution, ssh_clip for collecting clipboard data, and ssh_any for downloading and configuring AnyDesk to facilitate remote access. The malware also features the ssh_env command, which collects files from specific directories—such as Documents and Downloads on Windows—and uploads them to the attackers’ servers. One of the most concerning capabilities is its ability to kill processes for specific browsers, such as Chrome and Brave, using the ssh_kill command. This allows the attackers to disrupt user activity and potentially bypass security mechanisms. Additionally, the ssh_run command enables the download and execution of the bow module, allowing attackers to dynamically expand the malware’s functionality based on operational needs.
Indicators of Compromise and Mitigation
InvisibleFerret leaves several identifiable traces on infected systems, including the creation of directories like [homepath]/.n2 and the presence of encrypted files uploaded via FTP. Network traffic to ports 1244 and 1245, as well as outbound connections to Telegram servers, can also serve as indicators of compromise (IOCs). Organizations can mitigate the risk posed by InvisibleFerret by implementing endpoint detection and response (EDR) solutions, regularly updating software to address known vulnerabilities, and employing strict controls on application downloads and execution.
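Sample detection logic for the indicators listed above, added here as an example rather than the page's own content. It runs over constructed JSON-lines telemetry; the event schema, the Python-process check and matching any Telegram hostname are assumptions, and the credential-store rule uses the 1Password and WinAuth directories named in the previous section.

```python
import json
import re

C2_PORTS = {1244, 1245}                              # ports named in the write-up
N2_DIR_RE = re.compile(r"[\\/]\.n2(?:[\\/]|$)")      # <home>/.n2 staging directory
CRED_STORE_RE = re.compile(r"[\\/](1Password|WinAuth)[\\/]", re.I)  # ssh_zcp targets
TELEGRAM_RE = re.compile(r"telegram", re.I)          # assumption: any Telegram host

# Constructed JSON-lines telemetry (net = outbound connection, file = filesystem op); not real logs.
SAMPLE_EVENTS = r"""
{"ts":"2025-02-25T10:00:01Z","type":"net","proc":"python.exe","dst":"203.0.113.10","port":1244,"host":""}
{"ts":"2025-02-25T10:00:02Z","type":"net","proc":"chrome.exe","dst":"198.51.100.7","port":443,"host":"example.com"}
{"ts":"2025-02-25T10:00:03Z","type":"file","proc":"python.exe","op":"mkdir","path":"C:\\Users\\dev\\.n2"}
{"ts":"2025-02-25T10:00:04Z","type":"net","proc":"python3","dst":"203.0.113.11","port":1245,"host":""}
{"ts":"2025-02-25T10:00:05Z","type":"net","proc":"python3","dst":"192.0.2.5","port":443,"host":"api.telegram.org"}
{"ts":"2025-02-25T10:00:06Z","type":"file","proc":"python.exe","op":"read","path":"C:\\Users\\dev\\AppData\\Roaming\\WinAuth\\winauth.xml"}
{"ts":"2025-02-25T10:00:07Z","type":"file","proc":"explorer.exe","op":"mkdir","path":"C:\\Users\\dev\\.n2x"}
{"ts":"2025-02-25T10:00:08Z","type":"file","proc":"1Password.exe","op":"read","path":"C:\\Users\\dev\\AppData\\Local\\1Password\\data.sqlite"}
"""

def classify(ev: dict) -> "str | None":
    """Return the matching rule name for one event, or None."""
    is_python = ev["proc"].lower().startswith("python")
    if ev["type"] == "net":
        if ev["port"] in C2_PORTS:
            return "c2_port_1244_1245"
        if is_python and TELEGRAM_RE.search(ev.get("host", "")):
            return "python_to_telegram"
    elif ev["type"] == "file":
        if N2_DIR_RE.search(ev["path"]):
            return "n2_staging_dir"
        if is_python and ev.get("op") == "read" and CRED_STORE_RE.search(ev["path"]):
            return "python_reads_credential_store"
    return None

def detect(events_jsonl: str) -> list:
    """Scan JSON-lines telemetry and return one finding per matching event."""
    findings = []
    for raw in events_jsonl.strip().splitlines():
        ev = json.loads(raw)
        rule = classify(ev)
        if rule:
            findings.append({"ts": ev["ts"], "rule": rule, "proc": ev["proc"]})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Connections on 1244/1245 are flagged regardless of process, while the Telegram and credential-store rules are scoped to Python processes to keep noise from legitimate clients down.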
Conclusion
InvisibleFerret is a testament to the Lazarus Group’s technical sophistication and adaptability in crafting advanced malware. Its modular architecture, advanced obfuscation techniques, and extensive command set make it a formidable threat to organizations and individuals alike. By understanding the technical details of how InvisibleFerret operates, security professionals can better prepare to detect and defend against this evolving threat. As Lazarus continues to refine its tools, vigilance and proactive security measures remain essential in countering their campaigns.