InvisibleFerret (Backdoor) – Malware

Overview

InvisibleFerret is a sophisticated Python-based backdoor developed by the Lazarus Group, a notorious Advanced Persistent Threat (APT) actor. Known for its financial and espionage-driven cyber campaigns, Lazarus has employed InvisibleFerret as a key tool in their ongoing attacks targeting cryptocurrency professionals, software developers, and gaming industry stakeholders. Delivered through the BeaverTail malware framework, InvisibleFerret exemplifies the group’s technical prowess and adaptability in creating cross-platform threats that can operate on Windows, macOS, and Linux systems. InvisibleFerret’s modular architecture and extensive feature set make it a formidable tool for attackers. The malware consists of three main components: an initial script (.npl) and two auxiliary modules called bow and pay. These components collectively enable capabilities such as remote system control, keylogging, browser credential theft, and the deployment of additional tools like AnyDesk for remote access. The backdoor communicates with multiple command-and-control (C2) servers, providing attackers with a resilient infrastructure to manage their operations and exfiltrate sensitive data from compromised systems.

Targets

Finance and Insurance

How they operate

Modular Architecture and Components

InvisibleFerret comprises three primary components: the initial script (.npl) and two auxiliary modules referred to as bow and pay. The .npl script acts as the loader, responsible for establishing initial communication with the command-and-control (C2) server and fetching the secondary modules. The bow module focuses on browser credential theft, targeting popular web browsers like Chrome, Brave, and Edge. It collects stored passwords, session cookies, and autofill data, which are then compressed and sent to the attackers. Meanwhile, the pay module offers an array of features, including keylogging, remote command execution, and system reconnaissance. The malware’s communication with its C2 servers is robust and multi-channeled. InvisibleFerret uses two distinct IP addresses, connecting via ports 1244 and 1245 for redundancy. The attackers have also integrated Telegram as an additional exfiltration channel, complementing the traditional File Transfer Protocol (FTP) method. This approach ensures that data exfiltration remains active even if one channel is disrupted, showcasing the malware’s resilience in contested environments.

Obfuscation and Encryption Techniques

InvisibleFerret employs a sophisticated Matryoshka-style obfuscation technique to conceal its payloads. This involves multiple layers of compression, Base64 encoding, and string reversal, making static analysis challenging for security researchers. Each layer must be decrypted in sequence, adding significant complexity to reverse engineering efforts. In addition, recent iterations of the pay module include XOR encryption for files uploaded via FTP, using a static key (G01d*8@() to further obfuscate data in transit. These obfuscation methods are complemented by a modular and adaptive design. Updates to the malware’s codebase are frequent, with new features and refinements being introduced in response to countermeasures by defenders. For instance, the latest versions of InvisibleFerret include a command (ssh_zcp) that specifically targets browser extensions and critical application directories such as %LocalAppData%\1Password and %AppData%\WinAuth, reflecting the attackers’ focus on harvesting high-value data.

Commands and Capabilities

InvisibleFerret’s pay module supports a wide range of commands, enabling the attackers to execute various malicious operations remotely. Key commands include ssh_obj for remote command execution, ssh_clip for collecting clipboard data, and ssh_any for downloading and configuring AnyDesk to facilitate remote access. The malware also features the ssh_env command, which collects files from specific directories—such as Documents and Downloads on Windows—and uploads them to the attackers’ servers. One of the most concerning capabilities is its ability to kill processes for specific browsers, such as Chrome and Brave, using the ssh_kill command. This allows the attackers to disrupt user activity and potentially bypass security mechanisms. Additionally, the ssh_run command enables the download and execution of the bow module, allowing attackers to dynamically expand the malware’s functionality based on operational needs.

Indicators of Compromise and Mitigation

InvisibleFerret leaves several identifiable traces on infected systems, including the creation of directories like [homepath]/.n2 and the presence of encrypted files uploaded via FTP. Network traffic to ports 1244 and 1245, as well as outbound connections to Telegram servers, can also serve as indicators of compromise (IOCs). Organizations can mitigate the risk posed by InvisibleFerret by implementing endpoint detection and response (EDR) solutions, regularly updating software to address known vulnerabilities, and employing strict controls on application downloads and execution.

Conclusion

InvisibleFerret is a testament to the Lazarus Group’s technical sophistication and adaptability in crafting advanced malware. Its modular architecture, advanced obfuscation techniques, and extensive command set make it a formidable threat to organizations and individuals alike. By understanding the technical details of how InvisibleFerret operates, security professionals can better prepare to detect and defend against this evolving threat. As Lazarus continues to refine its tools, vigilance and proactive security measures remain essential in countering their campaigns.  

References

• BeaverTail
• APT Lazarus: Eager Crypto Beavers, Video calls and Games