Malware

Beavertail

YARA Detection Rules

Beavertail_YARA_Detection
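rule Beavertail_Detection {
    // Purpose: flag the JavaScript stage of Beavertail as shipped inside the
    // malicious npm packages named in `ioc_packages`. Every string group is
    // AND-ed in the condition, so a hit needs, in one file: a package/account
    // indicator, a network indicator, an execution primitive, a credential
    // file reference, an exfiltration/beacon routine and a sandbox check.
    //
    // NOTE(review): the original condition OR-ed bare ELF/MZ magic checks at
    // the top level, so every ELF and PE file matched regardless of the string
    // logic; those clauses are removed. `$env_collect` was declared but never
    // referenced, which YARA rejects at compile time; it is now part of the
    // credential group. A second rule on this page reuses the name
    // Beavertail_Detection; rename one before compiling both into one ruleset.
    meta:
        description = "Detects presence of Beavertail malware used in npm supply chain attacks by Lazarus-linked actors"
        author = "AI Generated"
        threat_actor = "Lazarus"
        malware_family = "Beavertail"
        ttps = "T1195.002, T1555, T1059.007, T1071.001, T1027, T1082, T1005, T1566, T1071, T1114, T1056.002, T1056.001"
        ioc_domains = "jsonkeeper.com"
        ioc_ips = "216.126.236.244, 142.93.211.30"
        ioc_packages = "rollup-packages-polyfill-core, rollup-runtime-polyfill-core, quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, swift-parse-stream, express-session-js, security-alerts-sdk, events-runtime, o3forms"
        ioc_github = "marketfront"
        ioc_registry_user = "marketfront"

    strings:
        // Package names published under the attacker-controlled registry account.
        $pkg1 = "rollup-packages-polyfill-core" ascii wide
        $pkg2 = "rollup-runtime-polyfill-core" ascii wide
        $pkg3 = "quirky-token" ascii wide
        $pkg4 = "react-icon-svgs" ascii wide
        $pkg5 = "rollup-plugin-polyfill-connect" ascii wide
        $pkg6 = "swift-parse-stream" ascii wide
        $pkg7 = "express-session-js" ascii wide
        $pkg8 = "security-alerts-sdk" ascii wide
        $pkg9 = "events-runtime" ascii wide
        $pkg10 = "o3forms" ascii wide

        // Attacker accounts and staging domain.
        $repo_url = "github.com/marketfront" ascii wide nocase
        $registry_user = "npmjs.com/~marketfront" ascii wide
        $malicious_domain = "jsonkeeper.com" ascii wide nocase

        // Exfiltration endpoints (IPs from the IoC list).
        $exfil_ip1 = "216.126.236.244" ascii wide
        $exfil_ip2 = "142.93.211.30" ascii wide

        // Execution primitives and data-collection targets. "package-lock.json"
        // and ".npmrc" exist in most npm projects, so they only carry weight
        // because the whole group is AND-ed with the campaign indicators above.
        $cmd_exec = "child_process.exec" ascii wide
        $cmd_spawn = "child_process.spawn" ascii wide
        $env_collect = "$env" ascii wide
        $credential_files = "package-lock.json" ascii wide
        $credential_files2 = ".npmrc" ascii wide
        $credential_files3 = ".git-credentials" ascii wide
        $credential_files4 = "id_rsa" ascii wide
        $exfiltrate_func = "uploadData" ascii wide
        $beacon_func = "sendHeartbeat" ascii wide
        $interactive_shell = "createInteractiveShell" ascii wide

        // Environment probes used to avoid CI / container / sandbox execution.
        $anti_sandbox1 = "process.env.CI" ascii wide
        $anti_sandbox2 = "require('vm')" ascii wide
        $anti_sandbox3 = "isDocker" ascii wide

    condition:
        // All groups must be present; no file-type magic shortcut.
        (any of ($pkg*) or $registry_user or $repo_url) and
        ($malicious_domain or any of ($exfil_ip*)) and
        ($cmd_exec or $cmd_spawn or $interactive_shell) and
        (any of ($credential_files*) or $env_collect) and
        ($exfiltrate_func or $beacon_func) and
        any of ($anti_sandbox*)
}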
Beavertail_YARA_Detection
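rule Beavertail_Detection {
    // Purpose: flag the Beavertail payload tied to the PolinRider campaign,
    // either as an ELF carrier embedding the `npm:rollup-polyfill` alias or as
    // a small JS/HTML-like text file carrying the campaign markers ($m*).
    //
    // NOTE(review): the original listing was missing its closing brace and
    // compared uint32(1) with 0x454C46 for the ELF check, which can never be
    // true (ELF magic read little-endian from offset 0 is 0x464C457F). The
    // text branch accepted "any of ($s*)", and $s5/$s6/$s9/$s10 ("child_process",
    // "exec", "crypto", "require") occur in almost every script, so that branch
    // now requires a campaign-specific $m* marker plus several $s* hits.
    // The first rule on this page also uses the name Beavertail_Detection;
    // rename one before compiling both into one ruleset.
    meta:
        description = "Detects Beavertail malware associated with North Korean threat actors in the PolinRider operation targeting cryptocurrency developers"
        author = "AI Generated"
        threat_actor = "Contagious Interview"
        campaign = "PolinRider"
        malware_family = "Beavertail"
        ttps = "T1059.001, T1071.003, T1003, T1482, T1490"
        ioc_package = "npm:rollup-polyfill"
        ioc_github = "OpenSourceMalware"

    strings:
        // Generic JavaScript / Node API names; individually weak, used only in
        // combination with the $m* markers below.
        $s1 = "eval" wide ascii
        $s2 = "Function" wide ascii
        $s3 = "atob" wide ascii
        $s4 = "process.binding" wide ascii
        $s5 = "child_process" wide ascii
        $s6 = "exec" wide ascii
        $s7 = "setInterval" wide ascii
        $s8 = "WebSocket" wide ascii
        $s9 = "crypto" wide ascii
        $s10 = "require" wide ascii
        $s11 = "vscode" wide ascii
        $s12 = "tasks.json" wide ascii
        $s13 = "runCommand" wide ascii
        $s14 = "git push" wide ascii
        $s15 = "origin main --force" wide ascii
        $s16 = "localStorage" wide ascii
        $s17 = "location.href" wide ascii
        $s18 = "chrome-extension" wide ascii
        $s19 = "getEnvironmentVariable" wide ascii
        $s20 = "decodeURIComponent" wide ascii
        // Campaign-specific markers: decryptor name, GitHub staging repo owner,
        // npm alias from the IoC list, and task labels.
        $m1 = "function decryptPayload" wide ascii
        $m2 = "fetch(\"https://api.github.com/repos/OpenSourceMalware" wide ascii
        $m3 = "npm:rollup-polyfill" wide ascii
        $m4 = "malicious task" wide ascii nocase
        $m5 = "auto-push" wide ascii nocase

    condition:
        // Branch 1: ELF carrier (magic 7F 45 4C 46) embedding the npm alias
        // and a require() call.
        (uint32(0) == 0x464C457F and $s10 and $m3)
        or
        // Branch 2: small text payload starting with "/*", "<!" or an "f"
        // (e.g. "function") together with eval; needs a campaign marker.
        (
            filesize < 500KB and
            any of ($m*) and 3 of ($s*) and
            (
                (uint8(0) == 0x2F and uint8(1) == 0x2A) or
                (uint8(0) == 0x3C and uint8(1) == 0x21) or
                (uint8(0) == 0x66 and $s1)
            )
        )
}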

Rules are AI-generated and unvalidated. Test in a safe environment before production use.

Source Articles