DPRK Hackers Masquerade as Tech Recruiters, Job Seekers

DPRK Hackers Masquerade as Tech Recruiters, Job Seekers

November 21, 2023 at 04:18PM

North Korean threat actors are engaging in deceptive tactics on the internet, posing as both job recruiters and job seekers. Palo Alto Networks’ Unit 42 has identified two ongoing campaigns, “Contagious Interview” and “Wagemole”, where the threat actors lure unsuspecting applicants into installing sophisticated malware or impersonate applicants to gain access to Western organizations. This creative social engineering technique is aimed at bypassing traditional phishing methods and presents a significant risk for companies as these actors could potentially have access to source code. Companies must remain vigilant in verifying the identities of their hires to avoid falling victim to these schemes.

The meeting notes discuss two ongoing campaigns conducted by North Korean threat actors, known as “Contagious Interview” and “Wagemole.” In the Contagious Interview campaign, the threat actors pose as employers and post fake job openings. They engage with unsuspecting applicants and, during the vetting process, trick them into installing sophisticated infostealers. On the other hand, in the Wagemole campaign, the threat actors impersonate job seekers and apply for positions at established organizations to gain access. These elaborate ruses aim to create more believable social engineering scenarios than traditional phishing emails.

The DPRK has a history of engaging in creative espionage and financial cybercrime. They have previously posed as recruiters for high-tech jobs, enticing developers into long engagements that result in malware attacks. There have been cases where such attacks have led to significant theft, such as the heist of Axie Infinity. Since then, the threat actors behind Contagious Interview have been attempting to repeat that success.

In the Contagious Interview campaign, the threat actors post vague job openings and invite applicants to online interviews. During these interviews, the actors send the applicants an npm-based package containing a JavaScript-based infostealer known as “Beavertail.” This infostealer targets system information, credit card details, and cryptocurrency wallet information stored in the victim’s browser. It also retrieves and runs a Python-based backdoor called “InvisibleFerret,” which can perform various malicious activities on the compromised computer.

It is worth noting that the main purpose of these malware attacks may not be solely monetary theft or espionage. By infecting individuals who may later work elsewhere, the threat actors can gain a foothold within a company’s supply chain. This poses a significant risk to organizations, as state-sponsored actors can access their systems through former employees who unknowingly carry the malware.

The threat actors from North Korea have also been known to pose as job applicants seeking remote work in the tech sector. They create fake personas and use false resumes, email addresses, social media profiles, and websites to secure employment. These individuals then funnel their earnings back to the Kim regime. The researchers investigating the Contagious Interview campaign discovered evidence of these schemes, including detailed accounts on GitHub and LinkedIn, scripts for phone interviews, and stolen US permanent resident cards.

It remains uncertain how many of these fake IT workers have established long-standing relationships with companies. However, the US Department of Justice has urged companies to be vigilant and verify the identities of their hires to avoid falling victim to such schemes. The risks associated with hiring employees with fake identities go beyond embarrassment, as having a state-sponsored actor inside an organization’s environment can pose significant security risks. Moreover, in the case of software developers, their access to source code further amplifies the potential threats.

Full Article