September 4, 2024 at 12:21PM
North Korean threat actors have created a malicious campaign called Contagious Interview, using fake job interviews to distribute malware. They have now been using fake video conferencing applications to backdoor developer systems. This activity is attributed to the North Korean threat actor Famous Chollima. The campaign is targeting job seekers and has evolved to target cryptocurrency and gaming platforms. The U.S. FBI has issued a warning about North Korean cyber actors targeting the cryptocurrency industry using sophisticated social engineering attacks.
Based on the meeting notes, here are the key takeaways:
1. North Korean threat actors have orchestrated a malicious campaign known as Contagious Interview (or DEV#POPPER) targeting job seekers. The attack involves tricking victims into downloading a Node.js project, which contains the BeaverTail downloader malware, and subsequently delivers a Python backdoor called InvisibleFerret. The attack is financially motivated and also involves the use of fake job interviews as a lure.
2. The attackers have used various distribution mechanisms, including leveraging fake installers masquerading as legitimate video conferencing software such as MiroTalk and FreeConference.com. The latest findings attribute the campaign to the Lazarus Group and suggest that the threat actors are actively refining their tactics.
3. In addition to LinkedIn, the threat actors have been actively searching for potential victims on other job search platforms such as WWR, Moonlight, and Upwork. They have been using social engineering tactics to move the conversation onto platforms like Telegram and then directing potential victims to download malicious applications as part of the interview process.
4. The attack campaign has seen active refinement, with the threat actors injecting malicious JavaScript into cryptocurrency- and gaming-related repositories. There is evidence of the threat actors using different propagation vectors, such as npm packages, to distribute malware.
5. Notable changes in the campaign include the targeting of more cryptocurrency wallet extensions and the use of a modularized approach with the emergence of CivetQ, a set of Python scripts capable of extensive information stealing from browser extensions, including Microsoft Sticky Notes.
6. The campaign is being actively developed and has evolved incrementally over the past few months. The FBI has issued a warning about North Korean cyber actors aggressively targeting the cryptocurrency industry through “well-disguised” social engineering attacks.
7. The FBI advisory highlights the sophisticated nature of North Korean social engineering schemes, which involve scouting and socially engineering employees of targeted DeFi or cryptocurrency-related businesses to gain unauthorized network access.
These takeaways provide a comprehensive overview of the ongoing malicious campaign orchestrated by North Korean threat actors, shedding light on their tactics, targets, and the actively evolving nature of their attacks.