North Korean hackers pose as recruiters and job seekers.

Threat actors from North Korea have been linked to two campaigns. In these instances, they distribute malware and engage in unauthorized job applications with companies in the United States and other countries by pretending to be recruiters and job seekers.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

Palo Alto Networks Unit 42 has given the activity clusters the codenames Contagious Interview and Wagemole, respectively.

One set of attacks is intended to “infect software developers with malware through a fictitious job interview,” while the other is intended to be used for espionage and financial gain.
“The first campaign’s objective is likely cryptocurrency theft and using compromised targets as a staging environment for additional attacks,” the cybersecurity firm stated.

On the other side, the fraudulent job-seeking activity entails the hosting of resumes with fake identities that mimic people of different countries on a GitHub repository.

Two previously unreported cross-platform malware programs called BeaverTail and InvisibleFerret, which are compatible with Windows, Linux, and macOS, are made possible by the Contagious Interview attacks.

It is noteworthy that there are tactical similarities between the intrusion set and the previously documented North Korean threat activity known as Operation Dream Job. This activity entails approaching workers with possible job offers and deceiving them into downloading a malicious npm package hosted on GitHub in the course of an online interview.

“The threat actor likely presents the package to the victim as software to review or analyze, but it actually contains malicious JavaScript designed to infect the victim’s host with backdoor malware,” stated Unit 42.

The JavaScript implant BeaverTail can load and steal files from cryptocurrency wallets and web browsers. It can also deliver other payloads, such as InvisibleFerret, a Python-based backdoor with keylogging, fingerprinting, remote control, and data exfiltration capabilities.

InvisibleFerret is made to download the AnyDesk client for remote access from a server under actor control.

Microsoft issued a warning earlier this month regarding the infamous Lazarus Group sub-cluster known as Sapphire Sleet (also known as BlueNoroff), stating that as part of its social engineering campaigns, it has set up new infrastructure that mimics skills testing portals.

Threat actors from North Korea have already used fake modules in PyPI and npm. Phylum and GitHub disclosed in late June and early July 2023 the details of a social engineering operation aimed at infiltrating employees’ personal accounts of tech companies with the intention of uploading a fake npm package while pretending to be working together on a GitHub project.

Jade Sleet, also known as TraderTraitor and UNC4899, has been linked to the attacks and has also been implicated in the JumpCloud hack that occurred around the same time.
The Wagehole discovery is consistent with a recent advisory from the U.S. government that revealed North Korea’s devious tactics to evade sanctions by sending out an army of highly skilled IT workers who work for multiple companies throughout the world and then use their earnings to fund the nation’s weapons programs.

The cybersecurity company stated, “Some resumes include links to GitHub content and links to a LinkedIn profile.”

These GitHub accounts have a long history of activity and seem to be well-maintained. These accounts show regular revisions to the code and interactions with other developers.

The Wagemole operation was disclosed by Reuters, which also quoted a North Korean IT worker who recently escaped. “We would create 20 to 50 fake profiles a year until we were hired,” the worker said.

This comes after two failed attempts in May and August of this year, when North Korea claimed to have successfully launched a military spy satellite into orbit.

It also comes after another subordinate element within Lazarus, the Andariel group, linked to North Korea, launched a new attack campaign to deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT through supply chain attacks using a South Korean asset management software and infiltrating vulnerable MS-SQL servers.

“Software developers are often the weakest link for supply chain attacks, and fraudulent job offers are an ongoing concern, so we expect continued activity from Contagious Interview,” said Unit 42. “Furthermore, Wagemole represents an opportunity to embed insiders in targeted companies.”