North Korean Hackers Pose as Job Recruiters and Job Seekers in Malware Campaigns

Nov 22, 2023 | Newsroom | Cyber Espionage / Social Engineering

North Korean threat actors are involved in two campaigns in which they pose as both job recruiters and job seekers to distribute malware and obtain unauthorized employment with organizations based in the US and other parts of the world.

The activity clusters are codenamed Contagious Interview and Wagemole, respectively, by Palo Alto Networks Unit 42.

While the first set of attacks aims to “infect software developers with malware through a fictitious job interview,” the latter is designed for financial gain and espionage.

“The purpose of the first campaign is likely to steal cryptocurrency and use compromised targets as an environment for further attacks,” the cybersecurity company said.

Fraudulent job search activity, on the other hand, involves using a GitHub repository to host resumes with fake identities pretending to be individuals of different nationalities.

The Contagious Interview attacks pave the way for two hitherto undocumented cross-platform malware families named BeaverTail and InvisibleFerret that can run on Windows, Linux, and macOS systems.


It’s worth noting that the intrusion set shares tactical overlap with a previously reported North Korean threat activity called Operation Dream Job, which involved approaching employees with potential job offers and deceiving them into downloading a malicious npm package hosted on GitHub as part of an online interview.

“The threat actor likely presents the victim’s package as software to review or analyze, but it actually contains malicious JavaScript designed to infect the victim’s host with backdoor malware,” Unit 42 said.
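A developer handed a package to "review" can triage it statically before anything is installed or executed. The sketch below is an added example, not code from Unit 42 or from the campaign: the function name `triagePackage`, the pattern list, and the line-length threshold are assumptions, and the heuristics are generic review prompts rather than BeaverTail signatures.

```javascript
// Static pre-install triage of an npm package received during an "interview".
// Heuristics are generic assumptions, not BeaverTail signatures from Unit 42.

// package.json scripts that npm runs automatically during `npm install`.
const AUTO_RUN = ["preinstall", "install", "postinstall", "prepare"];

// Generic patterns worth a manual look before any code is executed (assumed list).
const PATTERNS = [
  ["dynamic code execution", /\beval\s*\(|new\s+Function\s*\(/],
  ["process spawning", /child_process/],
  ["encoded blob decoding", /Buffer\.from\([^)]*,\s*['"](base64|hex)['"]\)|\batob\s*\(/],
];
const MAX_LINE = 1000; // very long lines often indicate minified or obfuscated code

function triagePackage(manifestText, files) {
  const findings = [];
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch {
    return [{ file: "package.json", reason: "unparseable manifest" }];
  }
  const scripts = (manifest && typeof manifest.scripts === "object" && manifest.scripts) || {};
  for (const hook of AUTO_RUN) {
    if (typeof scripts[hook] === "string") {
      findings.push({ file: "package.json", reason: `auto-run script "${hook}": ${scripts[hook]}` });
    }
  }
  for (const [name, source] of Object.entries(files)) {
    for (const [label, re] of PATTERNS) {
      if (re.test(source)) findings.push({ file: name, reason: label });
    }
    const longest = source.split("\n").reduce((m, l) => Math.max(m, l.length), 0);
    if (longest > MAX_LINE) findings.push({ file: name, reason: `line of ${longest} chars` });
  }
  return findings;
}

// Constructed sample input (not taken from any real package).
const sampleManifest = JSON.stringify({
  name: "interview-task", version: "1.0.0",
  scripts: { test: "node test.js", postinstall: "node lib/setup.js" },
});
const sampleFiles = {
  "index.js": "module.exports = (a, b) => a + b;\n",
  "lib/setup.js": "const p = require('child_process');\nvar x = '" + "A".repeat(1500) + "';\neval(x);\n",
};

for (const f of triagePackage(sampleManifest, sampleFiles)) console.log(`${f.file}: ${f.reason}`);
```

An empty result does not clear a package; unfamiliar code from a recruiter still belongs in a disposable VM, and `npm install --ignore-scripts` keeps lifecycle hooks from running during review.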

BeaverTail, the JavaScript implant, is a stealer and a loader with capabilities to steal sensitive information from web browsers and crypto wallets, and deliver additional payloads, including InvisibleFerret, a Python-based backdoor with fingerprinting, remote control, keylogging, and data exfiltration features.

InvisibleFerret is also designed to download the AnyDesk client from an actor-controlled server for remote access.

Earlier this month, Microsoft warned that a nefarious Lazarus Group sub-cluster called Sapphire Sleet (aka BlueNoroff) was building new infrastructure impersonating skills assessment portals as part of its social engineering campaigns.

This is not the first time that North Korean threat actors have abused bogus npm and PyPI modules. In late June and July 2023, Phylum and GitHub detailed a social engineering campaign targeting the personal accounts of employees working at technology companies with the intent of installing a fake npm package under the pretext of a collaboration project on GitHub.

The attacks were attributed to another cluster known as Jade Sleet, which is also called TraderTraitor and UNC4899, and has since been linked to the JumpCloud hack that happened around the same time.

The Wagemole discovery echoes a recent advisory from the US government, which revealed North Korea’s trickery to beat sanctions by sending in an army of highly skilled IT workers who get jobs in many companies around the world and send their salaries back to fund the country’s weapons programs.

“Some resumes include links to a LinkedIn profile and links to GitHub content,” the cybersecurity company said.


“These GitHub accounts appear to be well maintained and have a long history of activity. These accounts indicate frequent code updates and interaction with other developers. As a result, these GitHub accounts are almost indistinguishable from legitimate accounts.”

“We would create 20 to 50 fake profiles a year until we were hired,” a North Korean IT worker who recently defected was quoted as saying to Reuters, which also shared details of the Wagemole campaign.

The development comes as North Korea claimed that it has successfully put a military spy satellite into space, after two unsuccessful attempts in May and August of this year.

It also follows a new attack campaign orchestrated by the North Korean-linked Andariel group – another subordinate element within Lazarus – to deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as through supply chain attacks using asset management software in South Korea.

“Software developers are often the weakest link for supply chain attacks, and fraudulent job offers are an ongoing concern, so we expect continued activity from Contagious Interview,” said Unit 42. “Furthermore, Wagemole represents an opportunity to embed insiders in target companies.”
