A Group from North Korea Creates False Crypto Companies in Deceptive Employment Center Scam
For nearly two years, threat intelligence teams have been tracking the ongoing Contagious Interview campaign, run by a North Korean state-sponsored threat group that uses fake job interviews to lure targets into installing malware on their systems. The advanced persistent threat (APT) operators behind the elaborate scam, also tracked as Famous Chollima, have been described by some as a subunit of the notorious Lazarus Group run by the Democratic People’s Republic of Korea (DPRK), or possibly as that group itself. Researchers from Palo Alto Networks’ Unit 42 first documented the campaign in November 2023, and since then analysts from Unit 42 and other security companies, including SentinelOne and Group-IB, have followed the campaign’s evolution, including the malware the attackers have introduced.
This week, researchers at the cyber intelligence firm Silent Push reported that the ever-evolving Contagious Interview campaign has added a new twist: three fake cryptocurrency companies set up as a front for the scam, once again using the lure of bogus job offers to persuade victims to download variants of malware named BeaverTail, InvisibleFerret, and OtterCookie.

Announcements for Non-Existent Jobs

In a statement, the Silent Push researchers said the Contagious Interview crew set up the three cryptocurrency firms (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) and then posted job openings on legitimate online platforms such as CryptoJobsList, CryptoTask, Freelance, and Upwork to attract people looking for work in the crypto sector. The threat group also combed GitHub repositories to find prospective victims.
Contagious Interview also used AI-generated images, some produced with the legitimate Remaker AI editing software, to fabricate profiles of non-existent employees for each company. “Contagious Interview has availed themselves of services like Astrill VPN and residential proxies to obscure their infrastructure and operations, heightening the challenge of detection, and our team has observed a new strategy that extensively incorporates AI-generated visuals,” the researchers noted.

‘Suspicious Signs’

One of the shell companies, BlockNovas, which Silent Push identified as the most active of the fronts, claims to have 14 employees, though many of the identities appear to be AI-generated. “One of the purported fabricated identities was even witnessed undertaking ‘gig development work,’ though it remains uncertain if they exploited their privileges during these gigs,” the researchers wrote. They added that “it is impossible to verify the authenticity of all the employees, as some might be engaged in different auxiliary roles.” Nonetheless, the researchers pointed to “suspicious signs” found during their analysis that led them to conclude that several of the identities were fictional. When a person applies to one of the fake job listings, they receive documents supposedly related to the interview that in fact contain malware capable of stealing data or cryptocurrency from the victim.

Probing into BlockNovas

The Silent Push report examined the BlockNovas operation in detail, noting that the domain was registered in July 2024 through NameCheap using an address in Warrenville, South Carolina, on a residential street. The listed company contacts, Mehmet Demir and Ramon Mckenzie, use the same address and appear to be fabricated.
The threat actors set up accounts on platforms including LinkedIn, Facebook, and X (formerly Twitter), where they also posted links to their fraudulent job listings. On the BlockNovas website, the operators listed names of fictional employees alongside photos of at least two real people who have different names and no connection to the company. Among the other red flags the researchers observed was an AI-generated image of Mehmet Demir that was associated with all three of the fake firms.

Employment Application Form

The job application form on BlockNovas ran through several stages before the final lure, asking for details such as the applicant’s location, the type of job sought (full-time or part-time), English proficiency, work experience, and social media profiles. Applicants were also asked to submit a short introductory video. “In the event that the job applicant, also identified as the intended victim, clicked any of the call-to-action buttons, a pop-up message would appear stating ‘Access to your camera or microphone is presently restricted’ along with a ‘ClickFix’ copy-and-paste lure,” the researchers explained. “If the command instigated by the lure was executed on a Windows, Mac, or Linux system, it would execute the malware.” BeaverTail is written in JavaScript and is used to steal data and deploy additional malware, while InvisibleFerret functions as spyware and a backdoor. OtterCookie is used to steal data and cryptocurrency wallet keys.
State-backed North Korean units are known for running scams involving IT workers, either luring unsuspecting victims into applying for non-existent jobs, as in the Contagious Interview campaign, or having operatives pose as legitimate IT professionals who take positions at real companies in order to steal information or funds. The proceeds are funneled back to the country’s rulers, who use them to evade global sanctions and support the regime’s numerous weapons programs.
