North Korea’s Fake Recruiters Feed Stolen Data to IT Workers


The North Korean threat actor behind the DeceptiveDevelopment campaign is supplying stolen developer information to the country’s horde of fraudulent IT workers, ESET reports.

Initially detailed in February but ongoing since at least 2023, the DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection.

Similar to Operation Dream Job, Contagious Interview, and ClickFake Interview, DeceptiveDevelopment relies on fake recruiter profiles and job postings on popular platforms such as LinkedIn, Upwork, and Freelancer.com to lure developers.

As part of these attacks, after the intended victim engages with the fake recruiter, they are invited to an interview during which they are tricked into executing malware on their systems.

Because most of these attacks target cryptocurrency developers, previous research assumed they were financially motivated, either stealing the victims’ cryptocurrency assets or using the compromised developers as a foothold into the organizations they worked for.

According to ESET, these campaigns serve a secondary purpose as well: the fake recruiters harvest developer identities and hand them over to groups associated with North Korea’s fraudulent IT workers, who use the stolen information to pose as job seekers and land remote work at unsuspecting companies.

“To secure a real job position, they may employ several tactics, including proxy interviewing, using stolen identities, and fabricating synthetic identities with AI-driven tools,” ESET notes.

Using social engineering and fake recruiter profiles, the threat actor behind DeceptiveDevelopment offers fake lucrative job opportunities, aimed at infecting victims’ systems with malware such as BeaverTail, InvisibleFerret, and OtterCookie.


Last year, the attackers were seen using WeaselStore (an infostealer and backdoor also known as GolangGhost and FlexibleFerret), its Python variant PylangGhost, and TsunamiKit, a complex .NET spyware that also drops cryptocurrency miners.

In April this year, the threat actor was seen deploying Tropidoor, which shares significant code with Lazarus’ PostNapTea RAT. In August, ESET observed AkdoorTea, a variant of Akdoor.

ESET’s investigation into DeceptiveDevelopment revealed a tight collaboration with North Korea’s network of fraudulent IT workers, which the cybersecurity firm tracks as WageMole.

“Although these activities are conducted by two different groups, they are most likely connected and collaborating,” the cybersecurity firm notes in a research paper (PDF).

Operating in teams, the IT workers focus on obtaining work in Western countries, mainly in the US. In Europe, they target France, Poland, Ukraine, and Albania.

“Each team has a dedicated ‘boss’ – a leader who oversees the team’s operation, sets quotas for the team members, and coordinates their work. The members have a number of responsibilities: acquiring work, completing work tasks, and self-education to improve their skillsets,” ESET notes.

The North Korean IT workers, the cybersecurity firm says, do not focus solely on finding programming jobs. Some of them venture into civil engineering and architecture, impersonating real companies and engineers and producing engineering drawings with falsified approval stamps.

“They also focus on self-education and report studying freely available online materials and tutorial sites, mostly focusing on web programming, blockchain, the English language and, in recent years, the integration of AI into various web applications,” ESET says.
