North Korean Hackers Employing New Tactic To Acquire Remote Jobs


Hackers increasingly target remote workers by exploiting vulnerabilities arising from the shift to telecommuting.

They use tactics like “voice phishing” (vishing) to gain access to corporate networks. They impersonate IT staff and trick employees into providing sensitive information via fake login pages.

SIEM as a Service

Zscaler researchers recently discovered that North Korean hackers are actively employing new tactics to acquire remote jobs.

North Korean Hackers & Remote Job

North Korean cyber threat actors directed two sophisticated campaigns in November 2023 that were dubbed “Contagious Interview” and “WageMole.” These two campaigns were designed to evade the international financial sanctions. 

North Korean Hackers Employing New Tactic To Acquire Remote Jobs
Relationship between the Contagious Interview and WageMole campaigns (Source – Zscaler)

The “Contagious Interview” initially lured victims via fake job postings on platforms like Freelancer to target “full-stack developers,” “cryptocurrency experts,” and “AI specialists.” 

Strategies to Defend Websites & APIs from Malware Attack -> Free Webinar

The attackers deployed two main malware components:- 

  • BeaverTail: A JavaScript-based malware that uses advanced obfuscation techniques and dynamic loading.
  • InvisibleFerret: A Python-based backdoor that has keylogging capabilities.
North Korean Hackers Employing New Tactic To Acquire Remote Jobs
BeaverTail and InvisibleFerret infection chain (Source – Zscaler)

These tools were distributed via malicious “NPM packages,” “Windows Installers,” and “macOS applications” disguised as chat software. 

North Korean Hackers Employing New Tactic To Acquire Remote Jobs
Contagious Interview campaign, which utilizes InvisibleFerret to exfiltrate data from a victim (Source – Zscaler)

In August 2024, the InvisibleFerret’s functionality expanded to include the “ssh_zcp” command for “stealing browser extensions,” “cryptocurrency wallet data,” and “password manager information.” 

All this information is compressed with AES encryption using “py7zr.SevenZipFile” (for Windows) or “pyzipper.AESZipFile” (for non-Windows systems). 

The malware used the “/uploads URI” to exfiltrate data via “HTTP protocols” instead of “FTP servers” and also gained “remote control” by installing “AnyDesk” clients.

This operation breached “140” devices split between the “Windows OS” (50%), “Linux” and “Mac” platforms targeting developers based in:-

  • India
  • Pakistan
  • Kenya
  • Nigeria
  • Spain
  • Russia

Here, the stolen identities were later used during the “WageMole” campaign to impersonate and secure remote positions in Western companies to achieve their sanctions evasion strategy.

North Korean Hackers Employing New Tactic To Acquire Remote Jobs
Operational process of WageMole campaign is organized into stages (Source – Zscaler)

These operatives carefully generate false legal identities with AI-edited documents and create extensive portfolios as full-stack developers with skills that include Spring Boot, React/Next.js, Laravel, Symfony, Node.js, TypeScript, WordPress, and ASP.NET.

Being present on LinkedIn, Indeed, Glassdoor, and Upwork, they also managed their development process by keeping GitHub accounts and reading Zscaler report.

Such repositories are in their system pattern in which they participated in the development of both the frontline and backend staff in the implementation of the work, especially in relation to projects on cryptocurrencies, “D:WorkCryptoCrypo-backendapp” and “D:WorkCryptoCrypto-frontend.”

To raise suspicion during interviews, they resort to AI voice-over for technical questions about React.JS, Flutter, Backend API, and even prepare and document comprehensively how Agile/Scrum works.

These operatives’s targets are observed to be small to medium enterprises in different industries, “IT,” “Healthcare,” “Retail,” and “Financial Services” and use Skype to conduct the interview while pretending to be in the USA.

They share code snippets among themselves, and payment seems to come via Euro banks or “Paypal/Payoneer” and usually are about 48,000 EUR per year, but if employed full time then 12 EUR per hour contracted for, all of which are made possible due to their technical skills for avoiding global sanctions.

Recommendations

Here below we have mentioned all the recommendations:-

  • Monitor executions/connections tied to IOCs.
  • Don’t save sensitive data in plain text.
  • Avoid insecure storage of personal details.
  • Be cautious with unknown contacts.
  • Run suspicious files in virtual environments.
  • Monitor IOC-listed email and social contacts.
  • Directly verify candidates’ employment history.
  • Limit new hires’ access during probation.
  • Conduct thorough background checks.
  • Verify applicants’ work locations.
  • Authenticate ID documents to prevent fraud.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!



Source link