Hackers target job seekers primarily for financial gain and to obtain sensitive personal information.
Many job seekers are vulnerable due to their enthusiasm for finding employment, which exposes them to phishing scams and fake job postings.
Cybersecurity analysts at Palo Alto Networks recently discovered that North Korean hackers have been actively attacking job seekers to deploy multiple malware.
North Korean Hackers Posing as Recruiters
Researchers found that North Korean hackers (tracked as “CL-STA-240 Contagious Interview campaign”) who are targeting technology industry job seekers via sophisticated “social engineering” attacks.
Analyse Any Suspicious Files With ANY.RUN: Intergarte With You Security Team -> Try for Free
Threat actors pose as recruiters on professional platforms like “LinkedIn” by conducting “fake online interviews” to distribute two primary types of malware:-
.webp)
- BeaverTail downloader
- InvisibleFerret backdoor
The latest version of BeaverTail has been developed using the “Qt framework” for cross-platform compatibility.
This variant targets both Windows (“.msi files”) and macOS (“.dmg files”) OS by masquerading as legitimate applications like “MiroTalk” and “FreeConference.”
Besides this, it has enhanced capabilities like ‘browser password theft,’ ‘cryptocurrency wallet targeting’ (expanding from 9 to 13 different wallet extensions), and ‘data exfiltration through C2 servers,’ notably using the IP address 95.164.17[.]24 on port 1224.
After a successful infection, BeaverTail installs Python programming to deploy the InvisibleFerret backdoor. This operates stealthily while presenting a fake GUI to victims, making the attack tricky across multiple platforms.
The “InvisibleFerret” Python backdoor is a sophisticated malware architecture that comprises three interconnected components.
Here below, we have mentioned those three “interconnected components”:-
- An initial downloader module that establishes the infection by retrieving additional payloads.
- A primary payload component equipped with advanced capabilities (“endpoint fingerprinting,” “remote system control,” “keylogging functionality,” “sensitive file exfiltration,” and “on-demand AnyDesk client deployment for enhanced remote access.”).
- A specialized browser stealer component designed to harvest browser credentials and payment card information.
.webp)
This malware has evolved through multiple versions, showing code refinements in its “ssh_cmd function” and “ss_ufind subcommand.”
These refinements now use “Windows findstr” and “macOS find commands” for optimized file pattern searching.
This set of malware poses significant risks to both individual users and corporate networks through their comprehensive capabilities and potential for lateral movement within compromised organizations.
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)