North Korea makes finding a gig even harder by attacking candidates and employers


Palo Alto Networks' Unit 42 has detailed a pair of job market hacking schemes linked to state-sponsored actors in North Korea: one in which the threat actors pose as job seekers, the other as would-be employers.


One of the schemes, named Contagious Interview, sees threat actors pose as potential employers to lure software engineers into downloading malware-laden Node Package Manager (NPM) packages from GitHub.

The other, called Wagemole, sees threat actors pretend to be jobseekers as part of a ruse aimed at both financial gain and espionage.


Unit 42 said it had "moderate confidence" that Contagious Interview was run by a North Korea state-sponsored actor and "high confidence" that Wagemole is one of the Hermit Kingdom’s campaigns.


Infrastructure for Contagious Interview started appearing in December 2022. The threat actors pose as recruiters for real and imaginary companies, and advertise on job boards for roles in fields including AI, cryptocurrency, and NFTs.

The scammers then invite targets for online interviews. The fake interviewer asks the applicant to download a GitHub package, presumably so the candidate can review or analyze the content. And voilà, info-stealers are installed on software engineers’ systems, perhaps allowing access to whatever they’re working on for their current employer, or just personal information.


The researchers discovered two previously unknown malware families used by the Contagious Interview crew: a JavaScript-based info-stealer and loader hiding inside NPM packages that Unit 42 named BeaverTail, and a Python-based backdoor the group called InvisibleFerret.


BeaverTail targets basic information plus details of credit cards and crypto wallets stored by browsers. InvisibleFerret can keylog credentials, exfiltrate data, facilitate remote access and even download AnyDesk RMM – a remote management utility.

Unit 42 discovered Contagious Interview by perusing customer telemetry. The threat-hu ..
