North Korean hackers are posing as job interviewers – don’t be fooled
If you are hiring or looking for a new job, be very careful who you talk to. Cybersecurity researchers from Palo Alto’s Unit 42 have discovered two separate malware campaigns – one targeting employers and the other job hunters – run by North Korean state-sponsored threat actors.
The campaign, called ‘Contagious Interview’, sees hackers posing as employers, creating fake profiles on various social media networks and trying to interest software developers in new jobs.
During the interview process (which often involves multiple steps, possibly even video interviews), the hackers had the victims download and execute files that ultimately infected their endpoints with malware.
New malware
This campaign most likely started in December last year, and given that parts of the infrastructure are still active, the campaign still poses a major threat.
The goal, according to the report, is to steal cryptocurrencies from victims and later use their endpoints as a stepping stone for new attacks.
The campaign in which hackers are looking for work is called ‘Wagemole’. The threat actors are mainly targeting American companies, says Unit 42, but they will not miss an opportunity anywhere else in the world. In the process, the attackers create multiple resumes with different technical skills, as well as multiple identities pretending to be individuals from different parts of the world. It also contains general interview questions and answers and scripts
for interviews and downloaded job vacancies from US companies.
For the attack to be successful, victims must download and run two types of previously unseen malware: one called BeaverTail and the other called InvisibleFerret. While BeaverTail is a JavaScript-based piece of malware hidden in an npm package, InvisibleFerret is a “simple but powerful” Python-based backdoor. Both examples can run on Windows, macOS, and Linux devices.