North Korean state-sponsored criminals are once again staging fake job interviews in an attempt to infect unsuspecting victims with infostealing malware. This time, however, they’re targeting Apple users.
Cybersecurity researcher Patrick Wardle recently discovered a new variant of BeaverTail, a well-known infostealer that can steal sensitive information from web browsers (including Google Chrome, Brave, and Opera), as well as cryptocurrencies, credentials, iCloud Keychain data, and more. BeaverTail can also act as a dropper, deploying the InvisibleFerret backdoor for persistent remote access.
The malware was given the filename “MiroTalk.dmg” in an attempt to trick people into thinking they were downloading the MiroTalk video calling service. DMG is the Apple macOS disk image file format.
“Cunning gang”
“If I had to guess, the North Korean hackers likely approached their potential victims with a request to participate in a job interview by downloading and running the (infected version of) MiroTalk hosted on mirotalk(.)net,” Wardle said.
This isn’t the first time North Korean hackers have run fake job campaigns. The infamous Lazarus Group has been caught running them multiple times, and at one point even managed to steal around $600 million from a cryptocurrency bridge project after tricking a developer in this way.
What makes this campaign interesting is that BeaverTail was previously distributed via malicious npm packages hosted on GitHub and npm.
“The North Korean hackers are a cunning group that are quite adept at hacking macOS targets, although they often rely on social engineering (and are therefore not very technically impressive),” Wardle said.
In other words, the best way to stay safe is to be wary of incoming job offers, especially if they sound too good to be true. Whenever someone reaches out, whether on LinkedIn or elsewhere, always do your due diligence and run a background check on the hiring company and the people leading the hiring process.
Via The Hacker News