North Korean hackers target freelance developers in job scams to deploy malware

By user, February 20, 2025

Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret.

The activity, linked to North Korea, is known as DeceptiveDevelopment. It overlaps with clusters tracked as Contagious Interview (aka CL-STA-0240), DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. The campaign has been underway since at least the second half of 2023.

“Through spear phishing on job-hunting and freelance sites, DeceptiveDevelopment targets freelance software developers with the aim of stealing cryptocurrency wallets and login information from browsers and password managers,” cybersecurity company ESET said in a report shared with Hacker News.

In November 2024, ESET confirmed to Hacker News the overlap between DeceptiveDevelopment and Contagious Interview, classifying it as a new Lazarus Group activity that operates with the aim of carrying out cryptocurrency theft.

The attack chain is characterized by the use of fake recruiter profiles on social media to reach out to prospective targets and share a trojanized codebase hosted on GitHub, GitLab, or Bitbucket.

Subsequent iterations of the campaign have branched out to other recruitment platforms such as Upwork and Freelancer.com. As previously highlighted, these hiring challenges usually involve fixing bugs or adding new features to crypto-related projects.

Apart from coding tests, the fake projects pose as cryptocurrency initiatives, games with blockchain capabilities, and gambling apps with cryptocurrency capabilities. The malicious code is often embedded within a benign component as a single line.

“In addition, they are instructed to build and run the project to test it, which is where the first compromise occurs,” said security researcher Matěj Havránek. “The repository used is usually private, so the victim will be asked to provide their account ID or email address first.”
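Because the malicious code is usually a single line inside an otherwise benign file, and the first compromise happens when the project is built and run, a received repository deserves a review before anything in it is executed. The following Python sketch is an added example, not code from ESET or the original article: it lists unusually long lines and lines where code follows a long whitespace run. The thresholds, file extensions, the whitespace heuristic and the sample project are assumptions constructed for illustration.

```python
import os
import re
import tempfile

SOURCE_EXTS = {".js", ".mjs", ".cjs", ".ts", ".py"}  # assumption: types to review
SKIP_DIRS = {".git", "node_modules"}
MAX_LINE = 500  # assumption: hand-written source lines rarely exceed this
PADDED = re.compile(r"\S[ \t]{100,}\S")  # assumption: code pushed far off-screen

def suspicious_lines(text):
    """Return (line_no, reason) pairs for lines that deserve manual review."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PADDED.search(line):
            findings.append((no, "code after long whitespace run"))
        elif len(line.strip()) > MAX_LINE:
            findings.append((no, "very long single line"))
    return findings

def scan_repo(root):
    """Walk a checked-out project and list (path, line_no, reason) findings."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SOURCE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, reason in suspicious_lines(fh.read()):
                    results.append((os.path.relpath(path, root), no, reason))
    return sorted(results)

def build_sample_repo(root):
    """Constructed sample: one clean file, two with a flagged line, one ignored."""
    files = {
        "index.js": "const app = require('./server');\napp.listen(3000);\n",
        "server.js": "module.exports = {};\n" + "x=" + "A" * 600 + ";\n",
        "util.js": "// helper" + " " * 200 + "doSomething();\n",
        "README.md": "B" * 2000 + "\n",  # not a source extension, so skipped
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for path, no, reason in scan_repo(tmp):
            print(f"{path}:{no}: {reason}")
```

Run it against the checkout from an isolated environment, before any build or install step. A clean result only means these two patterns are absent, so the flagged lines are a starting point for manual review rather than a verdict.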

The second method used to achieve initial compromise revolves around tricking victims into installing a malware-laced video conferencing platform such as MiroTalk or FreeConference.

Both BeaverTail and InvisibleFerret have information-stealing capabilities, but the former serves as a downloader for the latter. BeaverTail also comes in two flavors: a JavaScript variant that can be placed within trojanized projects, and a native version built using the Qt platform that is disguised as conferencing software.

InvisibleFerret is a modular Python malware that retrieves and runs three additional components.

One acts as a backdoor that can collect information and accept remote commands from attacker-controlled servers to log keystrokes, capture clipboard content, execute shell commands, exfiltrate files and data from mounted drives, install AnyDesk and the browser module, and collect information from browser extensions and password managers. Another is responsible for stealing login data, autofill data, and stored payment information from Chromium-based browsers such as Chrome, Brave, Opera, Yandex, and Edge. The third is ADC.

ESET said the campaign targets software developers working on cryptocurrency and decentralized finance projects around the world, with major concentrations reported in Finland, India, Italy, Pakistan, Spain, South Africa, Russia, Ukraine, and the US.

“Attackers don’t distinguish based on geographic location, and aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information.”

This is also evidenced by the obviously poor coding practices adopted by the operators, ranging from the failure to delete development notes to the local IP addresses used for development and testing, which indicates that the intrusion set is not concerned about stealth.

The use of job interview lures is a classic strategy adopted by various North Korean hacking groups, most notably in a long-running campaign called Operation Dream Job.

Additionally, there is evidence to suggest that these groups are also involved in the fraudulent IT worker scheme, in which North Korean citizens apply for employment abroad under false identities to draw regular salaries as a way to fund the regime's priorities.

“The DeceptiveDevelopment cluster is an addition to the already large collection of money-making schemes adopted by actors allied with North Korea, and follows the ongoing trend of shifting focus from traditional money to cryptocurrency,” ESET said.

“During our research, we observed it going from primitive tools and techniques to more sophisticated and capable malware, as well as more sophisticated techniques to lure victims and deploy the malware.”
