Fake Web3 job recruiters associated with North Korea are targeting job seekers online in a campaign that tricks individuals into downloading malware disguised as a video call application. The malicious software is capable of stealing digital funds from a range of cryptocurrency wallets, including MetaMask, BNB Chain, Exodus, Phantom, and others. Palo Alto Networks’ threat research team, Unit 42, assesses that these North Korean threat actors are likely financially motivated, with the proceeds supporting the DPRK regime. The attackers approach software developers on job search platforms, pose as recruiters arranging online interviews, and persuade victims to install the malware under the guise of a video chat app.
The attackers operate by contacting tech industry job seekers and persuading them to download and execute the malware, which then runs in the background to collect sensitive information and cryptocurrency. In a recent incident, a fake recruiter using the name “Onder Kayabasi” contacted a full stack software engineer through LinkedIn and urged them to run the malicious code; the victim, as a precaution, ran it in a virtual environment. The malware, consisting of the BeaverTail downloader and the InvisibleFerret backdoor, has been updated to steal browser passwords on macOS and cryptocurrency wallets on both Windows and macOS. This sophisticated campaign aims to infect victims and steal information and digital assets from individuals in the cryptocurrency, blockchain, cybersecurity, and online gambling sectors.
Unit 42 has been monitoring the activities of these threat actors since November 2023, when it first identified the “Contagious Interview” campaign, which has since evolved through new iterations. The attackers use the Qt cross-platform framework to build malware that can target both Windows and macOS systems from a single code base. The newly updated BeaverTail malware targets 13 different cryptocurrency wallet browser extensions, up from the 9 wallets recorded previously. These extensions include popular wallets such as MetaMask, BNB Chain, Exodus, and TronLink, underscoring the attackers’ financial interest in stealing crypto funds. In addition, the attackers deploy the InvisibleFerret backdoor to maintain control of infected devices and exfiltrate sensitive data, posing a significant risk to both the individuals and the organizations targeted in this campaign.
The potential infiltration of companies that employ the targeted job seekers is a major concern highlighted in Unit 42’s report, emphasizing the need for awareness and protection against these advanced social engineering tactics. Individuals and organizations are advised to be cautious of unsolicited contact from recruiters, especially if it involves downloading unfamiliar applications or running suspicious code. By implementing security measures and staying informed about evolving cyber threats, individuals can safeguard themselves and their organizations from falling victim to such malicious activities. Unit 42’s report offers practical guidelines for protection and mitigation against these sophisticated attack campaigns, underscoring the importance of staying vigilant in the ever-changing landscape of cybersecurity.