North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world.
The activity clusters have been codenamed Contagious Interview and Wagemole, respectively, by Palo Alto Networks Unit 42.
While the first set of attacks aims to "infect software developers with malware through a fictitious job interview," the latter is designed for financial gain and espionage.
"The first campaign's objective is likely cryptocurrency theft and using compromised targets as a staging environment for additional attacks," the cybersecurity company said.
The fraudulent job-seeking activity, on the other hand, involves the use of a GitHub repository to host resumes with forged identities that impersonate individuals of various nationalities.
The Contagious Interview attacks pave the way for two hitherto undocumented cross-platform malware named BeaverTail and InvisibleFerret that can run on Windows, Linux, and macOS systems.
It's worth noting that the intrusion set shares tactical overlaps with previously reported North Korean threat activity dubbed Operation Dream Job, which involves approaching employees with potential job offers and tricking them into downloading malicious tools – a rogue npm package hosted on GitHub, in this case – as part of an online interview.
"The threat actor likely presents the package to the victim as software to review or analyze, but it actually contains malicious JavaScript designed to infect the victim's host with backdoor malware," Unit 42 said.
BeaverTail, the JavaScript implant, is a stealer and a loader that comes with capabilities to steal sensitive information from web browsers and crypto wallets, and deliver additional payloads, including InvisibleFerret, a Python-based backdoor with fingerprinting, remote control, keylogging, and data exfiltration features.
InvisibleFerret is also designed to download the AnyDesk client from an actor-controlled server for remote access.
"There is no evidence to support links between Contagious Interview and Operation Dream Job," Michael Sikorski, vice president and CTO of Palo Alto Networks Unit 42, told The Hacker News. "They are treated as disparate campaigns. It's true that there is a TTP overlap with the use of social engineering techniques focusing on job seekers as the initial attack vector."
"Contagious Interview is focused on targeting developers, mainly through fake identities in freelance job portals, and the next stages involve the use of developer tools and npm packages leading to newly uncovered malware families (BeaverTail and Invisible Ferret)," Sikorski further elaborated.
"Operation Dream Job impersonates companies such as Boeing and Lookheed Martin when creating fictitious identities and delivers a file (spear phishing) using storage services and a set of droppers, RATs and tools that are not observed in Contagious Interview."
Earlier this month, Microsoft warned that the infamous Lazarus Group sub-cluster referred to as Sapphire Sleet (aka BlueNoroff) has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns.
This is not the first time North Korean threat actors have abused bogus modules in npm and PyPI. In late June and July 2023, Phylum and GitHub detailed a social engineering campaign that targeted the personal GitHub accounts of employees working in technology firms to disseminate a counterfeit npm package under the guise of collaborating on an open-source project.
The attacks have been attributed to another cluster known as Jade Sleet, which is also called TraderTraitor and UNC4899, and has since been implicated in the JumpCloud hack that took place around the same time.
The discovery of Wagehole echoes a recent advisory from the U.S. government, which disclosed North Korea's subterfuge to beat sanctions by dispatching an army of highly-skilled IT workers who obtain employment in several companies globally and funnel back their wages to fund the country's weapons programs.
"Some resumes include links to a LinkedIn profile and links to GitHub content," the cybersecurity company said.
"These GitHub accounts appear well maintained and have a lengthy activity history. These accounts indicate frequent code updates and socialization with other developers. As a result, these GitHub accounts are nearly indistinguishable from legitimate accounts."
"We would create 20 to 50 fake profiles a year until we were hired," a North Korean IT worker who recently defected was quoted as saying to Reuters, which also shared details of the Wagemole campaign.
The development comes as North Korea claimed that it has successfully put a military spy satellite into space, after two unsuccessful attempts in May and August of this year.
It also follows a new attack campaign orchestrated by the North Korea-linked Andariel group – another subordinate element within Lazarus – to deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as via supply chain attacks using a South Korean asset management software.
"Software developers are often the weakest link for supply chain attacks, and fraudulent job offers are an ongoing concern, so we expect continued activity from Contagious Interview," Unit 42 said. "Furthermore, Wagemole represents an opportunity to embed insiders in targeted companies."
(The story was updated after publication to include additional commentary from Palo Alto Networks Unit 42 on the Contagious Interview campaign.)