North Korea-linked threat actors associated with the Contagious Interview campaign have established front companies to distribute malware under the guise of fake job interviews. The three front companies being used in this scheme are BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. These companies are purportedly in the cryptocurrency consulting industry and are being used to spread malware through job interview lures.
The malware being distributed includes three known families – BeaverTail, InvisibleFerret, and OtterCookie. The Contagious Interview campaign is just one of several job-themed social engineering tactics employed by North Korea to trick individuals into downloading malware. These attacks have been tracked under various names by the cybersecurity community.
The use of front companies for malware distribution, combined with the creation of fake accounts on popular platforms, marks a new escalation in the tactics used by these threat actors. The malware deployed through these fake job interviews includes a JavaScript stealer/loader (BeaverTail) and a Python backdoor (InvisibleFerret) that can establish persistence on multiple operating systems.
Additionally, BlockNovas has been utilizing video assessments to distribute other malware variants such as FROSTYFERRET and GolangGhost. The malicious infrastructure also includes a “Status Dashboard” to monitor domains associated with the attacks.
Furthermore, the threat actors are hosting a tool called Kryptoneer that connects to cryptocurrency wallets, potentially indicating a focus on targeting the Sui blockchain. The BlockNovas domain has been seized by the FBI for distributing malware through fake job postings.
These threat actors are utilizing AI-powered tools to create fake profiles and are hiding their activities behind VPNs and proxies. The Contagious Interview campaign is just one aspect of their larger operation, which also includes the Wagemole tactic to infiltrate major companies and steal sensitive data for financial gain.
Telemetry data suggests that these threat actors are operating from various countries, including China, Russia, and Pakistan. The use of Russian IP ranges indicates potential cooperation between North Korea and Russian entities in carrying out these cyber attacks.