Freelance software developers are being targeted in an ongoing campaign that uses job interview-themed lures to deliver two cross-platform malware families, BeaverTail and InvisibleFerret.
Attributed to North Korea-aligned actors, the campaign, which ESET tracks as DeceptiveDevelopment, overlaps with activity clusters reported by other vendors under the names Contagious Interview, DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. The operation has been active since late 2023.
According to a report by cybersecurity company ESET, DeceptiveDevelopment employs spear-phishing tactics on job-hunting and freelancing websites to steal cryptocurrency wallets and login credentials from browsers and password managers.
ESET has confirmed the overlap between DeceptiveDevelopment and Contagious Interview, categorizing the activity as a new Lazarus Group effort whose aim is cryptocurrency theft.
The attack chains involve fake recruiter profiles on social media reaching out to potential victims with trojanized codebases hosted on platforms like GitHub, GitLab, or Bitbucket under the guise of job interviews.
Subsequent iterations of the campaign have expanded to other job-hunting platforms like Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List, with tasks typically involving crypto-related projects.
The malicious projects are disguised as cryptocurrency initiatives, games with blockchain elements, or gambling apps with crypto features. The malicious code is typically a small addition buried inside an otherwise benign component of the project, so a quick skim of the repository is unlikely to reveal it.
Victims are asked to build and run the project as part of the "interview task", which executes the embedded code and gives the attackers their initial foothold. Trojanized builds of video conferencing software such as MiroTalk or FreeConference are used as an alternative lure.
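As an added example (not code from the ESET report or from the campaign), here is a small Python pre-build triage script a developer could run over a cloned "interview project" before `npm install` or `npm start`. It flags npm lifecycle hooks that execute automatically on install, and source lines that look like a hidden one-liner: overly long lines, code pushed off-screen behind a run of whitespace or a block comment, `eval`/`Function`/base64/hex blobs, `child_process` use, and URLs pointing at raw IP addresses. The thresholds, regexes, and the constructed sample repository are this author's assumptions for illustration, not indicators published in the report.

```python
"""Pre-build triage for a recruiter-supplied 'take-home' repository.

Added example, not code from the ESET report or from the campaign. It flags
npm lifecycle hooks that run on `npm install` and one-liners hidden in
otherwise benign source files. Thresholds and patterns are heuristics chosen
by this author, not indicators from the report.
"""
import json
import re
import sys
from pathlib import Path

# npm runs these automatically during `npm install`; treat them as code execution.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py"}
MAX_LINE = 300  # assumption: a single line longer than this deserves a manual look

SUSPICIOUS = [
    ("eval-call", re.compile(r"\beval\s*\(")),
    ("function-ctor", re.compile(r"\bnew\s+Function\s*\(")),
    ("child-process", re.compile(r"""require\(\s*['"]child_process['"]\s*\)""")),
    ("hex-blob", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
    ("base64-decode", re.compile(r"""Buffer\.from\([^)]*['"]base64['"]""")),
    ("raw-ip-url", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")),
]
# Code parked after a long run of spaces or after a long block comment, so it
# sits to the right of the editor viewport and is easy to miss when skimming.
OFF_SCREEN = re.compile(r"(?:\s{80,}|/\*.{200,}?\*/\s*)\S")


def scan_package_json(text):
    """Return (label, line, detail) findings for a package.json body."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [("unparseable-package-json", 0, "")]
    if not isinstance(pkg, dict):
        return [("unexpected-package-json", 0, "")]
    scripts = pkg.get("scripts") or {}
    return [("lifecycle-hook", 0, f"{name}: {cmd}")
            for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS]


def scan_source(text):
    """Return (label, line, detail) findings for one source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if len(stripped) > MAX_LINE:
            findings.append(("long-line", lineno, f"{len(stripped)} chars"))
        if OFF_SCREEN.search(line):
            findings.append(("off-screen-code", lineno, stripped[-60:]))
        for label, pattern in SUSPICIOUS:
            if pattern.search(line):
                findings.append((label, lineno, stripped[:80]))
    return findings


def scan_files(files):
    """files: {relative_path: text}. Returns {path: [findings]} for files with hits."""
    report = {}
    for rel, text in files.items():
        path = Path(rel)
        if path.name == "package.json":
            hits = scan_package_json(text)
        elif path.suffix in SOURCE_SUFFIXES:
            hits = scan_source(text)
        else:
            continue
        if hits:
            report[rel] = hits
    return report


def scan_repo(root):
    """Read a cloned repo from disk (skipping node_modules and .git) and scan it."""
    root = Path(root)
    files = {}
    for path in root.rglob("*"):
        if not path.is_file() or {"node_modules", ".git"} & set(path.parts):
            continue
        try:
            files[str(path.relative_to(root))] = path.read_text(errors="replace")
        except OSError:
            continue
    return scan_files(files)


# Constructed sample input (not taken from a real lure): an install hook plus a
# one-liner hidden behind 300 spaces in an otherwise ordinary module.
SAMPLE_REPO = {
    "package.json": json.dumps({
        "name": "trading-bot",
        "scripts": {"postinstall": "node scripts/setup.js", "start": "node index.js"},
    }),
    "src/config.js": "module.exports = { rpc: 'https://example.invalid' };\n",
    "src/index.js": (
        "const cfg = require('./config');\n"
        "// init" + " " * 300
        + "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());\n"
    ),
}

if __name__ == "__main__":
    report = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_REPO)
    for rel, hits in report.items():
        for label, lineno, detail in hits:
            print(f"{rel}:{lineno}: {label}  {detail}")
```

Run it as `python triage.py /path/to/clone`; with no argument it scans the embedded sample. A clean report does not mean the project is safe, since the attackers control the code and can evade string heuristics, so the safer habit is still to build unknown projects in a disposable VM or container with no wallets, browser profiles, or SSH keys mounted.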
BeaverTail and InvisibleFerret are the two main malware families. BeaverTail is the first stage: it steals browser and cryptocurrency wallet data and downloads InvisibleFerret, a modular Python malware with components for information collection, backdooring, and theft of data from browsers.
ESET reports that the primary targets of the campaign are software developers in cryptocurrency and decentralized finance projects worldwide, with concentrations in various countries including Finland, India, Italy, and the U.S.
The attackers show a disregard for stealth, evident in poor coding practices, and a focus on compromising as many victims as possible to extract funds and information.
The use of job interview decoys is a common tactic among North Korean hacking groups, with evidence suggesting involvement in fraudulent IT worker schemes to fund regime priorities.
Overall, the DeceptiveDevelopment cluster adds to the array of money-making schemes employed by North Korea-aligned actors, showcasing a shift towards cryptocurrencies and more advanced malware and techniques.