Introduction

A new variant of the BeaverTail malware [2] [6], associated with North Korean threat actors [1], has emerged, specifically targeting software developers through deceptive job interview schemes. This campaign, known as the “Contagious Interview” campaign [6], employs fake recruiters to lure tech job seekers into downloading malicious software disguised as work-related materials.

Description

A new variant of the BeaverTail malware [2] [6], linked to North Korean threat actors [1] [7], has been identified targeting software developers through fake job interviews [4], in what is known as the “Contagious Interview” campaign (tracked as CL-STA-0240) [4]. The operation, reported by Palo Alto Networks’ Unit 42 [4] [8], uses fake recruiters on job search platforms like LinkedIn and X (formerly Twitter) to deceive tech job seekers into downloading malicious software disguised as work-related materials during online interviews [1] [3] [4]. The latest version of BeaverTail was introduced in July 2024 [6], having evolved from the malware first reported in November 2023, and is compiled using the cross-platform Qt framework [2], enabling deployment on both macOS and Windows systems [2].

This updated version enhances its capabilities by stealing browser passwords on macOS and specifically targeting 13 different cryptocurrency wallet browser extensions, an increase from the previous 9. The targeted extensions include MetaMask, BNB Chain [3], Exodus [3], Phantom [3], TronLink [3], Crypto.com [3], Coin98 [3], Kaikas [3], Rabby [3], and Argent X – Starknet [3]. Attackers employ social engineering tactics to set up online technical interviews [9], during which they persuade potential victims to install these disguised applications. The initial infection stage utilizes the BeaverTail downloader [1] [7], which serves as a conduit for the more dangerous Python-based InvisibleFerret backdoor.

Recent analyses have revealed that the attack chain employs fake video conferencing applications impersonating MiroTalk and FreeConference.com to infiltrate developer systems [1]. Once installed, BeaverTail operates in the background without visible indicators [3], stealing sensitive data [2], including browser passwords and information from cryptocurrency wallets [3] [4]. The malware also features a browser stealer component that collects browser credentials and credit card information, exfiltrating this data to an adversary-controlled server [1] [7]. Following the initial infection [1] [3] [7], the InvisibleFerret backdoor is deployed [5] [6], facilitating keylogging [2], host fingerprinting [1] [7], file exfiltration [2] [3], and the downloading of remote control software like AnyDesk [2].
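For defenders, the behaviour chain above can be turned into a simple endpoint hunt. This is an added example, not code from the cited reports. It flags non-browser processes that read Chromium credential or extension storage and also drop an AnyDesk installer. The process name `MeetingApp`, the hosts, the paths, the browser allowlist and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Chromium profile artifacts holding the data the article says is stolen.
SENSITIVE_PARTS = {
    "Login Data": "browser_passwords",                 # saved logins
    "Web Data": "payment_data",                        # autofill and saved cards
    "Local Extension Settings": "extension_storage",   # wallet extension state
}
# Assumption: process names allowed to read their own browser profile.
BROWSERS = {"google chrome", "chrome.exe", "brave browser", "msedge.exe"}

MAC = "/Users/dev/Library/Application Support/Google/Chrome/Default/"
WIN = "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
# Constructed sample telemetry: (host, process, action, path).
EVENTS = [
    ("dev-mac-01", "Google Chrome", "read", MAC + "Login Data"),
    ("dev-mac-01", "MeetingApp", "read", MAC + "Login Data"),
    ("dev-mac-01", "MeetingApp", "read",
     MAC + "Local Extension Settings/EXTENSION_ID_PLACEHOLDER/000003.log"),
    ("dev-mac-01", "MeetingApp", "write", "/Users/dev/Downloads/AnyDesk.dmg"),
    ("dev-win-02", "backup.exe", "read", WIN + "Login Data"),
]

def categorize(action, path):
    """Map one file event to a behaviour label, or None if uninteresting."""
    parts = re.split(r"[\\/]", path)
    if action == "read":
        for part, label in SENSITIVE_PARTS.items():
            if part in parts:
                return label
    if action == "write" and "anydesk" in parts[-1].lower():
        return "remote_tool_drop"
    return None

def find_suspects(events, threshold=2):
    """Return {(host, process): labels} for non-browser processes that show
    at least `threshold` distinct behaviours from the chain."""
    seen = defaultdict(set)
    for host, proc, action, path in events:
        if proc.lower() in BROWSERS:
            continue
        label = categorize(action, path)
        if label:
            seen[(host, proc)].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (host, proc), labels in find_suspects(EVENTS).items():
        print(f"ALERT {host} {proc}: {', '.join(labels)}")
```

Requiring two distinct behaviours keeps a single legitimate reader, such as the constructed `backup.exe`, below the alert threshold.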

This campaign poses significant risks [2], including potential infiltration of companies employing the targeted job seekers [2] [3], as successful infections on company-owned devices could lead to the collection and exfiltration of sensitive information [3]. The financial motive behind this campaign is evident [9], as the malware specifically aims to steal cryptocurrency from an increasing number of wallets [9], supporting the notion that North Korean threat actors conduct financial crimes to fund the DPRK regime [7]. The ongoing development of the malware indicates that attackers are actively refining their methods [2], highlighting the persistent threat to job-seeking individuals in the tech industry. Awareness of these advanced social engineering campaigns is crucial for individuals and organizations [3], and protective measures are advised [3].

Conclusion

The “Contagious Interview” campaign underscores the evolving threat landscape faced by software developers and organizations. The financial motivations driving these attacks, particularly the theft of cryptocurrency, highlight the need for heightened vigilance and robust cybersecurity measures. Organizations must educate employees about such social engineering tactics and implement protective strategies to mitigate potential risks. As threat actors continue to refine their methods, staying informed and proactive is essential to safeguarding sensitive information and maintaining cybersecurity resilience.

References

[1] https://vulners.com/thn/THN:9060DE7236DE0898C71155A08C5A1D34
[2] https://www.infosecurity-magazine.com/news/beavertail-malware-job-seekers/
[3] https://www.benzinga.com/content/41253365/from-9-to-13-different-wallets-fake-web3-job-recruiters-update-their-crypto-stealing-malware
[4] https://www.cyclonis.com/north-korean-hackers-use-fake-job-interviews-infect-developers-cross-platform-malware/
[5] https://thenimblenerd.com/article/job-scam-alert-north-korean-recruiters-turn-interviews-into-malware-mayhem/
[6] https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/
[7] https://thehackernews.com/2024/10/n-korean-hackers-use-fake-interviews-to.html
[8] https://www.linkedin.com/posts/wdevault_researchers-uncover-major-security-vulnerabilities-activity-7249806532551344129-si2z
[9] https://itnerd.blog/2024/10/09/north-korean-hackers-target-tech-job-seekers-in-new-malware-campaign/