Threat intelligence researchers report that North Korean hackers are likely behind two malware campaigns posing as job recruiters and job seekers.
The malware campaigns "Contagious Interview" and "Wagemole," carried out on the GitHub platform, are confirmed by Palo Alto Networks' Unit 42 cyber experts.
In these campaigns, malicious actors posing as employers hold fake job interviews with software developers and distribute malware during the bogus interview. Cyber experts at Palo Alto Networks' Unit 42 link the activity with "moderate confidence" to state-sponsored threat actors associated with the Democratic People's Republic of Korea (DPRK).
The campaign's malware components, "BeaverTail" and "InvisibleFerret," run on Windows, Linux, and Mac operating systems. They provide remote access to the infected device and retrieve and decrypt stored login data, stealing the victim's login credentials.
The malware lifts sensitive data; enables remote control, fingerprinting, and keylogging to continually collect keyboard, mouse, and clipboard data; and steals credit card information and cryptocurrency.
A second campaign, "Wagemole," which cyber experts assess with "high confidence" to originate from North Korean threat actors, focuses on financial gain and espionage by embedding fraudsters in U.S. companies through fraudulent job-seeking activity.
The "Wagemole" malware associated with North Korean threat actors includes counterfeit resumes listing several technical skill sets, along with fraudulent identities of various nationalities.
Enabled by Voice over Internet Protocol (VoIP), each phony resume has a different U.S. personal contact phone number. Some sham resumes include links to LinkedIn profiles and GitHub content, copies of I.T. job openings from U.S. companies, a scanned copy of a stolen U.S. Permanent Resident Card, self-introduction scripts for the phony identity, common job interview questions and answers, and more to help threat actors carry out the scam.
Cyber experts noted that information in some documents indicates the associated passwords were created by typing Korean-language words on U.S. keyboard layouts, and that some passwords contain words used only in North Korea.
Furthermore, Korean keyboard language settings were found on computers used by threat actors behind these campaigns, linking threat actors to North Korea.
Cyber experts note that these cyberthreats bear striking similarities to a recent U.S. government advisory exposing North Korea's strategy to dispatch skilled I.T. workers for employment globally to fund weapons programs.
In October of 2023, FBI and Department of Justice officials informed the public that thousands of IT workers contracting with U.S. companies have secretly funneled millions of dollars of wages to fund North Korea's ballistic missile program.
It's purported that North Korea's government deployed IT workers to live in China and Russia with the objective of misleading U.S.-based businesses and companies in other nations into hiring them as remote freelancers.
The investigation is ongoing; however, FBI Special Agent in Charge of the St. Louis FBI office, Jay Greenberg, stated that North Korean workers used various techniques to fraudulently give the appearance of working in the U.S.
It is reported that their tactics included paying Americans to use their home Wi-Fi connections.
The FBI and DOJ advisory also aligns with February 2023 reports where United Nations experts stated that state-sponsored North Korean hackers used high-level techniques to infiltrate digital networks involved in cyber finance, stealing information useful in North Korea's nuclear and ballistic missile programs from governments, individuals, and companies.
U.N. experts on the matter stated that hackers sponsored by the North Korean government stole virtual funds with an estimated value of between $630 million and more than $1 billion in 2022.
In the current "Wagemole" malware campaign, fraudulent job seekers maintained multiple accounts for email, freelance websites, source code repositories, and job agency platforms to win job bids while hiding their true identities.
The fraudulent GitHub accounts are nearly indistinguishable from legitimate accounts due to lengthy activity history, frequent code updates, and socialization with other developers.
While IT positions have been the apparent targets of these latest malware campaigns, cyber experts warn that the recovered documents are not limited to remote IT jobs at U.S.-based companies. Some documents indicate that this threat actor also seeks freelance jobs on multiple marketplaces, targeting global markets more broadly.
Tips for Job Seekers:
• Confirm the legitimacy of companies
• Confirm that interviewers actually work for the companies they claim to represent
• Be wary of downloading and installing unusual types of software packages as a prerequisite for interviews
Tips for Employers:
• Thoroughly vet all job applicants
Additionally, use caution with candidates who apply for on-site jobs, state they are currently out of the area, yet offer immediate availability for remote work. Use video teleconferencing to interview if in-person interviews are not an option.
If you think you are not a target and this is someone else's problem, think again.
Every American represents a point of entry to a U.S. company, system, software, or our government as a whole. Remain alert. One watchful eye can forge a worthwhile defense in our chain of national security.
© 2024 Newsmax. All rights reserved.