North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.
The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for Windows and Apple macOS to deliver malware.
Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the moniker Famous Chollima.
The attack chains begin with a fictitious job interview, tricking job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware, which in turn delivers a cross-platform Python backdoor known as InvisibleFerret, which is equipped with remote control, keylogging, and browser stealing capabilities.
Some iterations of BeaverTail, which also functions as an information stealer, have manifested in the form of JavaScript malware, typically distributed via bogus npm packages as part of a purported technical assessment during the interview process.
But that changed in July 2024 when Windows MSI installer and Apple macOS disk image (DMG) files masquerading as the legitimate MiroTalk video conferencing software were discovered in the wild, acting as a conduit to deploy an updated version of BeaverTail.
The latest findings from Group-IB, which has attributed the campaign to the infamous Lazarus Group, suggest that the threat actor is continuing to lean on this specific distribution mechanism, the only difference being that the installer (“FCCCall.msi”) mimics FreeConference.com instead of MiroTalk.
It is believed that the phony installer is downloaded from a website named freeconference[.]io, which uses the same registrar as the fictitious mirotalk[.]net website.
“In addition to LinkedIn, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others,” security researcher Sharmine Low said.
“After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process.”
In a sign that the campaign is undergoing active refinement, the threat actors have been observed injecting the malicious JavaScript into both cryptocurrency- and gaming-related repositories. The JavaScript code, for its part, is designed to retrieve the BeaverTail JavaScript code from the domain ipcheck[.]cloud or regioncheck[.]net.
It is worth mentioning here that this behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are simultaneously making use of different propagation vectors.
Another notable change is that BeaverTail is now configured to extract data from more cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X, and Exodus Web3, in addition to implementing functionality to establish persistence using AnyDesk.
That is not all. BeaverTail’s information-stealing features are now realized through a set of Python scripts, collectively called CivetQ, which is capable of harvesting cookies, web browser data, keystrokes, and clipboard content, and delivering more scripts. A total of 74 browser extensions are targeted by the malware.
“The malware is able to steal data from Microsoft Sticky Notes by targeting the application’s SQLite database files located at `%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`, where user notes are stored in an unencrypted format,” Low said.
“By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim’s Sticky Notes application.”
The emergence of CivetQ points to a modularized approach, while also underscoring that the tools are under active development and have been constantly evolving in small increments over the past few months.
“Lazarus has updated their tactics, upgraded their tools, and found better ways to conceal their activities,” Low stated. “They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms.”
The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) warned of North Korean cyber actors’ aggressive targeting of the cryptocurrency industry using “well-disguised” social engineering attacks to facilitate cryptocurrency theft.
“North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen,” the FBI said in an advisory released Tuesday, stating that the threat actors scout potential victims by reviewing their social media activity on professional networking or employment-related platforms.
“Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies’ employees to gain unauthorized access to the company’s network.”