Job Centric Themes Fueling Two North Korean Campaigns
Researchers from Unit 42 have uncovered two distinct cyber campaigns associated with North Korean state-sponsored threat actors. Both campaigns leverage job- and employment-centric themes. In the first campaign, dubbed "Contagious Interview," threat actors pose as employers and target software developers seeking employment opportunities. Unit 42 warns that software developers are targeted in the Contagious Interview campaign because they're "often the weakest link for supply chain attacks." By simulating job interviews and leveraging collaboration hubs like GitHub, the threat actors lure victims into downloading malicious packages that subsequently infect their systems.
Two newly observed malware families, tracked as BeaverTail and InvisibleFerret, facilitate cryptocurrency theft and include functionality for keylogging and credential theft from browsers. The malware is also reported to drop AnyDesk during the intrusion to further the attack. "Based on some of the file names of malware associated with this campaign, we believe this threat actor might also impersonate legitimate AI, cryptocurrency and NFT-related companies or recruitment agencies," Unit 42 reports. Based on its observations of the Contagious Interview campaign, Unit 42 attributes the activity to a North Korean state-sponsored threat actor with moderate confidence.
The second campaign, named "Wagemole," involves threat actors seeking unauthorized employment with organizations globally, especially in the US. The campaign, identified with high confidence as North Korean state-sponsored, aims at financial gain and potential espionage. By creating fraudulent identities and leveraging exposed files on GitHub, the threat actors target a wide array of US companies. The threat actors sidestep requirements for onsite presence by claiming they are overseas supporting family members with ailments such as COVID, but are able to start the job remotely immediately.
Aligned with this campaign is an October report from the US Department of Justice and FBI that North Korea exploits remote workers to fund its weapons programs, indicating a dual objective of financial gain and potential support for illicit activities.