Ethical Hacking News
North Korean hackers are targeting freelance software developers through a job scam, using spear-phishing tactics and malware families known as BeaverTail and InvisibleFerret to steal cryptocurrency wallets and login information. The campaign, codenamed DeceptiveDevelopment, has been ongoing since at least late 2023. Freelance developers who work on cryptocurrency-related projects are the primary targets of this campaign.
North Korean hackers have been targeting freelance software developers through a job scam, leveraging spear-phishing tactics and malware families known as BeaverTail and InvisibleFerret. The campaign, codenamed DeceptiveDevelopment, has been ongoing since at least late 2023, with the attackers aiming to steal cryptocurrency wallets and login information from browsers and password managers.
According to cybersecurity company ESET, the DeceptiveDevelopment campaign involves fake recruiter profiles on social media, which are used to reach out to prospective targets and share trojanized codebases hosted on GitHub, GitLab, or Bitbucket. The codebases deploy backdoors under the pretext of a job interview process, with the attackers instructing victims to fix bugs or add new features to cryptocurrency-related projects.
Subsequent iterations of the campaign have branched out to other job-hunting platforms, including Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List. The bogus projects masquerade as cryptocurrency initiatives, games with blockchain functionality, and gambling apps with cryptocurrency features. More often than not, the malicious code is embedded within a benign component in the form of a single line.
Security researcher Matěj Havránek explained that the initial compromise happens when victims are instructed to build and execute the project to test it. The repositories used are usually private, so the victim is asked to provide their account ID or email address to be granted access to them. This is likely done to conceal the malicious activity from researchers.
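A pre-build review check, added here as an illustration and not part of the ESET research or the original article: before running an unfamiliar "take-home" project, a reviewer can scan the checkout for the shape the article describes, a single line hidden inside an otherwise benign component. The heuristic flags source lines that are far longer than the rest of their file and that hand a large string literal to a dynamic-execution call. The file extensions, regexes, length thresholds and the sample repository are all constructed assumptions for the example, not indicators from the campaign.

```python
"""Pre-build review heuristic for a cloned 'take-home' repository.

Added illustration for this article, not ESET's tooling and not a sample from
the campaign. It flags source lines that are unusually long compared with the
rest of the file and that pass a large string literal to dynamic code
execution, which is the shape a single-line implant in a benign file tends to
have. Thresholds, patterns and the sample repository are constructed here.
"""
import os
import re
import statistics
import tempfile

SOURCE_EXTENSIONS = {".js", ".mjs", ".cjs", ".ts", ".py"}
# Calls that turn data into code; a constructed heuristic list, not a signature set.
DYNAMIC_EXEC = re.compile(r"\b(eval|Function|exec|new\s+Function|child_process|execSync|spawn)\b")
LONG_LITERAL = re.compile(r"[\"'`][^\"'`]{200,}[\"'`]")
MIN_SUSPECT_LENGTH = 500  # shorter lines are rarely a complete payload


def scan_file(path):
    """Return a list of (line_no, reason) findings for one source file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines()
    lengths = [len(l) for l in lines if l.strip()]
    if not lengths:
        return []
    median = statistics.median(lengths)
    findings = []
    for no, line in enumerate(lines, 1):
        if len(line) < MIN_SUSPECT_LENGTH:
            continue
        reasons = []
        # One line many times longer than the file's typical line is the
        # "single line in a benign component" pattern the article describes.
        if len(line) > 10 * median:
            reasons.append("length %d vs median %d" % (len(line), median))
        if DYNAMIC_EXEC.search(line) and LONG_LITERAL.search(line):
            reasons.append("dynamic execution of a large string literal")
        if reasons:
            findings.append((no, "; ".join(reasons)))
    return findings


def scan_repo(root):
    """Walk a checkout and return {relative_path: findings} for flagged files."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            if os.path.splitext(name)[1] not in SOURCE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            findings = scan_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_repo():
    """Construct a small fake checkout: ordinary files plus one planted line."""
    root = tempfile.mkdtemp(prefix="review-")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "app.js"), "w") as fh:
        fh.write("const express = require('express');\n"
                 "const app = express();\n"
                 "app.get('/', (req, res) => res.send('ok'));\n"
                 "app.listen(3000);\n")
    with open(os.path.join(root, "src", "config.js"), "w") as fh:
        fh.write("module.exports = {\n"
                 "  port: 3000,\n"
                 "  name: 'demo',\n"
                 "  debug: false,\n"
                 "};\n")
        # Constructed stand-in for an implant: a harmless but very long string
        # handed to eval on one line, mimicking the pattern from the article.
        payload = "'" + "x" * 700 + "'"
        fh.write("const init = () => { eval(%s); };\n" % payload)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel_path, hits in scan_repo(repo).items():
        for line_no, reason in hits:
            print("%s:%d: %s" % (rel_path, line_no, reason))
```

Run it against the actual checkout root instead of the sample to review a real project; a hit is a reason to read that line by hand before building, not proof of compromise, since build tooling and minified vendor files also produce long lines.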
A second method used for achieving initial compromise involves tricking victims into installing a malware-laced video conferencing platform like MiroTalk or FreeConference. Both BeaverTail and InvisibleFerret come with information-stealing capabilities, with BeaverTail serving as a downloader for InvisibleFerret. BeaverTail also comes in two flavors: a JavaScript variant that can be placed within the trojanized projects, and a native version built using the Qt platform disguised as conferencing software.
InvisibleFerret is a modular Python malware that retrieves and executes three additional components: pay, bow, and adc. Pay collects information and acts as a backdoor capable of accepting remote commands from an attacker-controlled server to log keystrokes, capture clipboard content, run shell commands, exfiltrate files and data from mounted drives, install the AnyDesk and browser modules, and gather information from browser extensions and password managers.
Bow is responsible for stealing login data, autofill data, and payment information stored in Chromium-based browsers like Chrome, Brave, Opera, Yandex, and Edge. Adc functions as a persistence mechanism by installing the AnyDesk remote desktop software.
ESET said that the primary targets of the campaign are software developers working in cryptocurrency and decentralized finance projects across the world, with significant concentrations reported in Finland, India, Italy, Pakistan, Spain, South Africa, Russia, Ukraine, and the U.S. The attackers do not distinguish based on geographical location and aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information.
The use of job interview decoys is a classic strategy adopted by various North Korean hacking groups, including the long-running campaign dubbed Operation Dream Job. Furthermore, there is evidence to suggest that the threat actors are also involved in the fraudulent IT worker scheme, where North Korean nationals apply for overseas jobs under false identities to draw regular salaries as a way to fund the regime's priorities.
ESET noted that the DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies. The attackers' poor coding practices, such as failing to remove development notes or using local IP addresses for development and testing, indicate that they are not concerned about stealth.
The threat actors' tactics and techniques have evolved over time, with the use of more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware. This campaign highlights the need for cybersecurity awareness and education among freelance software developers and other individuals working on cryptocurrency-related projects.
Related Information:
https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html
https://en.wikipedia.org/wiki/Lazarus_Group
https://www.wired.com/story/north-korean-hacker-group-apt37/
Published: Thu Feb 20 12:13:20 2025 by llama3.2 3B Q4_K_M