North Korean threat actors are posing as both job recruiters and job seekers on the Web, deceiving companies and applicants for financial gain and, possibly, to gain access into Western organizations.
Palo Alto Networks’ Unit 42 this week published the details of two such ongoing campaigns it tracks as “Contagious Interview” and “Wagemole.”
For Contagious Interview, threat actors from the Democratic People’s Republic of Korea (DPRK) are acting as employers, posting about fake job openings, and engaging with unwitting applicants. Then, during the vetting process, they lure the applicants into installing sophisticated, cross-platform infostealers.
In Wagemole, the baddies switch roles, donning fake personas to apply for jobs at established organizations based in the US and elsewhere.
As Michael Sikorski, chief technology officer and vice president of Unit 42, explains, these elaborate ruses produce much more believable social engineering than your typical phishing email.
“People are bombarded with emails all day long — most of those get dumped in the trash bin, or even get flagged as spam. So this is an effort to pivot away and make it seem a lot more realistic,” he says.
Deceiving Job Seekers
The DPRK has long been a source of creative espionage and financial cybercrime. Besides traditional cyber theft — for which it is prolific — the hackers working for Kim Jong Un's regime have also ventured off the beaten path, into domains and with tactics largely unseen elsewhere in the world.
For example, its state-sponsored hackers have posed as recruiters for high-tech jobs, luring developers into engagements lasting weeks or even months, with malware waiting at the end of them. One such case last year led to the heist of Axie Infinity, a popular Web3 pay-to-play game, totaling north of half a billion dollars.
Ever since, it seems, the hackers have been trying to repeat that success.
Since at least March, the threat actor behind Contagious Interview has posted vague job openings for software developers or jobs specifically tailored to the AI and Web3 fields. After making initial contact via social media, online forums, or other means, the group invites applicants to an online interview.
InvisibleFerret is a Python-based backdoor capable of fingerprinting, keylogging, credential harvesting, data exfiltration, remote control, and, if need be, downloading the AnyDesk RMM for further control over a compromised computer.
Per the recent trend among capable APTs, both Beavertail and InvisibleFerret work across operating systems: Windows, Linux, and macOS.
Interestingly, stealing money and spying on the target may not actually be the primary purpose of either malware. “By getting them to install malware, [the attackers] then have a foothold on that system. Now, if that person goes and works somewhere else in the future — they probably will get a real job somewhere else — then all of a sudden that could lead to an infection into that company’s supply chain,” Sikorski suggests.
North Koreans have also for years posed as applicants seeking remote work in the tech space. Through a maze of fake resumes, email, social media, websites, and so on, real people working under fake personas earn jobs and then funnel their earnings back to the Kim regime.
While investigating the GitHub infrastructure behind Contagious Interview, the researchers came across evidence of these schemes: longstanding, detailed accounts on GitHub, LinkedIn, freelancer marketplaces, scripts for phone interviews, stolen US permanent resident cards, and more.
It’s unclear how many of these ersatz IT workers have developed real, long-standing relationships with companies. But just last month the US Department of Justice noted that “this scheme is so prevalent that companies must be vigilant to verify whom they’re hiring.”
Companies that hire employees under fake identities don’t just face a risk of embarrassment, Sikorski warns. “Just think of the tremendous amount of risk it is to have a state-sponsored actor inside your environment,” he says. “And remember: these are software developers, which means they have access to source code.”