North Korean threat actors have used a fake Windows video conferencing application posing as FreeConference.com to shut down developers’ systems as part of an ongoing funding campaign called Contagious Interview.
A new wave of attack, spotted by Singapore-based Group-IB in mid-August 2024 is further evidence that this activity is also using proprietary installers for Windows and Apple macOS to deliver malware.
Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the alias Famous Chollima.
The attack chains begin with a mock interview that forces job seekers to download and run a Node.js project that contains the BeaverTail bootloader malware, which in turn provides a cross-platform Python backdoor known as InvisibleFerret, which equipped with remote control, keylogging and browser hijacking capabilities.
Some iterations of BeaverTail, which also functions as an information stealer, manifest as JavaScript malware, usually distributed via fake npm packages as part of the intended technical assessment in the interview process.
But that changed in July 2024, when Windows MSI installer files and Apple macOS disk image (DMG) files were found in the wild, posing as legitimate MiroTalk video conferencing software and acting as a conduit to deploy an updated version of BeaverTail.
Recent findings by Group-IB, which attributed the campaign to the infamous Lazarus Group, suggest that the threat actor continues to rely on this specific distribution mechanism, with the only difference being that the installer (“FCCCall.msi”) mimics FreeConference.com instead of MiroTalk .
The fake installer is believed to be downloaded from a website called freeconference(.)io, which uses the same registrar as the fake mirotalk(.)net site.
“In addition to Linkedin, Lazarus also actively searches for potential victims on other job search platforms such as WWR, Moonlight, Upwork and others,” said security researcher Sharmin Lowe.
“After the first contact, they often try to shift the conversation on Telegram, where they would then ask potential interviewees to download a video conferencing app or a Node.js project to complete a technical task as part of the interview process.”
In a sign that the company is actively improving, threat actors have been seen injecting malicious JavaScript into both cryptocurrency vaults and game repositories. The JavaScript code, on the other hand, is designed to retrieve the BeaverTail Javascript code from the ipcheck(.)cloud or regioncheck(.)net domain.
It is worth mentioning here that this behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package called valid helmetsuggesting that threat actors are simultaneously using different propagation vectors.
Another notable change is that BeaverTail is now configured to extract data from more cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X, and Exodus Web3, in addition to implementing functionality to set escrow using AnyDesk.
That’s not all. BeaverTail’s information-stealing features are now implemented using a set of Python scripts collectively called CivetQ, which are capable of collecting cookies, web browser data, keystrokes, and clipboard contents, as well as delivering additional scripts. A total of 74 browser extensions are affected by malware.
“The malware is able to steal data from Microsoft Sticky Notes by targeting the application’s SQLite database files located at `%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`, where the user’s notes are stored in an unencrypted format,” Low said. .
“By querying and extracting data from this database, the malware can obtain and steal sensitive information from the victim’s Sticky Notes application.”
The appearance of CivetQ indicates a modular approach and also highlights that the tools are under active development and have been constantly evolving in small increments over the past few months.
“Lazarus has updated their tactics, improved their tools and found better ways to hide their activities,” Lowe said. “They show no signs of letting up, and their campaign to target job seekers continues into 2024 and into the present day. Their attacks are becoming more creative and they are now expanding their reach to more platforms.”
The disclosure comes as the US Federal Bureau of Investigation (FBI) warned of aggressive actions by North Korean cyber actors against the cryptocurrency industry using “well-disguised” social engineering attacks to facilitate cryptocurrency theft.
“North Korea’s social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen,” FBI. said The advisory issued Tuesday said threat actors scout potential victims by looking at their social media activity on professional networks or employment-related platforms.
“North Korean hacker teams in cyberspace are identifying specific DeFi or cryptocurrency-related businesses to target and are attempting to socially push dozens of employees at those companies to gain unauthorized access to the company’s network.”