N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

North Korean hackers are running a sophisticated operation aimed at software developers. This campaign, named “Contagious Interview,” uses fake job offers to trick victims into installing malware.

The attackers pretend to be recruiters and set up phony interviews with unsuspecting job seekers.

The malware used in these attacks comes in two main forms:

  1. BeaverTail – A downloader and information stealer
  2. InvisibleFerret – A backdoor program written in Python

BeaverTail can infect both Windows and Mac computers. It steals data and sets up InvisibleFerret on the victim’s machine.

The newest version of BeaverTail is built with the Qt framework, which lets a single code base run on several operating systems rather than requiring a separate build for each.

InvisibleFerret has two key parts:

  • Main payload: Gathers info about the infected computer, allows remote control, logs keystrokes, steals data, and installs AnyDesk
  • Browser stealer: Takes passwords and credit card details from web browsers
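The two behaviours the article attributes to InvisibleFerret, a backdoor written in Python whose main payload installs AnyDesk, give a defender a concrete process-tree pattern to hunt for: a Python interpreter spawning an AnyDesk binary or installer. The script below is an added example, not code from the article or from any of the researchers it cites. It runs that heuristic over a handful of constructed process-creation events; the event layout (one record with host, parent image, image and command line) and all host names and paths are assumptions, not a real EDR schema or real telemetry.

```python
"""Hunt for "Python interpreter launches AnyDesk" in process-creation events.

Added defender-side example based on the article's description of
InvisibleFerret (a Python backdoor that installs AnyDesk). The event
schema and sample records are constructed for illustration.
"""
from dataclasses import dataclass
import re

# A Python interpreter image: python, python3, python3.11, python.exe, ...
# preceded by a path separator or the start of the string.
PYTHON_RE = re.compile(r"(^|[\\/])python(\d+(\.\d+)?)?(\.exe)?$", re.IGNORECASE)
# Any reference to AnyDesk in the child image path or its command line.
ANYDESK_RE = re.compile(r"anydesk", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation event (assumed schema)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def is_python_interpreter(image: str) -> bool:
    """True if the image path looks like a Python interpreter binary."""
    return PYTHON_RE.search(image) is not None


def references_anydesk(image: str, cmdline: str) -> bool:
    """True if the child image or its command line mentions AnyDesk."""
    return bool(ANYDESK_RE.search(image) or ANYDESK_RE.search(cmdline))


def find_python_spawning_anydesk(events):
    """Return events where a Python interpreter launches an AnyDesk binary.

    A user who starts AnyDesk from Explorer or Finder is not flagged; only
    the interpreter-as-parent combination the article describes is.
    """
    return [
        e for e in events
        if is_python_interpreter(e.parent_image)
        and references_anydesk(e.image, e.cmdline)
    ]


# Constructed sample telemetry (hosts and paths are made up).
SAMPLE_EVENTS = [
    # Windows: Python drops and runs AnyDesk from a temp directory -> suspicious
    ProcEvent(
        host="dev-win-01",
        parent_image=r"C:\Users\dev\AppData\Local\Programs\Python\Python311\python.exe",
        image=r"C:\Users\dev\AppData\Local\Temp\AnyDesk.exe",
        cmdline=r'"C:\Users\dev\AppData\Local\Temp\AnyDesk.exe"',
    ),
    # macOS: python3 launches the AnyDesk app binary -> suspicious
    ProcEvent(
        host="dev-mac-02",
        parent_image="/usr/local/bin/python3",
        image="/Applications/AnyDesk.app/Contents/MacOS/AnyDesk",
        cmdline="/Applications/AnyDesk.app/Contents/MacOS/AnyDesk",
    ),
    # Windows: user starts AnyDesk from Explorer -> benign under this rule
    ProcEvent(
        host="dev-win-01",
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        cmdline=r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"',
    ),
    # macOS: a Python build script runs git -> benign
    ProcEvent(
        host="dev-mac-02",
        parent_image="/usr/local/bin/python3",
        image="/usr/bin/git",
        cmdline="git status",
    ),
]

if __name__ == "__main__":
    for hit in find_python_spawning_anydesk(SAMPLE_EVENTS):
        print(f"[ALERT] {hit.host}: {hit.parent_image} -> {hit.image}")
```

Run as a script, it prints one alert line for each of the two constructed hits (dev-win-01 and dev-mac-02) and stays silent for the Explorer-launched AnyDesk and the git invocation. The rule is deliberately narrow: it keys on the parent/child relationship rather than on AnyDesk alone, because AnyDesk is legitimate software on many developer machines and a bare "AnyDesk seen" alert would be too noisy to act on.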

The hackers contact developers through job websites. They invite victims to online interviews and try to get them to run malicious code.

This technique has been successful enough that the attacks continue even after being made public.

These cybercriminals have also used fake video chat apps to spread their malware. They created counterfeit versions of real services like MiroTalk and FreeConference.com.

When victims try to use these fake apps for their “interview,” they end up infected instead.

BeaverTail can now steal passwords from web browsers and take data from 13 different cryptocurrency wallets. This suggests the attackers may be after money.

North Korean hacking groups often try to steal funds to support their government.

Key features of the malware:

| Feature | BeaverTail | InvisibleFerret |
| --- | --- | --- |
| Platforms | Windows, macOS | Cross-platform |
| Main purpose | Initial infection, data theft | Remote access, further theft |
| Special abilities | Crypto wallet targeting | Keylogging, AnyDesk installation |

The attackers’ methods work well for several reasons:

  • Job seekers may be less cautious when communicating with supposed employers
  • The promise of work creates trust and urgency
  • Many people aren’t aware of this kind of threat
  • Cross-platform malware reaches more potential victims

Security experts warn that this campaign shows no signs of slowing down. The hackers keep finding success with their current tactics.

Companies and individuals in the tech industry should stay alert for suspicious job offers and be careful about running any code from unknown sources during a job search.