
Cybercriminals from North Korea are disguising themselves as recruiters and targeting freelance developers with infostealing malware.
Since last year, hundreds of freelance workers have been targeted in attacks by North Korean cybercriminals in what ESET researchers call “DeceptiveDevelopment.”
The attackers approach developers via job-hunting platforms such as LinkedIn and ask them to complete a task whose files are hosted on GitHub and similar platforms.
These files are trojanized and infect devices with the BeaverTail and InvisibleFerret malware; the primary objectives are stealing cryptocurrency for financial gain and conducting cyber espionage, according to ESET researchers.
Hackers use tricks to hide malicious code
The main targets of the North Korean hackers are developers involved in cryptocurrency and decentralized finance projects.
ESET attributes this activity to North Korean hackers because of connections between GitHub accounts used in the attacks and accounts containing fake CVs used by North Korean IT workers.
A number of cases have been reported of North Korean hackers applying for jobs in the US and sending their salaries back to their home country to fund the regime and spy on American businesses.
In their recruiting operations, the attackers copy the profiles of real people. They pose as headhunters and approach victims on freelancing and job-hunting platforms such as LinkedIn, Upwork, and Freelancer.com.
The cybercriminals then send links to a repository on GitHub, GitLab, or Bitbucket and instruct victims to build and run the project to test it, which delivers the malware.
“The attackers often use a clever trick to hide their malicious code: they place it in an otherwise benign component of the project, usually within backend code unrelated to the task given to the developer, where they append it as a single line behind a long comment,” ESET reports.
This pushes the code off-screen to the right, so it stays hidden unless the victim scrolls horizontally or has word wrap enabled in their code editor.
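The hiding trick described above leaves a measurable trace: a line that is far longer than the rest of the file, with code sitting behind a long run of whitespace or a long inline block comment. The following scanner, an added example that is not ESET's code or part of the original article, flags such lines before a developer builds an unfamiliar repository. The thresholds, the placeholder module name and the sample files are constructed assumptions, not indicators from the report.

```python
"""Heuristic scanner for code hidden off-screen behind whitespace or a long comment."""
import re
from dataclasses import dataclass

# Thresholds are constructed assumptions; tune them to the project's normal line widths.
MAX_LINE_LENGTH = 250     # flag any line longer than this
MIN_PADDING_RUN = 80      # flag a run of spaces/tabs this long that is followed by code
MIN_COMMENT_RUN = 80      # flag an inline block comment this long that is followed by code

# Long /* ... */ comment with non-whitespace (i.e. code) after it on the same line.
BLOCK_COMMENT_THEN_CODE = re.compile(r"/\*.{%d,}?\*/\s*\S" % MIN_COMMENT_RUN)
# Long run of horizontal whitespace followed by non-whitespace.
PADDING_THEN_CODE = re.compile(r"[ \t]{%d,}\S" % MIN_PADDING_RUN)


@dataclass
class Finding:
    path: str
    lineno: int
    reason: str
    tail: str   # last 60 characters of the line: the part a reviewer would not see on screen


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per suspicious line in `text`, the contents of file `path`."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reason = None
        if len(line) > MAX_LINE_LENGTH:
            reason = f"line length {len(line)} exceeds {MAX_LINE_LENGTH}"
        elif PADDING_THEN_CODE.search(line):
            reason = f"code follows a whitespace run of {MIN_PADDING_RUN}+ characters"
        elif BLOCK_COMMENT_THEN_CODE.search(line):
            reason = f"code follows a block comment of {MIN_COMMENT_RUN}+ characters"
        if reason:
            findings.append(Finding(path, lineno, reason, line[-60:].lstrip()))
    return findings


# Constructed sample: a benign-looking Express app whose last line has an extra
# require() pushed off-screen behind 150 spaces. The module name is an inert placeholder.
SAMPLE_JS = (
    "const express = require('express');\n"
    "const app = express();\n"
    "app.get('/', (req, res) => res.send('ok'));\n"
    "app.listen(3000);" + " " * 150 + "require('./PLACEHOLDER_MODULE');\n"
)

# Constructed sample: the same idea using a long inline block comment instead of whitespace.
SAMPLE_JS_COMMENT = (
    "function helper() { return 1; }\n"
    "/* " + "=" * 100 + " */ require('./PLACEHOLDER_MODULE');\n"
)

# Constructed sample: a clean file that should produce no findings.
CLEAN_JS = "const express = require('express');\nconst app = express();\napp.listen(3000);\n"


if __name__ == "__main__":
    samples = [("app.js", SAMPLE_JS), ("util.js", SAMPLE_JS_COMMENT), ("clean.js", CLEAN_JS)]
    for name, text in samples:
        for f in scan_source(name, text):
            print(f"{f.path}:{f.lineno}: {f.reason} -> ...{f.tail}")
```

Running the scanner over a cloned repository (for example, by walking the tree and calling `scan_source` on each `.js`, `.ts` or `.py` file) gives a quick triage list; a hit is not proof of malice, but a line that only becomes visible with word wrap enabled deserves a look before the project is built or executed.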
Spyware and backdoor
According to ESET, the attackers usually use two malware families, delivered in two stages.
BeaverTail has both a JavaScript and a native variant and is delivered either through a repository or through a conferencing link. The attackers lure victims into clicking the link by inviting them to job interviews on an online conferencing platform.
The malware acts as a simple login stealer, extracting browser databases that contain saved logins, and as a downloader for the second stage, InvisibleFerret.
“This is modular Python-based malware that includes spyware and backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities,” ESET researchers claim, detailing malware capabilities in their report.
In September, researchers at ReversingLabs documented similar cases in which North Korean hackers, disguised as recruiters, targeted Python developers.