North Korean-linked threat actors have been identified targeting tech industry job seekers with updated versions of familiar malware families known as BeaverTail and InvisibleFerret.
This threat activity, designated as CL-STA-0240, is part of a broader operation named “Contagious Interview,” initially revealed by Palo Alto Networks’ Unit 42 in November 2023.
According to a new report from Unit 42, “The actor behind CL-STA-0240 approaches software developers via job search platforms, impersonating potential employers to initiate contact.”
“The attackers lure the victim into an online interview, during which they persuade the target to download and install malicious software.”
The initial infection phase uses BeaverTail, a downloader and information-stealing malware that targets both Windows and Apple macOS. BeaverTail serves as the delivery mechanism for the Python-based InvisibleFerret backdoor.
Evidence suggests that the operation remains ongoing despite public exposure, indicating that the threat actors are still successfully compromising developers by tricking them into executing harmful code disguised as a legitimate coding assignment.
In two recent analyses, security researcher Patrick Wardle and cybersecurity firm Group-IB outlined an attack chain that used fake video conferencing applications for Windows and macOS, posing as MiroTalk and FreeConference.com, to compromise developer systems with BeaverTail and InvisibleFerret.
A key aspect of the attack is the use of the Qt framework, which allows cross-compilation for both Windows and macOS. The Qt-based version of BeaverTail is particularly dangerous, as it’s equipped to steal browser passwords and extract data from several cryptocurrency wallets.
BeaverTail not only exfiltrates stolen data to a server controlled by the attackers but is also designed to download and run the InvisibleFerret backdoor, which consists of two distinct components:
- A main payload that facilitates host fingerprinting, remote control, keylogging, data exfiltration, and the installation of AnyDesk.
- A browser stealer that gathers browser credentials as well as credit card details.
“North Korean threat actors are known to engage in financial crimes to fund the DPRK regime,” Unit 42 stated. “This campaign could have financial motives, as the BeaverTail malware is capable of stealing from 13 different cryptocurrency wallets.”