N. Korean Hackers Target Freelance Developers in a Malware Job Scam!

Freelance software developers are the target of an ongoing campaign that uses job-interview-themed lures to deliver two cross-platform malware families known as BeaverTail & InvisibleFerret.

The activity, linked to N. Korea, has been codenamed DeceptiveDevelopment. It overlaps with clusters tracked under the names Contagious Interview (aka CL-STA-0240), DEV#POPPER, Famous Chollima, PurpleBravo, & Tenacious Pungsan, & has been ongoing since at least late 2023.

Spear-Phishing

“DeceptiveDevelopment targets freelance software developers through spear-phishing on job-hunting & freelancing sites, aiming to steal cryptocurrency wallets & login information from browsers & password managers,” cyber-security company ESET said in a report.

In Nov. 2024, ESET confirmed the overlaps between DeceptiveDevelopment & Contagious Interview, classifying it as a new Lazarus Group activity aimed at cryptocurrency theft.

Fake Recruiter Profiles

The attack methods are characterised by fake recruiter profiles on social media that reach out to prospective targets &, under the pretext of a job interview process, share trojanised codebases hosted on GitHub, GitLab, or Bitbucket that deploy backdoors when built or run.

Later versions of the campaign have expanded to other job-hunting platforms such as Upwork, Freelancer.com, We Work Remotely, Moonlight, & Crypto Jobs List. As previously highlighted, these hiring challenges typically entail fixing bugs or adding new features to a cryptocurrency-related project.

Bogus Projects

Besides coding tests, the bogus projects pose as cryptocurrency initiatives, games with blockchain functionality, & gambling apps with cryptocurrency features. The malicious code is usually a single line embedded within an otherwise benign component of the project.

“Additionally, they are instructed to build & execute the project in order to assess it, which is where the initial compromise happens,” security researcher Matěj Havránek said. “The repositories used are usually private, so the victim is first asked to provide their account ID or email address to be granted access to them, most likely to conceal the malicious activity from researchers.”
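The article describes the trap as a single malicious line hidden in an otherwise benign file of a repository the target is asked to build and run. The script below is an added example, not code from the article or from ESET's report: a pre-build triage pass a freelancer can run over an unfamiliar "coding test" checkout before executing anything. It flags lines that combine at least two independent signals (unusual length, high character entropy suggesting an encoded blob, or tokens associated with decode-and-execute behaviour). The thresholds, the token list, and the sample project it builds in a temporary directory are constructed assumptions, not indicators published by ESET.

```python
"""
Added example (not from the article or ESET's report): a pre-build triage script
for an unfamiliar "interview" repository. It looks for the pattern the article
describes: one planted line inside an otherwise benign source file.
Thresholds, token list and the sample project are constructed assumptions.
"""
import math
import os
import tempfile
from collections import Counter

# File types worth scanning in a typical JS/TS/Python project (assumed set).
SOURCE_EXT = {".js", ".cjs", ".mjs", ".ts", ".jsx", ".tsx", ".py", ".json"}

# Tokens that appear in code which decodes and runs something at runtime.
# Their presence on an unusually long line is the signal, not each token alone.
SUSPECT_TOKENS = ("eval(", "new Function(", "child_process", "fromCharCode",
                  "atob(", "Buffer.from(", "http.get(", "https.get(", "\\x")

LONG_LINE = 300     # assumed: formatted source rarely exceeds this width
HIGH_ENTROPY = 5.0  # assumed: base64 blobs sit near 6 bits/char, code near 4.5


def shannon_entropy(text):
    """Bits per character; high values indicate packed or encoded data."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_line(line):
    """Return the list of reasons a line looks like a planted payload."""
    s = line.strip()
    reasons = []
    if len(s) > LONG_LINE:
        reasons.append(f"length={len(s)}")
    hits = [t for t in SUSPECT_TOKENS if t in s]
    if hits:
        reasons.append("tokens=" + "|".join(hits))
    ent = shannon_entropy(s)
    if len(s) > 80 and ent > HIGH_ENTROPY:
        reasons.append(f"entropy={ent:.2f}")
    return reasons


def scan_repo(root):
    """Walk a checkout and return lines carrying at least two independent signals."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Dependencies and VCS metadata are noise for this check.
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            if os.path.splitext(name)[1] not in SOURCE_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    reasons = score_line(line)
                    if len(reasons) >= 2:
                        findings.append({"file": os.path.relpath(path, root),
                                         "line": lineno, "reasons": reasons})
    return findings


def build_sample_repo(root):
    """Write a constructed two-file project: one clean file, one with a planted line."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    # Deterministic high-entropy filler standing in for an encoded blob; not a payload.
    blob = "".join(alphabet[(i * 7) % 62] for i in range(400))
    clean = "export function add(a, b) {\n  return a + b;\n}\n"
    planted = ("const util = require('util');\n"
               "function formatPrice(v) { return v.toFixed(2); }\n"
               f"const cfg = eval(Buffer.from('{blob}', 'base64').toString());\n"
               "module.exports = { formatPrice };\n")
    os.makedirs(os.path.join(root, "src"), exist_ok=True)
    with open(os.path.join(root, "src", "math.js"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    with open(os.path.join(root, "src", "format.js"), "w", encoding="utf-8") as fh:
        fh.write(planted)


def demo():
    """Build the constructed project in a temp dir and return the scanner's findings."""
    with tempfile.TemporaryDirectory() as repo:
        build_sample_repo(repo)
        return scan_repo(repo)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']}  {' '.join(f['reasons'])}")
```

Run it against a real checkout with `scan_repo("/path/to/checkout")`; anything it prints deserves a manual read before `npm install`, `npm run build`, or a Python entry point is executed. The two-signal rule keeps ordinary `Buffer.from` or `exec` calls in well-formatted code out of the report while still catching the long, dense, decode-and-run line the campaign relies on.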

Video Conferencing

A second method used to achieve initial compromise revolves around tricking victims into installing a malware-laced video conferencing application such as MiroTalk or FreeConference.

While both BeaverTail & InvisibleFerret have information-stealing capabilities, the former also serves as a downloader for the latter. BeaverTail comes in two variants: a JavaScript version that can be placed within the trojanised projects, & a native version built with the Qt framework that is disguised as conferencing software.

Modular Python Malware

InvisibleFerret is a modular Python malware that retrieves & executes three additional components:

  • pay, which collects information & acts as a backdoor capable of accepting remote commands from an attacker-controlled server to log keystrokes, capture clipboard content, run shell commands, exfiltrate files & data from mounted drives, install the AnyDesk & browser modules, & gather information from browser extensions & password managers.
  • bow, which is responsible for stealing login data, autofill data, & payment information stored in Chromium-based browsers such as Chrome, Brave, Opera, Yandex, & Edge.
  • adc, which functions as a persistence mechanism by installing the AnyDesk remote desktop software.

Cryptocurrency

ESET explained that the primary targets of the campaign are software developers working in cryptocurrency & decentralised finance projects across the world, with significant concentrations reported in Finland, India, Italy, Pakistan, Spain, S. Africa, Russia, Ukraine, & the US.

“The attackers don’t distinguish based on geographical location & aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds & information.”

Poor Coding Practices

This is also evidenced by the apparently poor coding practices of the operators, ranging from a failure to remove development notes to local IP addresses left over from development & testing, indicating that the operators are not concerned with stealth.

The use of job interview decoys is a classic strategy adopted by various N. Korean hacking groups, the most prominent of which is a long-running campaign dubbed Operation Dream Job.

There is also evidence suggesting that the threat actors are involved in the fraudulent IT worker scheme, in which N. Korean nationals apply for overseas jobs under false identities in order to draw regular salaries as a way to fund the regime.

GitHub Accounts

The overlaps include mutual follows between GitHub accounts controlled by the attackers & those containing fake CVs used by N. Korean IT workers. Some of the GitHub pages in question have since been taken down.

“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by N. Korea-aligned players & conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” ESET stated.

“During our research, we observed it go from primitive tools & techniques to more advanced & capable malware, as well as more polished techniques to lure in victims & deploy the malware.”
