North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures
Key Points
- North Korean threat actors are creating fake crypto firms and using job interview lures to spread malware.
- Front Companies Involved:
  - BlockNovas LLC
  - Angeloper Agency
  - SoftGlide LLC
Malware Distribution
- Malware Families Used:
  - BeaverTail
  - InvisibleFerret
  - OtterCookie
- Methods:
  - Fake hiring processes built around job interviews
  - Video assessments with coding assignments or "browser fix" tasks
Techniques and Tools
- Online Platforms Used:
  - Facebook, LinkedIn, Pinterest, Medium, GitHub, GitLab
- Additional Malware Details:
  - BeaverTail contacts external servers for command and control
  - InvisibleFerret establishes persistence on multiple operating systems
  - OtterCookie is deployed via a JavaScript payload
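The "coding assignment" and "browser fix" lures above deliver a JavaScript payload that reaches out to external servers, so a defender's first line of review is to inspect such an assignment statically before anyone runs `npm install` or `node`. The following is an added example, not code from the original article or from any vendor report: a small Python pre-screen that walks an unpacked assignment and flags traits worth blocking or reviewing. The rule names, regexes, file names and the sample assignment it builds are constructed assumptions for illustration, not signatures of BeaverTail, InvisibleFerret or OtterCookie.

```python
"""Heuristic static pre-screen for an interview "coding assignment" (added example).

Scans JavaScript/TypeScript files and package.json for traits a reviewer would
want surfaced before executing anything: eval of decoded data, child-process
use, install-time hooks, beaconing to hard-coded external hosts, and large
base64 blobs. All rules and sample files are constructed for illustration.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Hypothetical heuristics (assumptions), not vendor or malware-family signatures.
RULES = [
    ("eval_of_decoded_data", re.compile(r"eval\s*\(\s*(?:Buffer\.from|atob|unescape)\(")),
    ("child_process_use", re.compile(r"require\(\s*['\"]child_process['\"]\s*\)")),
    ("hardcoded_external_host", re.compile(
        r"https?://(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,})(?::\d+)?/", re.I)),
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("runs_on_install", re.compile(r'"(?:pre|post)install"\s*:')),  # package.json only
]

SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts"}


@dataclass
class Finding:
    path: str
    rule: str
    line: int
    snippet: str


def scan_file(path: Path) -> list[Finding]:
    """Apply every rule line by line; install-hook rule applies only to package.json."""
    findings: list[Finding] = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if name == "runs_on_install" and path.name != "package.json":
                continue
            if rx.search(line):
                findings.append(Finding(str(path), name, lineno, line.strip()[:80]))
    return findings


def scan_assignment(root: str) -> dict[str, list[Finding]]:
    """Walk an unpacked assignment; return findings keyed by rule name."""
    by_rule: dict[str, list[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if p.suffix in SOURCE_SUFFIXES or fn == "package.json":
                for f in scan_file(p):
                    by_rule.setdefault(f.rule, []).append(f)
    return by_rule


def verdict(by_rule: dict[str, list[Finding]]) -> str:
    """'block' when code executes decoded data, spawns processes or hooks install;
    'review' when it merely reaches an external host or carries a large blob."""
    if set(by_rule) & {"eval_of_decoded_data", "child_process_use", "runs_on_install"}:
        return "block"
    return "review" if by_rule else "clean"


def build_sample_assignment() -> str:
    """Write a constructed (fake) assignment to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="assignment-")
    (Path(root) / "package.json").write_text(
        '{\n  "name": "interview-task",\n  "scripts": { "postinstall": "node setup.js" }\n}\n')
    (Path(root) / "setup.js").write_text(
        "const cp = require('child_process');\n"
        "const payload = '" + "A" * 130 + "';\n"  # constructed filler, not real data
        "eval(Buffer.from(payload, 'base64').toString());\n")
    (Path(root) / "app.js").write_text(
        "fetch('https://api.example.com/v1/items').then(r => r.json());\n")
    return root


if __name__ == "__main__":
    results = scan_assignment(build_sample_assignment())
    for rule, hits in sorted(results.items()):
        for h in hits:
            print(f"{rule:24} {Path(h.path).name}:{h.line}  {h.snippet}")
    print("verdict:", verdict(results))
```

The verdict deliberately separates "block" (the assignment executes decoded data, spawns processes, or runs code at install time) from "review" (it only talks to an external host), because a legitimate take-home task can reasonably call a public API while an install hook that evaluates a base64 blob has no place in one.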
Infrastructure and Operations
- Status Dashboard on BlockNovas’ subdomains
- Hashtopolis for password cracking hosted on mail.blocknovas.com
- Kryptoneer tool for crypto wallet connections on attisscmo.com
Additional Insights
- Fake Employee Profiles created using AI-powered tools
- IP Ranges Used:
  - Russian IP ranges, obscured behind layers of VPN, proxy and RDP
  - Companies in Khasan and Khabarovsk linked to the operations
- Wagemole Tactic: Using AI-created personas to get IT workers hired remotely
Consequences and Responses
- BlockNovas domain seized by the FBI
- Use of Astrill VPN and residential proxies to hide activities
- GenAI tools used for optimizing job applications and interviews
Geographic Scope
Implications
- Financial Motive: theft of sensitive data, plus revenue from funneling remote-work salaries to the DPRK
- Infrastructure Sharing: possible collaboration between North Korean and Russian entities
Conclusion
- The operation is a sophisticated blend of social engineering, malware distribution, and anonymization techniques, showcasing North Korea’s evolving cyber capabilities.