Skip links

North Korea makes finding a gig even harder by attacking candidates and employers

Palo Alto Networks’ Unit 42 has detailed a pair of job market hacking schemes linked to state-sponsored actors in North Korea: one in which the threat actors pose as job seekers, the other as would-be employers.

One of the schemes, named Contagious Interview, sees threat actors pose as potential employers to lure software engineers into downloading malware-laden Node Package Manager (NPM) packages from GitHub.

The other, called Wagemole, sees threat actors pretend to be jobseekers as part of a ruse aimed at both financial gain and espionage.

Unit 42 said it had “moderate confidence” that Contagious Interview was run by a North Korea state-sponsored actor and “high confidence” that Wagemole is one of the Hermit Kingdom’s campaigns.

Infrastructure for Contagious Interview started appearing in December 2022. The threat actors pose as recruiters for real and imaginary companies, and advertise on job boards for role sin fields including AI, cryptocurrency, or NFTs.

The scammers then invite targets for online interviews. The fake interviewer asks the applicant to download a GitHub package, presumably so the candidate can review or analyze the content. And voilà, info-stealers are installed on software engineers’ systems perhaps allowing access to whatever they’re working on for their current employer, or just personal information.

The researchers discovered two previously unknown malware families used by the Contagious Interview crew: a JavaScript-based info-stealer and loader hiding inside NPM packages that Unit 42 named BeaverTail, and a Python-based backdoor the group called InvisibleFerret.

BeaverTail targets basic information plus details of credit cards and crypto wallets stored by browsers. InvisibleFerret can keylog credentials, exfiltrate data, facilitate remote access and even download AnyDesk RMM – a remote management utility.

Contagious Interview was discovered by Unit 42 by perusing customer telemetry. The threat-hunting group reckons the objective is to use compromised targets as staging environments for future attacks and a way to steal cryptocurrency.

While looking at Contagious Interview indicators, Unit 42 ran across a treasure trove of other documents that ended up forming the basis of their understanding of the counterpart social engineering scheme, Wagemole. Those documents included fraudulent CVs, stolen US permanent resident cards, and fake identities from various nations for hackers to don. Wagemole also kept interview tips and scripts and job posting from US companies.

For instance, interviewees are coached on credible stories for why they must continue to work remote, such as fleeing from COVID with plans to relocate back in three months’ time.

LinkedIn profiles and GitHub content had been maintained to create the illusion that the personas existed. Unit 42 said some of the GitHub accounts were “nearly indistinguishable from legitimate accounts.”

Unit 42 refrained from specifying a motive or objective related to Wagemole. However, it did point out that the US Department of Justice and FBI have reported that North Korean tech workers send their wages home, where they are used to fund weapons programs.

The South Korean government issued a similar warning in December of last year. ®