North Korean remote workers landing jobs in the West
Essential information
- Published
- 06/11/2024 11:06
- Modified
- 06/11/2024 11:34
- Tags
- 2024-11-06 beavertail contagious interview cryptocurrency data theft invisibleferret job fraud remote work sanctions evasion social engineering wagemole
- Related entities
- 56 observables, 1 intrusion sets (apt), 12 techniques (mitre), 2 malware, 17 others
Description
North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devices across various operating systems. The campaign steals sensitive data, including source code and cryptocurrency information. WageMole leverages stolen data to create fake identities, using generative AI to acquire and perform jobs. The actors aggressively target developers through social media and job platforms, focusing on web, cryptocurrency, and AI roles. They use sophisticated techniques to bypass background checks and secure legitimate remote positions, particularly in small to mid-sized businesses.
External references
- https://raw.githubusercontent.com/ThreatLabz/iocs/refs/heads/main/contagiousinterview/packed_beavertail_hashes.txt
- https://raw.githubusercontent.com/ThreatLabz/iocs/refs/heads/main/contagiousinterview/c2s.txt
- https://raw.githubusercontent.com/ThreatLabz/iocs/refs/heads/main/contagiousinterview/beavertail_installation_package_hashes.txt
- https://raw.githubusercontent.com/ThreatLabz/iocs/refs/heads/main/contagiousinterview/beavertail_hashes.txt
- https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west
- https://otx.alienvault.com/pulse/672b4dd2c7b9f03eb412d8ff