World of Software

North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware

News Room
Last updated: 2025/02/20 at 9:22 AM
News Room Published 20 February 2025

Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret.

The activity, linked to North Korea, has been codenamed DeceptiveDevelopment, which overlaps with clusters tracked under the names Contagious Interview (aka CL-STA-0240), DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. The campaign has been ongoing since at least late 2023.

“DeceptiveDevelopment targets freelance software developers through spear-phishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers,” cybersecurity company ESET said in a report shared with The Hacker News.

In November 2024, ESET confirmed to The Hacker News the overlaps between DeceptiveDevelopment and Contagious Interview, classifying it as a new Lazarus Group activity that operates with an aim to conduct cryptocurrency theft.

The attack chains are characterized by the use of fake recruiter profiles on social media to reach out to prospective targets and share with them trojanized codebases hosted on GitHub, GitLab, or Bitbucket that deploy backdoors under the pretext of a job interview process.

Subsequent iterations of the campaign have branched out to other job-hunting platforms like Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List. As previously highlighted, these hiring challenges typically entail fixing bugs or adding new features to the crypto-related project.

Other than coding tests, the bogus projects masquerade as cryptocurrency initiatives, games with blockchain functionality, and gambling apps with cryptocurrency features. More often than not, the malicious code is embedded within a benign component in the form of a single line.
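
A review aid for the single-line embedding described above: this added example (not code from ESET or the original article) flags source lines that are far longer than the rest of their file, so they can be read before the project is built or run. The thresholds, the extension list and the constructed sample files are assumptions; a hit is a prompt for manual review, not a verdict.

```python
import statistics
import tempfile
from pathlib import Path

SOURCE_EXTS = {".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx", ".py"}
MIN_LINES = 10    # fewer non-blank lines than this gives no usable baseline
MIN_LENGTH = 400  # absolute floor in characters (assumed threshold)
RATIO = 10        # a flagged line is at least this many times the median


def outlier_lines(text):
    """Return [(line_no, length)] for lines far longer than the file's norm."""
    lines = text.splitlines()
    lengths = [len(l.strip()) for l in lines if l.strip()]
    if len(lengths) < MIN_LINES:
        return []
    median = statistics.median(lengths)
    if median >= MIN_LENGTH / 2:
        return []  # uniformly long (minified) file: needs a different review
    limit = max(MIN_LENGTH, RATIO * median)
    # Raw length is used so whitespace padding counts towards the total.
    return [(n, len(l)) for n, l in enumerate(lines, 1) if len(l) > limit]


def scan_tree(root):
    """Map relative path -> outlier lines for every source file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.suffix not in SOURCE_EXTS:
            continue
        hits = outlier_lines(path.read_text(errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def demo():
    """Scan two constructed files; only one has an oversized line."""
    benign = "\n".join(f"const v{i} = require('mod{i}');" for i in range(12))
    # Constructed stand-in for an embedded line: harmless filler, no payload.
    planted = "module.exports = {};" + " " * 300 + "/* " + "x" * 300 + " */"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "clean.js").write_text(benign + "\n")
        Path(d, "server.js").write_text(benign + "\n" + planted + "\n")
        return scan_tree(d)
```

Call `scan_tree()` on a freshly cloned repository from an editor with line wrapping enabled, and open each reported line in full.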

“Additionally, they are instructed to build and execute the project in order to test it, which is where the initial compromise happens,” security researcher Matěj Havránek said. “The repositories used are usually private, so the victim is first asked to provide their account ID or email address to be granted access to them, most likely to conceal the malicious activity from researchers.”

A second method used for achieving initial compromise revolves around tricking their victims into installing a malware-laced video conferencing platform like MiroTalk or FreeConference.

While both BeaverTail and InvisibleFerret come with information-stealing capabilities, the former serves as a downloader for the latter. BeaverTail also comes in two flavors: A JavaScript variant that can be placed within the trojanized projects and a native version built using the Qt platform that’s disguised as conferencing software.

InvisibleFerret is a modular Python malware that retrieves and executes three additional components –

  • pay, which collects information and acts as a backdoor that’s capable of accepting remote commands from an attacker-controlled server to log keystrokes, capture clipboard content, run shell commands, exfiltrate files and data from mounted drives, as well as install the AnyDesk and browser module, and gather information from browser extensions and password managers
  • bow, which is responsible for stealing login data, autofill data, and payment information stored in Chromium-based browsers like Chrome, Brave, Opera, Yandex, and Edge
  • adc, which functions as a persistence mechanism by installing the AnyDesk remote desktop software

ESET said the primary targets of the campaign are software developers working in cryptocurrency and decentralized finance projects across the world, with significant concentrations reported in Finland, India, Italy, Pakistan, Spain, South Africa, Russia, Ukraine, and the U.S.

“The attackers don’t distinguish based on geographical location and aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information.”

This is also evidenced in the apparent poor coding practices adopted by the operators, ranging from a failure to remove development notes to local IP addresses used for development and testing, indicating that the intrusion set is not concerned about stealth.

It’s worth noting that the use of job interview decoys is a classic strategy adopted by various North Korean hacking groups, the most prominent of which is a long-running campaign dubbed Operation Dream Job.

Furthermore, there is evidence to suggest that the threat actors are also involved in the fraudulent IT worker scheme, in which North Korean nationals apply for overseas jobs under false identities in order to draw regular salaries as a way to fund the regime’s priorities.

“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” ESET said.

“During our research, we observed it go from primitive tools and techniques to more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware.”
