North Korean Hackers Spreading Malware Via Fake Interviews

Hackers Backdoor Software Libraries to Deliver Malware
Security researchers found backdoored software packages in the NPM software library, apparent evidence of an ongoing campaign by North Korean hackers to social engineer coders into installing infostealers.

Security researchers at Datadog uncovered namesquatted software packages masquerading as popular libraries, including one malicious package that mimicked passport, a popular authentication framework for Express applications.

Datadog said it identified three packages with a combined 323 downloads that - on closer inspection - contained samples of BeaverTail malware, a family of JavaScript infostealers and downloaders. Researchers from Palo Alto Networks earlier this month linked BeaverTail to an ongoing North Korean campaign in which Pyongyang threat actors pose as job recruiters who ask prospective candidates to install specific software packages.

Datadog researchers said the threat actor deployed code obfuscation techniques to hide the malware nestled within the NPM packages. The fake passports package used "random identifiers instead of meaningful ones," removed code formatting, included "useless operations to complicate the code’s structure" and concealed code behind nonstandard text encodings or encryption.
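Two of the signals described above, a dependency name that sits one edit away from a popular package and source code carrying the listed obfuscation traits, can be screened for before a package is installed. The following is an added example written for this page, not code from Datadog, Palo Alto Networks or the malware itself; the popular-package shortlist, the regexes, the thresholds and both code samples are constructed assumptions.

```javascript
// Added example: pre-install heuristics for namesquatting and obfuscation.
// POPULAR is an assumed shortlist; a real check would use a curated list.
const POPULAR = ["passport", "express", "lodash", "bcrypt", "axios"];

// Levenshtein edit distance; "passports" is 1 edit from "passport".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Dependencies whose names are near, but not equal to, a popular package name.
// Exact matches are the real library; near misses need a manual look.
function findNamesquats(deps, popular = POPULAR) {
  return Object.keys(deps).flatMap((name) => popular
    .filter((p) => p !== name && editDistance(name, p) <= 2)
    .map((p) => ({ name, mimics: p })));
}

// Indicators for the traits the article lists: meaningless identifiers
// (_0x... or one/two-letter names), stripped formatting (very long lines),
// and text hidden behind \xNN escapes or long base64-looking literals.
function obfuscationIndicators(src) {
  const code = src.replace(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g, '""'); // drop string bodies
  const idents = code.match(/\b[A-Za-z_$][A-Za-z0-9_$]*\b/g) || [];
  const random = idents.filter((id) => /^_0x[0-9a-f]+$/i.test(id) || id.length <= 2);
  return {
    randomIdentifierRatio: idents.length ? random.length / idents.length : 0,
    avgLineLength: src.length / src.split("\n").length,
    hexEscapes: (src.match(/\\x[0-9a-f]{2}/gi) || []).length,
    longEncodedLiterals: (src.match(/["'][A-Za-z0-9+/=]{40,}["']/g) || []).length,
  };
}

// Assumed thresholds; tune against a corpus of known-good packages.
function isSuspicious(ind) {
  return ind.randomIdentifierRatio > 0.3 || ind.avgLineLength > 500 ||
    ind.hexEscapes >= 8 || ind.longEncodedLiterals > 0;
}

// Constructed samples, not code from any real package.
const CLEAN_SAMPLE = 'const passport = require("passport");\nfunction configure(app) {\n  app.use(passport.initialize());\n}\n';
const OBF_SAMPLE = 'var _0x1a2b=["\\x68\\x65\\x6c\\x6c\\x6f","\\x77\\x6f\\x72\\x6c\\x64"];' +
  'function _0x3c4d(_0x5e6f,_0x7a8b){return _0x1a2b[_0x5e6f]+_0x1a2b[_0x7a8b]}';

console.log(findNamesquats({ passports: "0.1.0", express: "4.19.2" })); // [{ name: "passports", mimics: "passport" }]
console.log(isSuspicious(obfuscationIndicators(CLEAN_SAMPLE)), isSuspicious(obfuscationIndicators(OBF_SAMPLE))); // false true
```

Neither heuristic proves malice on its own: legitimate packages are minified and legitimate names can be two edits apart, so the output is a review queue, not a verdict.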

BeaverTail targets cryptocurrency wallets as well as credit card information stored in browser caches and login keychains on Unix and Windows systems.

North Korean hackers have a history of bizarre methods for stealing money and extorting the tech industry. This year has seen a raft of arrests of Western collaborators who help Hermit Kingdom coders obtain remote coding positions. The danger of hiring a remote North Korean isn't just sloppy code - the workers have taken an aggressive turn into extorting companies for ransom (see: North Korean IT Scam Workers Shift to Extortion Tactics).

A Danish media outlet on Monday reported that Fisker, a now-defunct Danish electric car maker, had hired a North Korean remote employee. The company became aware of the situation only after being alerted by U.S. authorities.

North Korea's ability to play both sides of the employer-job seeker coin is just another example of how Pyongyang evades international sanctions to ensure continued money flow into its nuclear weapons program, said Eugenio Benincasa, a senior cyber researcher at ETH Zurich.

"The sophistication of these operations is not new," he said. "This form of spear-phishing likely stands out more than classic phishing emails, benefiting from extensive open-source intelligence people share on LinkedIn and social media, which allows precise profiling for tailored bait," Benincasa added.

Andrew Fierman, national security intelligence head at Chainalysis, also said that job-market hacks are examples of North Korean hackers' adaptability to changing tech landscapes.

"This adaptation in tactics shows their ability and willingness to exploit new vulnerabilities in the digital landscape to achieve their objectives. Stolen data from infostealers can be used to access financial accounts and cryptocurrency wallets, aligning with their historical pattern of using sophisticated methods to siphon funds," Fierman said.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
