Two updated malware strains used in North Korean fake recruiter scams

North Korean hackers posing as job recruiters are using updated strains of malware to steal victim information and cryptocurrency.

In a report published Wednesday, Palo Alto Networks’ Unit 42 highlighted a scam they previously uncovered in November 2023 where threat actors associated with the Democratic People’s Republic of Korea (DPRK) pretend to be fake recruiters in an effort to get victims to download the BeaverTail malware and the InvisibleFerret backdoor.

“The threat actor behind [the campaign] contacts software developers through job search platforms by posing as a prospective employer. The attackers invite the victim to participate in an online interview, where the threat actor attempts to convince the victim to download and install malware,” the researchers said. 

The BeaverTail malware, which is the first one delivered in the campaign, works on both macOS and Windows platforms. The hackers deliver it through files made to look like MiroTalk, a real-time video call application, and FreeConference, a service that offers conference calling.

Since July, Unit 42 saw new versions of BeaverTail that collect and exfiltrate data without victims knowing. It steals browser passwords and now steals credentials for a number of cryptocurrency wallets — something researchers said is “consistent with the ongoing financial interests of North Korean threat actors.”

The new version of BeaverTail “targets 13 different cryptocurrency wallet browser extensions, compared to only nine wallets previously targeted by the JavaScript variant.” 

Unit 42 found evidence on social media sites like X and Reddit showing that several other people had seen the same type of activity. 

The second type of malware, InvisibleFerret, is a backdoor that logs keystrokes, exfiltrates sensitive files and downloads the AnyDesk tool that allows hackers to take remote control of a device. It also steals browser credentials and credit card information.

“By examining the latest InvisibleFerret versions deployed in this campaign during the past year, we saw slight code changes implemented over time. While its general functionality remains nearly identical, these changes suggest that the malware authors are actively working on the malware’s code in between the waves of their attacks,” they said.

The scheme is part of dozens of campaigns run out of North Korea either trying to get threat actors hired at companies or attempting to compromise devices at top tech firms. 

The North Korean actors in this campaign typically targeted people on LinkedIn, and Unit 42 noted that the goal may also be to maintain access to job applicants after they are hired at other companies. 

The researchers warned of what the actors could do if they were able to install the malware on company-owned devices. 

Cyber researchers and government agencies have put a renewed focus on North Korean cyber activity in recent months as the company has stepped up its attacks — most of which are designed to fund their ballistics missile program by any means necessary.