North Korean Hackers Use Fake Crypto Firms in Job Malware Scam

Silent Push reveals a complex scheme where North Korean hackers posed as crypto companies, using AI and fake job interviews to distribute malware. Protect yourself from these deceptive tactics.
Cybersecurity firm Silent Push has uncovered an operation run by a North Korean threat group tracked as Contagious Interview, which is linked to the Lazarus Group.
According to the report, Contagious Interview has been targeting people seeking work in the cryptocurrency industry through three front companies: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. The goal is to lure applicants into downloading and running malware on their own machines.

According to Silent Push’s investigation, shared exclusively with Hackread.com, these fake companies use job postings on various websites, including well-known platforms like CryptoJobsList, CryptoTask, and Upwork, to attract applicants.
Once someone applies, the operators send what appear to be legitimate interview materials, but the files carry malware. Researchers have observed several families in this campaign, including BeaverTail, InvisibleFerret, and OtterCookie.
To make the scam seem real, Contagious Interview uses images created by artificial intelligence (AI) tools for employee profiles. Specifically, they used Remaker AI to generate some of these fake faces. Also, they use real online platforms like GitHub and job websites to appear more trustworthy.
Silent Push’s investigation revealed that Contagious Interview has a history of carrying out complex cyberattacks. In this new scheme, they use fake job offers and these three front companies to spread their malware. Once a victim’s computer is infected, the hackers can potentially access it remotely and steal sensitive data. They even try to hide their online activity using tools like VPNs.
The analysts tracked the malware back to specific domains and IP addresses used by the operators, including lianxinxiao[.]com, and found an exposed web "dashboard" on a BlockNovas subdomain, mail[.]blocknovas[.]com, where the operators were monitoring their fake websites and other tooling. Silent Push described this as a "significant OPSEC failure"; it helped the researchers tie the three front companies together and identify the malware in use.
Further investigation turned up many red flags. The profile picture of a "Backend Developer" named Mehmet Demir, who appears on the staff pages of all three front companies, is AI-generated, and the persona has a history of suspicious online activity under the alias Bigrocks918. Another account, thegoodearth918, shares the same numeric suffix "918" and the same email address, and is tied to SoftGlide.
A user named "hades255," presented as Gabriel Lima, CTO of BlockNovas, also has an AI-generated photo and a suspicious resume. Other employee profiles show the same signs of fabrication: AI-generated headshots and inconsistencies across their digital footprints. Even the BlockNovas recruiter, "Alexander Nolan," uses the photo of a real person who has no connection to the company.
Analysis of files hosted on the fake job-application websites revealed hidden links to further malware, including FrostyFerret, and an unusual control panel named Kryptoneer, which appears to be aimed at the Sui blockchain.
Silent Push researchers warn job seekers to be wary of unusual interview processes, of requests to run unfamiliar code on their own machines, and of employee profiles that seem too good to be true or use generic-looking photos. These North Korean operators are using increasingly sophisticated methods to trick unsuspecting individuals, and awareness remains the best defence, the researchers concluded.
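The advice above is to refuse to run unfamiliar code, but applicants are often handed a "take-home assignment" project and told to install and run it. The script below is an added example, not code from Silent Push or Hackread, showing the kind of pre-run triage a cautious applicant or a security team can do on such a project before any of it executes. It assumes the lure arrives as a Node/JavaScript project (the article does not specify the file format), and it flags traits that turn "just run npm install" into code execution: install-time lifecycle hooks in package.json, scripts that download and pipe to a shell, and source files that use eval, new Function, or carry long high-entropy string literals. The sample project it builds is constructed for the demonstration and is not a real lure.

```python
"""Pre-run triage of a received "coding assignment" project (added example).

Assumes a Node/JavaScript project; the package.json and JS checks below are
generic heuristics, not signatures for any specific malware family.
"""
import base64
import hashlib
import json
import math
import os
import re
import tempfile
from collections import Counter

# npm runs these automatically during `npm install`, so a script here executes
# before the applicant has read a single line of the project.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Script commands that fetch something from the network or pipe into a shell.
NETWORK_OR_SHELL = re.compile(r"curl|wget|Invoke-WebRequest|\|\s*(ba)?sh\b")

# Constructs common in obfuscated loaders: dynamic evaluation and decoding.
SUSPICIOUS_JS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"new\s+Function\s*\("), "new Function()"),
    (re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"), "child_process"),
    (re.compile(r"\.fromCharCode\s*\("), "String.fromCharCode decoding"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), "long \\x escape run"),
]

# A 200+ character literal drawn only from base64/hex characters.
LONG_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit well above repeated padding."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def check_scripts(scripts: dict, label: str = "package.json") -> list[str]:
    """Flag install-time hooks and download-and-run commands in npm scripts."""
    findings = []
    for name, cmd in scripts.items():
        if name in LIFECYCLE_HOOKS:
            findings.append(f"{label}: lifecycle hook '{name}' runs on install: {cmd!r}")
        if NETWORK_OR_SHELL.search(cmd):
            findings.append(f"{label}: script '{name}' downloads or pipes to a shell: {cmd!r}")
    return findings


def check_js_source(src: str, label: str) -> list[str]:
    """Flag dynamic-evaluation constructs and long high-entropy literals."""
    findings = [f"{label}: {desc}" for pat, desc in SUSPICIOUS_JS if pat.search(src)]
    for m in LONG_LITERAL.finditer(src):
        if shannon_entropy(m.group(1)) > 3.5:
            findings.append(f"{label}: high-entropy string literal ({len(m.group(1))} chars)")
            break
    return findings


def triage_project(root: str) -> list[str]:
    """Walk a project tree; an empty result means nothing was flagged."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError as exc:
                findings.append(f"{rel}: unreadable ({exc})")
                continue
            if name == "package.json":
                try:
                    findings.extend(check_scripts(json.loads(text).get("scripts", {}), rel))
                except ValueError as exc:
                    findings.append(f"{rel}: invalid JSON ({exc})")
            elif name.endswith((".js", ".mjs", ".cjs", ".ts")):
                findings.extend(check_js_source(text, rel))
    return findings


def build_sample_project() -> str:
    """Constructed sample (not a real lure): a plausible-looking dashboard
    project with a postinstall hook that runs an eval'd base64 blob."""
    root = tempfile.mkdtemp(prefix="assignment-")
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "trading-dashboard", "version": "1.0.0",
                   "scripts": {"start": "node server.js",
                               "postinstall": "node lib/config.js"}}, fh)
    os.mkdir(os.path.join(root, "lib"))
    # Deterministic pseudo-random bytes stand in for an encoded payload.
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    blob = base64.b64encode(raw).decode()
    with open(os.path.join(root, "lib", "config.js"), "w", encoding="utf-8") as fh:
        fh.write(f'const p = "{blob}";\neval(Buffer.from(p, "base64").toString());\n')
    with open(os.path.join(root, "server.js"), "w", encoding="utf-8") as fh:
        fh.write('console.log("dashboard up");\n')
    return root


if __name__ == "__main__":
    for line in triage_project(build_sample_project()):
        print("FLAG", line)
```

Running it against the constructed project flags the postinstall hook, the eval call, and the long encoded literal in lib/config.js, while server.js passes clean. A clean result is not proof of safety; the point is that any flagged project should be opened only in a disposable VM, and never on the machine that holds wallets or SSH keys.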
HackRead