An ongoing campaign targets freelance software developers with job interview-themed lures to distribute cross-platform malware families called BeaverTail and InvisibleFerret.
The activity, attributed to North Korea, has been codenamed DeceptiveDevelopment and overlaps with clusters tracked under the names (aka ), DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. The campaign has been running since at least the end of 2023.
In a statement shared with The Hacker News, cybersecurity firm ESET said "DeceptiveDevelopment targets freelance software developers" through spear-phishing on job-hunting and freelance websites. Its goal is to steal cryptocurrency wallets and login information from browsers and password managers.
In November of this year, ESET told The Hacker News that DeceptiveDevelopment shares similarities with Contagious Interview, describing it as a new activity cluster that aims to steal cryptocurrency.
The attack chains are characterized by the use of fake recruiter profiles on social media to reach out to prospective targets and share with them trojanized codebases hosted on GitHub, GitLab, or Bitbucket that deploy backdoors under the pretext of a job interview process.
Subsequent iterations of the campaign have branched out to other job-hunting platforms like Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List. As previously outlined, these hiring challenges typically entail fixing bugs or adding new features to a crypto-related project.
Besides coding tests, the fake projects masquerade as cryptocurrency initiatives, games with blockchain features, and gaming apps with crypto features. The malicious code is typically hidden in an otherwise benign part of the project in the form of a single line.
"Additionally, they are instructed to build and run the project in order to test it, which is where the initial compromise happens," security researcher Matěj Havránek said. The victim is first asked to provide their account ID or email address to be granted access to the repository, most likely to conceal the malicious activity from researchers, because the repositories used are typically private.
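A defender-side check for the technique described above, that is, a single malicious line hidden in an otherwise benign file of a take-home project. This is an added example, not ESET's tooling or code from the campaign; the length threshold, the blob and dynamic-execution patterns, and the sample file are all constructed assumptions for illustration.

```python
import re
from pathlib import Path

# Heuristics (assumptions, not from ESET's report): flag a source line that is
# abnormally long, or that places a large opaque string literal next to a
# dynamic-execution primitive. Legitimate code rarely combines both on one line.
MAX_LINE_LEN = 500
OPAQUE_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")
DYNAMIC_EXEC = re.compile(r"\b(eval|Function|exec|child_process|spawn|execSync)\b")
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".json"}


def scan_text(text, name="<text>"):
    """Return a list of (file name, line number, reason) findings for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE_LEN:
            findings.append((name, lineno, f"line length {len(line)} > {MAX_LINE_LEN}"))
        if OPAQUE_BLOB.search(line) and DYNAMIC_EXEC.search(line):
            findings.append((name, lineno, "opaque blob next to dynamic execution"))
    return findings


def scan_repo(root):
    """Walk a cloned repository (skipping node_modules) and scan each source file."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.suffix not in SOURCE_EXT or "node_modules" in path.parts:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample: a harmless-looking config module, and the same module with
# one appended line that decodes an opaque string and hands it to eval().
SAMPLE_CLEAN = "const cfg = { port: 3000 };\nmodule.exports = cfg;\n"
SAMPLE_SUSPECT = SAMPLE_CLEAN + (
    "(function(){const p='" + "A" * 300
    + "';eval(Buffer.from(p,'base64').toString())})();\n"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SUSPECT, "config.js"):
        print(finding)
```

Run `scan_repo(".")` on a freshly cloned "interview" project before building or executing it; a hit is a reason to inspect the line by hand, not proof of malice.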
A second method of achieving initial compromise involves tricking victims into installing a video conferencing application like or that has been laced with malware.
While both BeaverTail and InvisibleFerret come with information-stealing features, the former also serves as a downloader for the latter. BeaverTail comes in two flavors: a native Qt-based version that is disguised as conferencing software, and a JavaScript-based version that is hidden inside a trojanized project.
InvisibleFerret, a modular Python malware, retrieves and executes three additional components:
- pay, which collects information and acts as a backdoor capable of accepting remote commands from an attacker-controlled server to log keystrokes, capture clipboard content, run shell commands, exfiltrate files and data from mounted drives, install the AnyDesk and browser modules, and gather data from browser extensions and password managers
- bow, which is responsible for stealing login data, autofill data, and payment information stored in Chromium-based browsers like Chrome, Brave, Opera, Yandex, and Edge
- adc, which installs the AnyDesk remote desktop software and serves as a persistence mechanism
ESET said the primary targets of the campaign are software developers working on cryptocurrency and decentralized finance projects across the world, with significant concentrations reported in Finland, India, Italy, Pakistan, Spain, South Africa, Russia, Ukraine, and the U.S.
The attackers “do not distinguish based on geographical location and aim to compromise as many victims as possible to increase the likelihood of successfully obtaining funds and information.”
This is also evidenced by the operators' apparently poor coding practices, which range from a failure to remove local IP addresses used for development and testing to a general lack of concern for stealth across the intrusion set.
The use of job interview decoys is a well-known tactic employed by various North Korean hacking groups, the most prominent of which is a long-running campaign titled .
There is also evidence that the threat actors are involved in the fraudulent , which allows North Korean nationals to secure jobs abroad under false identities and funnel their regular salaries to the regime's priorities.
The DeceptiveDevelopment cluster is an addition to an already sizable collection of money-making schemes used by North Korea-aligned actors, and it is in keeping with an ongoing trend of shifting focus from traditional currencies to cryptocurrencies, according to ESET.
"During our research, we observed it change from simple tools and methods to more sophisticated and capable malware, as well as more refined methods to entice victims and deploy the malware," one researcher said.