The North Korean threat actors behind Deadly Interview have adopted the increasingly popular social engineering technique to pull job seekers in the cryptocurrency sector to offer a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems.
The new exercise, assessed to be a continuation of the battle, has been codenamed ClickFake Interview by French cybersecurity firm Sekoia. , even tracked as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, is known to be effective since at least December 2022, although it was only formally documented for the first time in late 2023.
” It uses legitimate job interview websites to leverage the ClickFix tactic and install Windows and macOS backdoors”, Sekoia researchers Amaury G., Coline Chavane, and Felix Aimé , attributing the effort to the infamous , a prolific adversary attributed to the Reconnaissance General Bureau (RGB ) of the Democratic People’s Republic of Korea ( DPRK).
A notable aspect of the campaign is that it primarily targets centralized finance entities by impersonating companies like Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, marking a departure from the hacking group’s attacks against decentralized finance ( DeFi ) entities.
Deadly Interview, like , employs false job offers as lures to entice potential targets and fool them into downloading malware that may take cryptocurrency and other sensitive data.
As part of the work, candidates are approached via LinkedIn or X to prepare for a video call interview, for which they are asked to get a malware-laced videoconferencing technology or open-source project that activates the disease process.
Lazarus Group’s use of the ClickFix tactic was first disclosed towards the end of 2024 by security researcher Taylor Monahan, with the attack chains leading to the deployment of a family of malware called that then delivers the Golang backdoor.
In this iteration of the campaign, victims are asked to visit a purported video interviewing service named Willo and complete a video assessment of themselves.
” The entire setup, meticulously designed to build user trust, proceeds smoothly until the user is asked to enable their camera”, Sekoia explained. ” At this point, an error message appears indicating that the user needs to download a driver to fix the issue. This is where the operator employs the ClickFix technique”.
The instructions given to the victim to enable access to the camera or microphone vary depending on the operating system used. On Windows, the targets are prompted to open Command Prompt and execute a curl command to execute a Visual Basic Script (VBS ) file, which then launches a batch script to run GolangGhost.
In the event the victim is visiting the site from a macOS machine, they are similarly asked to launch the Terminal app and run a curl command to run a shell script. The malicious shell script, for its part, runs a second shell script that, in turn, executes a stealer module dubbed FROSTYFERRET (aka ChromeUpdateAlert ) and the backdoor.
FROSTYFERRET displays a fake window stating the Chrome web browser needs access to the user’s camera or microphone, after which it displays a prompt to enter the system password. The entered information, regardless of whether it’s valid or otherwise, is exfiltrated to a Dropbox location, likely indicating an attempt to access the iCloud Keychain using the stolen password.
GolangGhost is engineered to facilitate remote control and data theft through several commands that allow it to upload/download files, send host information, and steal web browser data.
” It was found that all the positions were not related to technical profiles in software development”, Sekia noted. ” They are mainly jobs of manager focusing on business development, asset management, product development or decentralised finance specialists”.
” This is a significant change from previous documented campaigns attributed to DPRK-nexus threat actors and based on fake job interviews, which mainly targeted developers and software engineers”.
North Korea IT Worker Scheme Becomes Active in Europe
The development comes as the Google Threat Intelligence Group ( GTIG ) said it has observed a surge in the in Europe, underscoring a significant expansion of their operations beyond the United States.
The IT worker activity entails North Korean nationals posing as legitimate remote workers to infiltrate companies and generate illicit revenue for Pyongyang in .
of the activity, coupled with the U. S. Justice Department indictments, have instigated a “global expansion of IT worker operations”, Google said, noting it uncovered several fabricated personas seeking employment in various organizations located in Germany and Portugal.
The IT workers have also been observed undertaking various projects in the United Kingdom related to web development, bot development, content management system ( CMS ) development, and blockchain technology, often falsifying their identities and claiming to be from Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam.
This tactic of IT workers posing as Vietnamese, Japanese, and Singaporean nationals was also by managed intelligence firm Nisos early last month, while also pointing out their use of GitHub to carve new personas or recycle portfolio content from older personas to reinforce their new ones.
“IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer”, Jamie Collier, Lead Threat Intelligence Advisor for Europe at GTIG, . ” Payment for their services was facilitated through cryptocurrency, the TransferWise service, and Payoneer, highlighting the use of methods that obfuscate the origin and destination of funds”.
Besides using local facilitators to help them land jobs, the insider threat operation is witnessing what appears to be a spike in since October 2024, when it became public knowledge that these IT workers are resorting to ransom payments from their employers to prevent them from releasing proprietary data or to provide it to a competitor.
In what appears to be a further evolution of the scheme, the IT workers are now said to be targeting companies that operate a Bring Your Own Device ( BYOD ) policy owing to the fact that such devices are unlikely to have traditional security and logging tools used in enterprise environments.
” Europe needs to wake up fast. Despite being in the crosshairs of IT worker operations, too many perceive this as a US problem. North Korea’s recent shifts likely stem from US operational hurdles, showing IT workers ‘ agility and ability to adapt to changing circumstances”, Collier said.
” A decade of diverse cyberattacks precedes North Korea’s latest surge- from SWIFT targeting and ransomware, to cryptocurrency theft and supply chain compromise. This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations”.