North Korean Group Creates Fake Crypto Firms in Job Complex Scam
Threat intelligence groups for almost two years have been tracking the ongoing Contagious Interview campaign run by a North Korean-backed threat group that uses fake job interviews to lure targets into installing malware onto their systems.
The advanced persistent threat (APT) actors running the complex scam – also known as Famous Chollima – have been described by some as a subset of the notorious Lazarus Group, which is run by the Democratic People’s Republic of Korea (DPRK), or as the group itself.
Palo Alto Networks’ Unit 42 researchers first wrote about the campaign in November 2023, and since then analysts from Unit 42 and other security firms – including SentinelOne and Group-IB – have tracked the iterations of the APT group’s campaign, including the malware the attackers bring into the fold.
This week, researchers with cyber intelligence company Silent Push said that the ever-adapting Contagious Interview campaign has a new spin: three bogus cryptocurrency companies created as fronts, again using the promise of fake jobs to convince victims to download malware variants that include BeaverTail, InvisibleFerret, and OtterCookie.
Advertising for Jobs that Don’t Exist
In a report, the Silent Push researchers wrote that the Contagious Interview group created the three crypto companies – BlockNovas LLC, Angeloper Agency, and SoftGlide LLC – and then placed job postings on such legitimate online sites as CryptoJobsList, CryptoTask, Freelance, and Upwork to pull in people looking for work in the crypto industry. The threat group also was reaching into GitHub repositories to find victims.
In addition, Contagious Interview used AI-generated images – some created by using the legitimate Remaker AI editing tool – to create profiles of fake employees for each company.
“Contagious Interview has utilized services like Astrill VPN and residential proxies to obfuscate their infrastructure and activities, making detection more challenging, and our team has observed a new tactic that heavily utilizes AI-generated images,” the researchers wrote.
‘Red Flags’
One of the fake companies, BlockNovas – which Silent Push says is the most active of the front companies – supposedly has 14 employees, though many of the personas appear to be AI-created.
“One of the alleged fake personas was even seen performing ‘gig development work,’ although it’s unclear if they abused their access during these gigs,” they wrote, adding that “it is impossible to prove that all the employees are bogus, as some may be working in various support jobs.”
Still, the researchers pointed to “red flags” raised during the research that convinced them that many of the personas were not real.
Once a person applies to a fake job posting, they receive what appear to be legitimate files related to the interview but that actually contain the malware, which can be used to steal data or crypto from victims.
Looking at BlockNovas
The Silent Push report delved deep into the BlockNovas operation, noting that the domain was registered in July 2024 through NameCheap with an address in Warrenville, South Carolina, that appears to be on a residential road, and that the listed company contacts – Mehmet Demir and Ramon Mckenzie – use the same address and appear to be fake. The bad actors created accounts on sites like LinkedIn, Facebook, and X (formerly Twitter), where they also promoted links to their false job postings.
On the BlockNovas website, the hackers listed staff names of fake personas alongside photos of at least two real people who have different names and no connection to the company.
There were other warnings seen by the researchers, including an AI-generated image for Mehmet Demir that was linked to all three of the fake companies.
Job Application Form
A job application form on BlockNovas included multiple steps leading up to the eventual lure, asking for such information as the target’s location, the type of job they were looking for – such as full time or part time – their ability to speak English, experience, and social media links. Applicants also were asked to include a brief introduction video.
“If the job-seeker, also known as the intended victim, clicked any of the call-to-action buttons, a pop-up would appear with an ‘Access to your camera or microphone is currently blocked’ message along with a ‘ClickFix’ copy-and-paste lure,” the researchers wrote. “If the command prompted by the lure was executed on a Windows, Mac, or Linux device, it would execute the malware.”
BeaverTail is written in JavaScript and is used both to steal information and as a malware loader, while InvisibleFerret is spyware and a backdoor. OtterCookie is used to steal information and crypto wallet keys.
North Korean state-sponsored groups are known for running IT worker scams, either luring unsuspecting victims to apply for non-existent jobs – as with Contagious Interview – or having agents pose as legitimate IT workers who take jobs with real companies to steal information or money, which is then funneled back to the country’s rulers and used to evade global sanctions by funding its myriad weapons programs.