North Korean hackers are posing as job interviewers - don't be fooled

Anonymous Hacker
(Image credit: TheDigitalArtist / Pixabay)

If you’re hiring, or looking to get hired for a new job - be very careful who you talk to. Cybersecurity researchers from Palo Alto’s Unit 42 have discovered two separate malware campaigns - one targeting employers, and the other job hunters - run by North Korean state-sponsored threat actors. 

Dubbed “Contagious Interview", the campaign sees hackers impersonate employers, creating fake profiles on various social media networks and try to get software developers interested in a new job opportunity. 

During the interview process (which often includes multiple steps, possibly even video interviews), the hackers would get the victims to download and run files which end up infecting their endpoints with malware.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

New malware

This campaign most likely started in December last year, and given that parts of the infrastructure are still active, the campaign is still very much a threat. 

Its goal, according to the report, is to steal cryptocurrencies from the victims, and later use their endpoints as a stepping stone for additional attacks.

The campaign in which hackers seek employment is dubbed “Wagemole”. The threat actors are mostly going for US-based firms, Unit 42 says, but they won’t pass up on an opportunity anywhere else in the world. During the process, the attackers create multiple resumes with different technical skill sets, as well as multiple identities impersonating individuals from different parts of the world. It also includes common job interview questions and answers, scripts 

for interviews and downloaded job postings from US companies. 

For the attack to be successful, the victims need to download and run two types of previously unseen malware - one called BeaverTail, and the other one called InvisibleFerret. While BeaverTail is a JavaScript-based piece of malware hidden inside an npm package, InvisibleFerret is a “simple but powerful” Python-based backdoor. Both samples can be run on Windows, macOS, and Linux devices.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.