North Korean hackers targeting job seekers with fake FreeConference app

North Korean threat actors have used a fake Windows video conferencing application disguised as FreeConference.com to infect developer systems in an ongoing, financially driven campaign known as Contagious Interview.

The recent attack wave was discovered by Group-IB in mid-August 2024 and involved the use of native installers for Windows and Apple macOS to distribute malware.

Contagious Interview, also known as DEV#POPPER, is a malicious campaign conducted by a North Korean threat actor identified as Famous Chollima by CrowdStrike.

The attack starts with a fake job interview where job seekers are tricked into downloading a Node.js project containing the BeaverTail downloader malware. This malware then delivers a cross-platform Python backdoor named InvisibleFerret, which has capabilities such as remote control, keylogging, and browser data theft.

Some versions of BeaverTail, which also acts as an information stealer, have been distributed as JavaScript malware through fake npm packages used in technical assessments during interviews.
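As an added example (not from the article, Group-IB, or any vendor tooling), a small Python triage script a candidate or reviewer can run over a Node.js project received as an "assessment" before `npm install` executes it: it reports the npm lifecycle hooks that run at install time and a few loader-style indicators. The indicator patterns, the sample project and its file names are constructed assumptions, not BeaverTail signatures.

```python
"""Pre-install triage for a Node.js project handed over as an interview task (constructed example)."""
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # executed by `npm install`
LOADER_PATTERNS = {  # assumed downloader-style indicators; tune for your environment
    "dynamic-eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "child-process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "long-base64-blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def triage_project(root: Path) -> dict:
    """Flag install-time hooks in package.json and loader indicators in project .js files."""
    findings = {"install_hooks": {}, "indicators": {}}
    if (pkg := root / "package.json").is_file():
        scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
        findings["install_hooks"] = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
    for js in sorted(root.rglob("*.js")):
        if "node_modules" in js.parts:
            continue  # dependencies are reviewed separately
        text = js.read_text(encoding="utf-8", errors="ignore")
        hits = [name for name, rx in LOADER_PATTERNS.items() if rx.search(text)]
        if hits:
            findings["indicators"][str(js.relative_to(root))] = hits
    return findings


def is_suspicious(findings: dict) -> bool:
    """Anything that executes or decodes code during install deserves a manual look."""
    return bool(findings["install_hooks"] or findings["indicators"])


def build_sample_project(root: Path) -> None:
    """Constructed sample: a postinstall hook plus a loader-style script (contains no real malware)."""
    (root / "package.json").write_text(json.dumps(
        {"name": "assessment-task", "scripts": {"test": "jest", "postinstall": "node setup.js"}}))
    (root / "setup.js").write_text(
        'const cp = require("child_process");\n'
        'const blob = "' + "QUFB" * 60 + '";\n'
        'eval(Buffer.from(blob, "base64").toString());\n')
    (root / "index.js").write_text('console.log("hello");\n')


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        build_sample_project(Path(d))
        return triage_project(Path(d))
```

Run `demo()` to see the findings for the constructed sample; point `triage_project()` at a real project directory to review it before installing.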

In July 2024, a fake Windows MSI installer and Apple macOS DMG files posing as the legitimate MiroTalk video conferencing software were discovered in the wild, serving as a way to deploy an updated BeaverTail version.

Group-IB’s latest findings attribute the campaign to the Lazarus Group and suggest that the threat actor continues to use this distribution method, with the only difference being that the installer now pretends to be FreeConference.com (“FCCCall.msi”).

The fake installer is likely downloaded from a website named freeconference[.]io, which is linked to the fictitious mirotalk[.]net website.

“In addition to LinkedIn, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others,” said security researcher Sharmine Low.

The threat actors have been observed injecting malicious JavaScript into cryptocurrency- and gaming-related repositories as part of ongoing refinements to the campaign.

BeaverTail now uses Python scripts known as CivetQ to steal data from more cryptocurrency wallet extensions and establish persistence using AnyDesk. The malware targets 74 browser extensions and can retrieve sensitive data from Microsoft Sticky Notes as well.

The emergence of CivetQ indicates a modular approach by Lazarus Group, showing that the tools are constantly evolving and being refined over time.

The FBI recently warned of North Korean cyber actors’ aggressive targeting of the cryptocurrency industry using social engineering attacks to facilitate cryptocurrency theft.

The FBI advisory highlighted that North Korean cyber actors scout potential victims on social media platforms before launching sophisticated social engineering attacks on cryptocurrency-related businesses.
