@www.silentpush.com
//
North Korean hackers, identified as the Contagious Interview APT group, are running a sophisticated malware campaign targeting individuals seeking employment in the cryptocurrency sector. Silent Push threat analysts have uncovered the operation, revealing that the group, also known as Famous Chollima and a subgroup of Lazarus, is using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread malicious software. These companies are being used to lure unsuspecting job applicants into downloading malware through fake job interview opportunities, marking an evolution in the group's cyber espionage and financial gain tactics.
The campaign involves the distribution of three distinct malware strains: BeaverTail, InvisibleFerret, and OtterCookie. Job seekers are enticed with postings on various online platforms, including CryptoJobsList, CryptoTask, and Upwork. Once an application is submitted, the hackers send what appear to be legitimate interview-related files containing the malware. The attackers are also using AI-generated images to create employee profiles for these front companies, specifically using Remaker AI to fabricate realistic personas, enhancing the credibility of their fraudulent operations and making it harder for job seekers to differentiate between genuine and malicious opportunities.
The use of these front companies and AI-generated profiles signifies a new escalation in the tactics employed by Contagious Interview. The malware, once installed, allows hackers to remotely access infected computers and steal sensitive data. The campaign leverages legitimate platforms like GitHub and various job boards to further enhance its deceptive nature. Silent Push's analysis has successfully traced the malware back to specific websites and internet addresses used by the hackers, including lianxinxiao[.]com, and uncovered a hidden online dashboard monitoring suspected BeaverTail websites, providing valuable insights into the operational infrastructure of this North Korean APT group.
Recommended read:
References :
- hackread.com: North Korean Hackers Use Fake Crypto Firms in Job Malware Scam
- The Hacker News: North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures
- www.silentpush.com: Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
- Anonymous ???????? :af:: Threat analysts have uncovered that North Korea's Contagious Interview APT group is using three front companies to distribute malware strains BeaverTail, InvisibleFerret, and OtterCookie through fake cryptocurrency job offers.
- www.silentpush.com: North Korean APT registers three cryptocurrency companies to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- cyberpress.org: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- bsky.app: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- www.scworld.com: North Korean cyberespionage facilitated by bogus US firms, crackdown underway
- Virus Bulletin: Silent Push researchers have uncovered three cryptocurrency companies that are actually fronts for the North Korean APT group Contagious Interview. BeaverTail, InvisibleFerret & OtterCookie are being spread from this infrastructure to unsuspecting cryptocurrency job applicants.
- www.scworld.com: New Lazarus campaign hits South Korea BleepingComputer reports that at least half a dozen South Korean organizations in the finance, telecommunications, IT, and software industries have been compromised by North Korean hacking collective Lazarus Group
- Cyber Security News: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- PCMag UK security: Okta finds evidence that North Koreans are using a variety of AI services to upgrade their chances of fraudulently securing remote work so they can line their country's coffers or steal secrets.
- malware.news: North Korean Group Creates Fake Crypto Firms in Job Complex Scam
- www.bitdegree.org: North Korean hackers use AI and fake job offers within cryptocurrency companies to distribute malware to unsuspecting job seekers
- cyberpress.org: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- malware.news: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- securityonline.info: Threat analysts at Silent Push have uncovered a new campaign orchestrated by the North Korean state-sponsored APT group,
- securityonline.info: Threat actors are using fake companies in the cryptocurrency consulting industry to spread malware to unsuspecting job applicants.
- Cybernews: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
Ddos@Daily CyberSecurity
//
North Korean Lazarus APT group has expanded its malicious activities within the npm ecosystem, deploying eleven new packages designed to deliver the BeaverTail malware and a new remote access trojan (RAT) loader. These malicious packages have been downloaded over 5,600 times before their removal, posing a significant risk to developer systems. The threat actors are utilizing previously identified aliases, as well as newly created accounts, to distribute these packages.
The campaign, dubbed "Contagious Interview," aims to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments. To evade detection, the attackers are employing hexadecimal string encoding and other obfuscation techniques. Some of the packages, such as "events-utils" and "icloud-cod," are linked to Bitbucket repositories, while others use command-and-control (C2) addresses previously associated with Lazarus Group campaigns, indicating the scale and coordination of this operation.
Cybersecurity researchers are urging developers to be vigilant and carefully review all dependencies before installing them. The North Korean threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down. This campaign highlights the increasing sophistication of supply chain attacks and the need for robust security measures to protect against such threats.
Recommended read:
References :
- Security Risk Advisors: Socket Research Team's report
- The Hacker News: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
- ciso2ciso.com: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages – Source:thehackernews.com
- Talkback Resources: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages [net] [mal]
- securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
- securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
- www.scworld.com: Malicious npm packages, BeaverTail malware leveraged in new North Korean attacks
- Cyber Security News: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages.
- cyberpress.org: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages. Utilizing sophisticated hexadecimal encoding to camouflage their code and evade detection systems, the group aims to compromise developer systems, steal sensitive credentials, and maintain persistent access to targeted environments.
- Chris Wysopal: Infosec.Exchange post on new supply chain NPM package malware attacks found.
SC Staff@scmagazine.com
//
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.
Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.
Recommended read:
References :
- The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
- BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
- bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
- The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
- socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
- securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
- hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
- Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
- www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
- securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
- BleepingComputer: Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
- Security Risk Advisors: The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying
- Security Risk Advisors: Lazarus Group Deploys Malicious npm Packages to Target Developers and Exfiltrate Data
- securityonline.info: The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control The post appeared first on .
- Datadog Security Labs: Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access
Ojukwu Emmanuel@Tekedia
//
The Bybit cryptocurrency exchange has reportedly suffered a massive security breach, with hackers allegedly linked to North Korea making off with $1.4 billion in Ethereum. This incident is being called potentially the largest crypto theft in history. Experts from multiple blockchain security companies have confirmed that the stolen Ethereum has already been moved to new addresses, marking the initial phase of money laundering.
Ari Redbord, a former federal prosecutor and senior Treasury official, highlighted the "unprecedented level of operational efficiency" displayed by the hackers in rapidly laundering the stolen funds. He suggested that North Korea might have expanded its money laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to process illicit funds. The FBI has also linked North Korea-linked TraderTraitor as responsible for the $1.5 Billion Bybit hack
Recommended read:
References :
- Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine.
- Secure Bulletin: The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has once again demonstrated its sophistication and audacity with a staggering $1.5 billion cryptocurrency heist targeting Bybit, a major crypto exchange.
- securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
- infosec.exchange: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum. Bybit also disclosed preliminary results of investigations, which reveal hackers breached a developer’s device at a wallet platform Safe Wallet.
- SecureWorld News: Bybit Hack: FBI Attributes to North Korea, Urges Crypto Sector to Act
- The Register - Security: FBI officially fingers North Korea for $1.5B Bybit crypto-burglary
- PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
- Zack Whittaker: your weekly ~ this week in security ~ is out: • North Korea's record-breaking $1.4B crypto heist
- www.cysecurity.news: Bybit Suffers Historic $1.5 Billion Crypto Hack, Lazarus Group Implicated
- infosec.exchange: NEW: The (allegedly North Korean) hackers behind the Bybit crypto heist have already laundered all the stolen Ethereum, which was worth $1.4 billion. Ari Redbord, former federal prosecutor and senior Treasury official, told me this laundering shows “unprecedented level of operational efficiency,� but there's more steps they need to take to cash out. “This rapid laundering suggests that North Korea has either expanded its money laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to absorb and process illicit funds,� said Redbord.
- The Record: Experts from multiple blockchain security companies said that North Korean hackers were able to move all of the ETH coins stolen from Bybit to new addresses — the first step taken before the funds can be laundered further
- The Record: A provincial court in Barcelona has ordered that three former senior executives at NSO Group be indicted for their alleged role in a high-profile hacking scandal in which at least 63 Catalan civil society members were targeted with the company’s surveillance technology
- Know Your Adversary: News item discussing the massive Bybit crypto theft, potentially the largest in history.
- Metacurity: Lazarus Group hackers have laundered 100% of the $1.4 billion they stole from Bybit
- The Hacker News: Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist
|
|
FlagThis - #beavertail