Cyber Security News

North Korean Hackers Wipe Cryptocurrency Wallets via Fake Job Interviews

Cybersecurity experts have uncovered a new wave of cyberattacks linked to North Korean threat actors targeting cryptocurrency wallets in an operation dubbed the “Contagious Interview” campaign.

The attackers employ sophisticated phishing tactics under the guise of job interviews, exploiting platforms like LinkedIn to target unsuspecting job seekers.

Modus Operandi of the Attack

The campaign begins with victims being contacted by cybercriminals posing as recruiters. These individuals direct victims to fraudulent websites designed to impersonate legitimate recruitment platforms like the Willo candidate screening site.

After simulating a technical error, these fake sites prompt potential victims to download a malicious “fix.” Once executed, this script delivers a payload containing malware aimed at draining cryptocurrency wallets.

The campaign has been active since late 2024, with experts warning of its implications for victims across multiple operating systems, including Windows, macOS, and Linux.

Notably, the attackers implement their malicious code in cross-platform languages such as Go (Golang), which lets the same tooling run on each of these operating systems.

Technical Analysis

The malicious payload, often distributed as a ZIP file named VCam_intel.zip, includes a range of tools aimed at persistent system infection and data theft.

The malware employs a sophisticated approach, combining shell scripts and Golang-based programs to deploy a backdoor and a credential-stealing mechanism.

One notable component, ChromeUpdateAlert.app, is designed specifically for macOS and mimics a legitimate Chrome update process to deceive users and steal credentials.

It displays a fake microphone permission alert, prompting victims to enter their system password, which is then exfiltrated to the attackers using Dropbox.

The malware’s key functions include the ability to exfiltrate sensitive files, such as cryptocurrency wallet data, and execute shell commands remotely, providing attackers with significant control over the compromised system.

It also modifies Chrome browser preferences, likely to facilitate the deployment of malicious extensions targeting the MetaMask wallet.

Additionally, the malware is capable of extracting Chrome cookies, passwords, and macOS Keychain data, enabling attackers to access stored credentials and other sensitive information.

This highlights the importance of maintaining strong security practices, including scrutinizing unexpected permission requests and keeping security tools updated.

The malware operates via a persistent service registered on the host system and communicates with its command-and-control (C2) server to execute various commands.

The primary objective of this campaign appears to be cryptocurrency theft. The attackers seek to harvest cryptocurrency wallet data by targeting applications like MetaMask.

This effort aligns with broader North Korean state-sponsored campaigns aimed at funding their regime through cybercrime.

Numerous reports estimate that North Korea has stolen billions in cryptocurrency over the past several years.


Key Findings

Security researchers, including @tayvano_ and @500mk500, played a vital role in identifying the domains and hashes associated with this campaign.

The malicious domains, such as api.camera-drive[.]cloud and api.nvidia-cloud[.]online, were used to host and distribute the infected payloads.

The malware exhibits sophisticated capabilities, including architecture detection and cross-platform compatibility.

Further analysis of the malware revealed the use of previously known malicious domains and tactics, such as those linked to trojanized npm packages.

These connections highlight the evolution and adaptability of North Korean-affiliated cybercrime campaigns.

The malware’s Golang code contains several advanced features:

  • Persistent Backdoor: Maintains a constant connection with the C2 server, enabling attackers to execute commands and leverage data-stealing tools.
  • Targeting Chrome User Data: Focuses on the “Local Extension Settings” directory to identify and exploit MetaMask wallet extensions.
  • Multi-Level Commands: Incorporates commands for uploading/downloading files, executing shell commands, and extracting Chrome preferences and cookies.

Immediate Actions for Users

To stay protected, experts recommend:

  1. Exercise Caution in Job Offers: Verify the authenticity of recruiters and job interviews, especially when asked to download files or share sensitive information.
  2. Update Antivirus Solutions: Ensure all systems and antivirus software are up to date to detect and mitigate such threats.
  3. Avoid Running Unknown Commands: Be wary of commands or fixes suggested in emails or messages from unknown sources.
  4. Use Multi-Factor Authentication (MFA): Secure cryptocurrency wallets and other sensitive accounts with MFA.

For organizations and individuals handling cryptocurrencies, vigilance is imperative to navigate this complex threat landscape.

IOCs for SOC/DFIR Teams

  • Golang backdoor/stealer: 60ec2dbe8cfacdff1d4eb093032b0307e52cc68feb1f67487d9f401017c3edd7
  • C2: http://216.74.123[.]191:8080
  • ChromeUpdateAlert.app: b72653bf747b962c67a5999afbc1d9156e1758e4ad959412ed7385abaedb21b6
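A small triage helper for the IOCs above, added here as an example (not code from the article or the researchers it cites): it refangs the defanged indicators, hashes files under a directory against the two published SHA-256 values, and scans proxy log lines for the C2 and payload-hosting domains. The sample log lines are constructed; the IOC values are the ones listed in this article.

```python
import hashlib
import re
from pathlib import Path

# IOCs taken from the article, kept in their defanged form.
IOC_SHA256 = {
    "60ec2dbe8cfacdff1d4eb093032b0307e52cc68feb1f67487d9f401017c3edd7": "Golang backdoor/stealer",
    "b72653bf747b962c67a5999afbc1d9156e1758e4ad959412ed7385abaedb21b6": "ChromeUpdateAlert.app",
}
IOC_NETWORK = ["http://216.74.123[.]191:8080", "api.camera-drive[.]cloud", "api.nvidia-cloud[.]online"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('216.74.123[.]191', 'hxxp://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root: Path, iocs=IOC_SHA256) -> list[tuple[str, str]]:
    """Return (path, label) for every regular file under root whose SHA-256 is a known IOC."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            label = iocs.get(sha256_file(p))
            if label:
                hits.append((str(p), label))
    return hits


def scan_log_lines(lines, iocs=IOC_NETWORK) -> list[tuple[int, str]]:
    """Return (line_number, indicator) for log lines containing a refanged network IOC."""
    # Drop the scheme so the C2 also matches a bare host:port field in proxy or firewall logs.
    patterns = [(i, re.compile(re.escape(re.sub(r"^https?://", "", refang(i))))) for i in iocs]
    return [(n, raw) for n, line in enumerate(lines, 1) for raw, pat in patterns if pat.search(line)]


# Constructed sample proxy log, not real telemetry.
SAMPLE_LOG = [
    "2025-01-06T10:01:02Z user1 GET https://www.example.com/ 200",
    "2025-01-06T10:01:09Z user1 POST http://216.74.123.191:8080/upload 200",
    "2025-01-06T10:02:41Z user2 GET https://api.nvidia-cloud.online/VCam_intel.zip 200",
]

if __name__ == "__main__":
    for n, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: matched {ioc}")
```

Point `scan_files` at download directories and the macOS Applications folder on suspect hosts; a hash match on either value is a confirmed hit, while a log match on the domains warrants pulling the downloaded archive for analysis.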


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
