North Korean IT Worker Using Weaponized Video Conference Apps To Attack Job Seakers

North Korean IT workers, operating under the cluster CL-STA-0237, have been implicated in recent phishing attacks leveraging malware-infected video conference apps. 

The group, likely based in Laos, has demonstrated a sophisticated approach, infiltrating a U.S.-based SMB IT services company to gain access to sensitive information and secure a position at a major tech company. 

It aligns with broader North Korean cyber operations, including support for WMD and ballistic missile programs, as the shift towards more aggressive malware campaigns and the global reach of these IT workers highlight the evolving threat landscape.

North Korean threat actor CL-STA-0237, linked to the MiroTalk phishing campaign, compromised a U.S.-based SMB IT services company. 

The actor stole sensitive company information and gained control over multiple IT infrastructure and management accounts, which allowed CL-STA-0237 to impersonate the company to apply for IT jobs or potentially target job seekers with malware. 

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

It remains unclear whether the actor was an employee or had a partnership with the company, highlighting the potential risks of outsourcing IT services. 

The hackers used multiple fake identities to conduct cyberattacks, while one specific actor, CL-STA-0237, created fake resumes with stolen photos, likely taken during video conferences with potential employers.

Analysis of geolocation data and timestamps suggests this actor may have been physically present in Laos during late 2020 to mid-2021, which differs from previous campaigns linked to China and Russia, indicating a shift in operational tactics.

CL-STA-0237 successfully infiltrated a major tech company in 2022 by creating a legitimate employee account, which provided access to the company’s single sign-on system, granting the threat actor broad access to sensitive company data and systems. 

The compromised account was most likely used to facilitate cyber operations against the targeted organization that were not only persistent but also potentially impactful. 

Recent investigations by Palo Alto Networks suggest the Contagious Interview campaign may be linked to the notorious North Korean threat actor, Lazarus. 

While the exact role of IT workers involved remains unclear, their potential assistance to other hacking groups is evident. Meanwhile, the Wagemole campaign has seen new developments. 

Ethereum wallets tied to one of its clusters transferred significant funds to a wallet belonging to sanctioned North Korean individual Sang Man Kim. 

Kim’s involvement in managing the finances of overseas North Korean IT workers strengthens the connection between the campaign and North Korea’s illicit activities.

North Korean threat actors are increasingly leveraging job-related campaigns to fund illicit activities, which involve both subtle infiltration through fake IT worker personas and more aggressive tactics like insider threats and malware attacks. 

To counter this growing threat, organizations must strengthen their security measures, including vigilant monitoring for insider threats, rigorous vetting of outsourced services, and strict enforcement of corporate device usage policies to prevent unauthorized personal activities.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free