Hackers Lure Developers with Fake Interviews to Spread Malware

Hackers linked to North Korea have been discovered using fake job interviews to target developers in the tech industry, deploying updated malware variants known as BeaverTail and InvisibleFerret.

This malicious campaign, tracked as CL-STA-0240 and dubbed “Contagious Interview,” was first disclosed by researchers in November 2023. The attackers pose as potential employers, contacting developers through job platforms and offering fake online interviews.

During these interviews, the victims are tricked into downloading malware under the guise of completing coding assignments.

The first stage of the attack involves the BeaverTail downloader, a tool capable of infecting both Windows and macOS systems. It facilitates the installation of InvisibleFerret, a Python-based backdoor that gives the hackers remote access to the victim’s device. Despite the public exposure of this campaign, it remains active, signaling that the attackers are still finding success.

The attacks rely on fake Windows and macOS video conferencing apps that impersonate legitimate platforms. Security researchers who analyzed these attacks noted that, even after the campaign was exposed, the hackers’ tactics haven’t changed significantly, largely because of the effectiveness of their social engineering techniques.

By posing as recruiters and exploiting the trust of job seekers, these threat actors have developed a highly successful method of infiltrating developers’ systems.

The newer version of BeaverTail is built using the cross-platform Qt framework, making it more flexible and allowing the malware to run on both Windows and macOS. Once installed, it can steal browser passwords, access cryptocurrency wallets, and collect sensitive data.

The malware also serves as a gateway for installing InvisibleFerret, which enables remote control of infected devices, keylogging, and exfiltration of sensitive information, including browser credentials and credit card data. The attackers seem motivated by financial gain, as BeaverTail can steal data from various cryptocurrency wallets.

To avoid falling victim to these types of attacks, job seekers and developers should be vigilant when interacting with potential employers online. Avoid downloading any files from unknown sources, and be cautious of job offers or assignments that require software installations.

Companies should also raise awareness among employees about such social engineering tactics, helping to prevent attackers from exploiting trust in professional settings.