The North Korean-linked Famous Chollima APT group has emerged as a significant and sophisticated threat actor, leveraging a highly deceptive multi-stage attack methodology that weaponizes the job recruitment process. Since December 2022, this group has been actively orchestrating targeted campaigns against job seekers and organizations, exploiting the inherent trust associated with professional networking and employment opportunities. The operation begins with attackers posing as legitimate recruiters or hiring managers who invite potential victims, primarily software developers and IT professionals, to participate in online interviews. This social engineering tactic is remarkably effective as it preys on individuals actively seeking new employment, making them more susceptible to manipulation.
During these seemingly authentic video conference interviews, the threat actors skillfully guide victims into a trap by presenting them with what appears to be a standard technical evaluation or code review. They instruct the targets to download and install malicious NPM packages hosted on GitHub repositories. This phase of the attack is particularly cunning, as it transforms a routine interview practice into a delivery mechanism for malware. By framing the malicious packages as legitimate software requiring technical scrutiny, the attackers effectively bypass initial suspicion and leverage the professional expertise of their targets against them. The choice of targeting software developers and IT professionals is strategic, as these individuals not only possess the technical skills to fall for this ruse but also often have privileged access to sensitive organizational resources.
The delivery mechanism itself represents a sophisticated abuse of GitHub’s trusted infrastructure, turning the platform into an unwitting distribution network for malicious payloads. The attackers create repositories containing NPM packages that are embedded with obfuscated JavaScript code. When executed, this code deploys the InvisibleFerret backdoor. The use of GitHub provides a layer of legitimacy and trust, as developers are accustomed to downloading code from the platform. The malware’s infection chain, as identified by Offensive Security Engineer Abdulrehman Ali, demonstrates the group’s advanced capabilities and meticulous planning.
Once deployed, the InvisibleFerret backdoor establishes a persistent command-and-control (C2) communication channel.
This Python-based malware secures its communication through TCP connections that are encrypted using XOR, making it more difficult to detect and analyze. The primary functions of InvisibleFerret include enabling remote access to the compromised machine and harvesting credentials, allowing the attackers to move laterally within the victim’s network and exfiltrate sensitive data.
The sophistication of this backdoor highlights the group’s technical prowess and their goal of long-term persistence within target environments.
The campaign’s success is rooted in its exploitation of two key demographic vulnerabilities: recently laid-off employees who may still retain access credentials to their former employers, and active professionals seeking freelance opportunities. These groups are more likely to be actively engaged in the job market and more susceptible to an attack disguised as a legitimate employment opportunity. The Famous Chollima APT group’s methodology represents a significant evolution in social engineering tactics, moving beyond simple phishing to a multi-stage, interactive attack that leverages the trust and professional norms of the software development community to achieve its malicious objectives.
Reference:
