In a recent cyber-attack campaign dubbed “Contagious Interview,” North Korean hackers successfully targeted at least 230 individuals by posing as recruiters for prominent cryptocurrency and decentralized finance firms. This campaign, an evolution of a similar operation that began in 2022, primarily lures prospective victims through fake job interview invitations. The attackers, operating in a highly coordinated fashion, impersonate legitimate entities such as Archblock, Robinhood, and eToro and offer enticing roles like Portfolio Manager and Senior Product Manager. They meticulously crafted numerous fake websites and sent hundreds of these fraudulent invitations to individuals in the cryptocurrency and blockchain sectors, who are the primary targets of these sophisticated social engineering attacks.
After a series of back-and-forth communications, the unsuspecting job applicants are directed to an attacker-controlled website to complete a supposed “skill assessment.” This website, however, is a trojan horse designed to infect the victim’s system with malware. The attackers utilize a clever technique called ClickFix, where they display a fabricated error message on the site, instructing the victim to copy and paste a series of commands into a command line window to “fix” the problem. This seemingly innocuous action is actually the final step in the malicious chain, as it executes the malware on the victim’s computer, compromising their system and potentially leading to significant data and financial losses.
The threat actors behind this operation demonstrated a high level of coordination and adaptability. Analysts from SentinelLabs and Validin observed that the hackers actively monitored cyber threat intelligence (CTI) platforms like VirusTotal and Maltrail to stay informed about their own infrastructure’s detection status. They were seen making minimal but effective changes to their existing infrastructure to evade detection, suggesting a deep understanding of cyber defense mechanisms. Furthermore, their use of tools like Slack for internal communication and their careful evaluation of new infrastructure before acquisition highlights the professional and organized nature of their operation, likely operating in teams to investigate and respond to detection alerts.
The “Contagious Interview” campaign is not the only method employed by these North Korean state-sponsored actors to target the decentralized finance industry. In a separate attack, hackers impersonated employees of legitimate investment institutions on Telegram, exploiting a Chrome zero-day vulnerability to compromise an employee’s device and gain persistent access to a DeFi organization’s network. This highlights a broader strategy of using diverse social engineering tactics to infiltrate and compromise high-value targets. The attackers deployed an array of sophisticated tools, including keyloggers, screenshot utilities, and various RATs (Remote Access Trojans) like PondRAT, ThemeForestRAT, and the more advanced RAT RemotePE, to maintain control and exfiltrate data from the compromised network.
These attacks underscore the evolving and persistent threat posed by North Korean hackers to the global financial and cryptocurrency sectors. Their tactics range from large-scale phishing and social engineering campaigns to the exploitation of zero-day vulnerabilities, all aimed at financial gain and intelligence gathering. The use of sophisticated tools and a high degree of coordination among the threat actors make these campaigns particularly dangerous and difficult to defend against. As the cryptocurrency industry continues to grow, so too does the sophistication of the cyber threats it faces, necessitating a proactive and vigilant approach to cybersecurity for both individuals and organizations.
Reference:
