TechRadar
Sead Fadilpašić

North Korean hackers are at it again — phishing scheme targets hundreds of workers to try and steal crypto and more

  • UNK_DeadDrop targets developers with email‑based fake job lures
  • Campaign mirrors Lazarus tactics but uses new self‑contained payloads
  • Proofpoint says shift to mass phishing shows industrialized NK ops

Lazarus is not the only North Korean threat actor luring software developers with fake jobs. A hacking group called UNK_DeadDrop is now doing a similar thing, but with notable differences.

Security researchers at Proofpoint published an in-depth report on an ongoing campaign that resembles Contagious Interview.

For those unaware of Contagious Interview, it is one of two major Lazarus campaigns, the second one being Operation DreamJob. The crooks would fake everything (a company, its employees, and its projects) and then go to LinkedIn for a “hiring spree.” They would reach out to software developers working in high-profile AI and Web3 organizations, offering high-paying jobs and a chance to work on exciting new projects.

Similarities and differences

The hiring process, however, would include a trial assignment, which often required the victims to run malicious code from GitHub. After infecting their targets with infostealers, the crooks would access company profiles, exfiltrate crypto wallet information, and then steal as many tokens as possible.

According to some sources, Lazarus alone was able to steal billions of dollars in crypto over the years.

While UNK_DeadDrop is more or less doing the same thing, its approach is somewhat different. Instead of using LinkedIn for initial contact, these attackers rely mostly on email. They don’t arrange fake interviews, but rather just send unsolicited job offers or code review requests. And finally, they use a new, self-contained payload distinct from what was previously seen in Contagious Interview campaigns.

“UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Proofpoint’s researchers concluded.

“The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations.”

Via The Register
