North Korean remote workers landing jobs in the West

Nov. 6, 2024, 11:34 a.m.

Description

North Korean threat actors are using the Contagious Interview and WageMole campaigns to secure remote employment in Western countries and evade financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, and has targeted over 100 devices across various operating systems. It steals sensitive data, including source code and cryptocurrency information. WageMole then uses the stolen data to build fake identities, relying on generative AI to obtain and perform jobs. The actors aggressively target developers through social media and job platforms, focusing on web, cryptocurrency, and AI roles. They use sophisticated techniques to bypass background checks and secure legitimate remote positions, particularly in small to mid-sized businesses.

Date

  • Created: Nov. 6, 2024, 11:06 a.m.
  • Published: Nov. 6, 2024, 11:06 a.m.
  • Modified: Nov. 6, 2024, 11:34 a.m.

Indicators


Attack Patterns

  • BeaverTail
  • InvisibleFerret
  • North Korean threat actors

Additional Information

  • Construction
  • Retail
  • Technology
  • Healthcare
  • Defense
  • Finance
  • Estonia
  • British Indian Ocean Territory
  • Nigeria
  • Kenya
  • India
  • Spain
  • Japan
  • Pakistan
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America
  • Russian Federation