North Korean remote workers landing jobs in the West

Nov. 6, 2024, 11:34 a.m.

Description

North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devices across various operating systems. The campaign steals sensitive data, including source code and cryptocurrency information. WageMole leverages stolen data to create fake identities, using generative AI to acquire and perform jobs. The actors aggressively target developers through social media and job platforms, focusing on web, cryptocurrency, and AI roles. They use sophisticated techniques to bypass background checks and secure legitimate remote positions, particularly in small to mid-sized businesses.

Date

Published: Nov. 6, 2024, 11:06 a.m.

Created: Nov. 6, 2024, 11:06 a.m.

Modified: Nov. 6, 2024, 11:34 a.m.

Indicators

Attack Patterns

BeaverTail

InvisibleFerret

North Korean threat actors

T1071.002

T1566.003

T1059.006

T1560.001

T1555.003

T1059.007

T1071.001

T1204.002

T1005

T1082

T1083

T1041

Additional Information

Construction

Retail

Technology

Healthcare

Defense

Finance

Estonia

British Indian Ocean Territory

Nigeria

Kenya

India

Spain

Japan

Pakistan

United Kingdom of Great Britain and Northern Ireland

United States of America

Russian Federation