North Korean remote workers landing jobs in the West
Nov. 6, 2024, 11:34 a.m.
Tags
Description
North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devices across various operating systems. The campaign steals sensitive data, including source code and cryptocurrency information. WageMole leverages stolen data to create fake identities, using generative AI to acquire and perform jobs. The actors aggressively target developers through social media and job platforms, focusing on web, cryptocurrency, and AI roles. They use sophisticated techniques to bypass background checks and secure legitimate remote positions, particularly in small to mid-sized businesses.
Date
Published: Nov. 6, 2024, 11:06 a.m.
Created: Nov. 6, 2024, 11:06 a.m.
Modified: Nov. 6, 2024, 11:34 a.m.
Indicators
Attack Patterns
BeaverTail
InvisibleFerret
North Korean threat actors
T1071.002
T1566.003
T1059.006
T1560.001
T1555.003
T1059.007
T1071.001
T1204.002
T1005
T1082
T1083
T1041
Additional Information
Construction
Retail
Technology
Healthcare
Defense
Finance
Estonia
British Indian Ocean Territory
Nigeria
Kenya
India
Spain
Japan
Pakistan
United Kingdom of Great Britain and Northern Ireland
United States of America
Russian Federation