North Korean hackers have used the BeaverTail malware in phishing campaigns that target job seekers in the technology sector via fake recruiters, according to Palo Alto Networks.
Unit 42, Palo Alto Networks’ research team, observed that a North Korean IT worker activity cluster tracked as CL-STA-0237, likely operating from Laos, was involved in recent phishing attacks using BeaverTail-infected video conferencing apps.
Background on BeaverTail
The BeaverTail malware is distributed through files disguised as legitimate applications, such as MiroTalk and FreeConference, deceiving victims into installing the malicious software.
Details about BeaverTail were initially reported by Unit 42 in November 2023.
Twelve months ago, the malware was used as part of a phishing campaign called ‘Contagious Interview’ involving a North Korean threat cluster tracked as CL-STA-240.
The campaign has since evolved, with new malware versions including a downloader compiled using the cross-platform Qt framework. This allows attackers to deploy malware on both macOS and Windows systems from a single source code.
Additionally, code updates have been made to the InvisibleFerret backdoor, which enables further control of infected devices.
Get the Job, Then Spread Malware
In a new report published on November 14, 2024, Unit 42 observed CL-STA-0237, another North Korean threat group, leveraging BeaverTail for a campaign that started as early as 2022.
First, CL-STA-0237 registered new internet domains associated with a July 2024 MiroTalk fake job campaign.
The group exploited information from a US-based IT services company and controlled multiple IT infrastructure and management accounts that belonged to the company.
A persona linked to the group listed the company as its employer, citing employment since 2019 in some of its fake resumes. It also managed email accounts that mimicked the company’s owner, using them to apply for other jobs.
The Unit 42 researchers assessed that the group either stole the US company’s access credentials or that someone from the group was hired as an IT worker in the company or an outsourcing partner, which allowed them to gain access to the company’s infrastructure.
The researchers also believe that members of CL-STA-0237 likely secured multiple short-term and long-term jobs from companies of various sizes, including a potential role in one major tech company in 2022.
The group used these positions to target job seekers with BeaverTail malware infections.
North Korean IT Workers Go Phishing
The Unit 42 researchers believe that CL-STA-0237 is another cluster of a broader network of North Korean IT workers supporting the nation's illicit activities, including the development of weapons of mass destruction (WMD) and ballistic missile programs.
It also shows that North Korean fake IT workers are no longer deployed only for stable income-seeking activities but also to spread phishing campaigns and deploy malware across the world.
Upon analyzing CL-STA-0237’s online presence, including the IP addresses the group used and one persona’s profile pictures and metadata, Unit 42 assessed that the group operates from Laos.
The Southeast Asian country is one of the preferred locations for the deployment of North Korean IT workers.
Unit 42 also cautioned: “Since our previous report on the two job-related campaigns, some researchers have begun attributing the Contagious Interview campaign to the well-known North Korean threat group, Lazarus. However, we are not certain whether the IT workers led the attacks or simply assisted other hacking groups.”
This is why the researchers continue using temporary cluster names such as CL-STA-240 and CL-STA-0237.
Mitigating the IT Worker Threat
Unit 42 shared recommendations for companies to prevent infiltration by North Korean IT workers or at least mitigate the threat.
Some of these measures include:
- Strengthening their hiring screening processes
- Implementing robust monitoring to identify insider threats (e.g. using a risk matrix)
- Keeping accessible records of IT asset distribution
- Thoroughly evaluating outsourced services
- Ensuring that employees do not use corporate machines for personal activities
- Scrutinizing anomalous IP addresses
- Enforcing the zero-trust principle of least privilege
- Engaging specialized firms offering identity document verification services to mitigate the risks associated with manipulated identification documents
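Two of the recommendations above, monitoring for insider threats and scrutinizing anomalous IP addresses, translate directly into detection logic over authentication logs. The script below is an added example, not tooling from Unit 42 or Palo Alto Networks: it builds a per-account baseline of sign-in networks, then flags sign-ins from a network (ASN) the account has never used, rapid country changes that a single person could not plausibly make, and one IP address shared by several accounts, which is what a single operator running multiple hired personas from one workstation would look like. The log format, the IP addresses, ASNs, account names and the thresholds are all constructed for illustration.

```python
"""Flag anomalous sign-in sources per account from authentication logs.

Added illustration, not the Unit 42 report's tooling. The log format and all
sample values (accounts, IPs, ASNs, countries) are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: ISO timestamp, account, source IP, country, ASN, result.
SAMPLE_LOG = """\
2024-07-01T08:02:11Z alice 203.0.113.10 US AS64500 success
2024-07-01T09:15:42Z alice 203.0.113.10 US AS64500 success
2024-07-02T08:10:05Z alice 203.0.113.12 US AS64500 success
2024-07-02T22:47:30Z alice 198.51.100.77 LA AS64511 success
2024-07-02T23:05:12Z alice 203.0.113.10 US AS64500 success
2024-07-01T10:00:00Z bob 192.0.2.55 US AS64496 success
2024-07-02T10:05:00Z carol 192.0.2.55 US AS64496 success
2024-07-02T10:06:00Z dave 192.0.2.55 US AS64496 success
"""


@dataclass
class Event:
    ts: datetime
    account: str
    ip: str
    country: str
    asn: str
    result: str


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country, asn, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            account, ip, country, asn, result))
    return sorted(events, key=lambda e: e.ts)


def find_anomalies(events: List[Event], baseline_days: int = 1,
                   travel_window: timedelta = timedelta(hours=2),
                   shared_ip_threshold: int = 3) -> List[Tuple]:
    """Return a list of alert tuples; the first element is the alert kind.

    Thresholds are assumptions chosen for the sample data, not recommendations.
    """
    alerts: List[Tuple] = []
    seen_asn: Dict[str, Set[str]] = defaultdict(set)   # account -> ASNs in baseline
    last_event: Dict[str, Event] = {}                   # account -> previous success
    accounts_by_ip: Dict[str, Set[str]] = defaultdict(set)
    baseline_end = events[0].ts + timedelta(days=baseline_days)

    for e in events:
        if e.result != "success":
            continue
        accounts_by_ip[e.ip].add(e.account)
        if e.ts < baseline_end:
            # Learning phase: record which networks each account normally uses.
            seen_asn[e.account].add(e.asn)
        else:
            if e.account not in seen_asn:
                # Account never seen during the baseline window at all.
                alerts.append(("no_baseline", e.account, e.ip, e.asn))
            elif e.asn not in seen_asn[e.account]:
                # Known account signing in from a network it has never used.
                alerts.append(("new_asn", e.account, e.ip, e.asn))
            prev = last_event.get(e.account)
            if prev and prev.country != e.country and e.ts - prev.ts < travel_window:
                # Two countries within a window too short for real travel.
                alerts.append(("country_change", e.account, prev.country, e.country))
        last_event[e.account] = e

    # One source IP used by many distinct accounts: a shared operator workstation
    # or proxy is one plausible explanation and warrants a look.
    for ip, accounts in accounts_by_ip.items():
        if len(accounts) >= shared_ip_threshold:
            alerts.append(("shared_ip", ip, tuple(sorted(accounts))))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two design choices matter in practice. The baseline is learned from the first day of traffic, so an account that was already compromised (or already belonged to a fake worker) during that window is baselined as normal; a real deployment seeds the baseline from HR data (expected country, corporate VPN ASNs) rather than from observed traffic alone. And the shared-IP rule is deliberately a review queue, not a verdict: a corporate NAT or VPN egress will trip it, so it is best paired with the IT asset records the list recommends keeping, so that an IP can be mapped to a known corporate egress before anyone is alerted.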