Cybersecurity News that Matters

New malware allows North Korea to deploy fake recruitment schemes, research says

Illustration by Sangseon Kim, The Readable

by David DiMolfetta

Oct. 10, 2024
10:23 PM GMT+9

Programming interviews for software development roles are a common practice in the tech industry. However, it is rare for these interviews to involve code designed to secretly steal sensitive data from job candidates’ computers.

“He wanted me to open up a full stack application and explain the code. I did, but I ran it in a [virtual machine] (because you should NEVER run random code that you do not understand from a suspicious party), and he was not happy,” said Richard Chang, a software engineer, posting on LinkedIn, sharing his experience with what turned out to be a fake recruiter.

“He kept giving excuses about how it needed to be run in an actual machine because of Windows … issues. The code however is malicious (yes, Javascript code can be evil),” Chang added. The “surprisingly sophisticated” code was actually designed to surreptitiously scan for logs and passwords stored on the computer, he explained.

The phony recruiter, Onder Kayabasi, has since been removed from LinkedIn. However, this is not the first time that entity has targeted job seekers for digital theft.

Kayabasi’s case was not an isolated incident. In fact, Chang’s experience bore similarities to tactics used by North Korea-backed hackers who impersonate legitimate job recruiters seeking to install information-stealing malware on candidates’ devices. These schemes, including Kayabasi’s, are detailed in new findings from Unit 42, the cyber threat intelligence division at Palo Alto Networks.

Unit 42 has been monitoring the North Korea-aligned operation since last November, but a new report released Wednesday reveals that more fake recruiters are emerging online. These imposters are using increasingly sophisticated code to execute their schemes.

According to the analysis, two malware families, known as BeaverTail and InvisibleFerret, have been enhanced to more effectively capture sensitive data from targeted devices. These upgrades increase the malware’s pervasiveness in its data collection efforts.

BeaverTail is typically disguised as a video calling or web conferencing application when deployed on victims’ machines. However, the hackers have enhanced it to work on both Windows and macOS platforms, broadening its ability to target job seekers who fall victim to the data-stealing scheme.

The changes to InvisibleFerret’s code are not as pronounced, but one update allows cyber intruders to search for files that match given patterns. “While its general functionality remains nearly identical, these updates suggest that the malware authors are actively working on the malware’s code in between the waves of their attacks,” the analysis notes.

North Korea is recognized as a major cyber adversary of the West alongside China, Russia, and Iran. However, Pyongyang distinguishes itself from these nations because its cyber operations primarily target data and financial theft, rather than the high-profile hacks aimed at influencing global political discourse that characterize the activities of the others.

The activities monitored by Unit 42 reflect a longstanding effort by North Korea to steal data, intelligence, money, and other resources to support its nuclear missile program. The North has deployed covert operatives worldwide who pose as legitimate technology workers, infiltrating companies to execute long-term schemes inside firms in order to fund Pyongyang’s weapons research.

Last month, Google revealed that several U.S. companies contacted them after discovering they had unknowingly hired North Koreans who used fake identities to secure remote IT positions.

According to South Korea’s Institute for National Security Strategy, North Korea has stolen approximately $1.34 billion in cryptocurrency over the past seven years. More broadly, North Korea acquired around $6.29 billion through illicit activities from 2017 to 2023, the institute added.

In July, the FBI elevated the classification of the DPRK-backed Andariel hacking collective to that of an Advanced Persistent Threat. The agency stated that the group targeted information stored in U.S. government nuclear facilities and research institutes, as well as data related to uranium processing and enrichment, nuclear power plants, radar systems, and various other sectors that bolster the regime’s military capabilities.

“It is essential for individuals and organizations to be aware of such advanced social engineering campaigns. We encourage the community to leverage our findings to inform the deployment of protective measures to defend against such threats,” Palo Alto says.


Related article: North Korean IT workers fund Pyongyang with earnings from illegal gambling sites, intelligence agency reveals

Illustration by Sangseon Kim, The Readable

A group of North Korean information technology professionals has reportedly sold thousands of illegal gambling websites to South Korean criminal organizations, funneling their profits back to the North Korean government. According to the South Korean intelligence agency, over a thousand North Korean IT professionals are suspected of generating illicit revenue from overseas, particularly in China, through the sale of such online gambling platforms.

The National Intelligence Service (NIS) on Wednesday revealed details about an illegal online gambling network run by a group of North Korean IT professionals based in Dandong, China. Identified as “Gyonghung Information Technology Co., Ltd,” this group reportedly charged clients $5,000 to create illegal gambling websites and received $3,000 monthly payments for site management. Additionally, they imposed fees ranging from $2,000 to $5,000 on a monthly basis in instances of heightened website traffic. The exact earnings of this group were not disclosed by the NIS.

  • David DiMolfetta

    David DiMolfetta is a contributing writer at The Readable. Based in Washington D.C., he is a full-time cybersecurity reporter for Nextgov/FCW, a news website and trade magazine focused on U.S. federal...