Hundreds of freelance software developers, ranging from junior developers to highly experienced professionals, have been targeted and infected with North Korean malware over the past year, according to a new report from ESET.
The victims, mostly associated with cryptocurrency and decentralized finance projects and English speakers, were targeted with fake job opportunities as part of a widespread campaign tracked as DeceptiveDevelopment.
As part of the attacks, ongoing since early 2024, the threat actors relied on fake personas and copied profiles to pose as software development recruiters and convince victims into downloading software projects that contained malware.
North Korean hackers have been long seen using fake job offers to deliver malware to unsuspecting victims, either for espionage purposes, or for financial gain, and ESET notes that the DeceptiveDevelopment campaign follows the same patterns.
On platforms like LinkedIn, Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List, the attackers are posting fake job offerings or approaching targets who are looking for employment to convince them to download a malicious project.
ESET warns that the targets are asked to inspect the software project, which is delivered either via file transfer or through a link to a private repository on GitHub, GitLab, or Bitbucket, to compile and execute it, and to report back to the fake recruiter with any issues discovered.
Within otherwise benign components of the repository, however, the attackers hid malicious code that infects the victim’s machine with BeaverTail, an information stealer and downloader, which in turn deploys InvisibleFerret, a modular Python-based spyware and backdoor, on the system.
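The lure described above asks the target to compile and run a delivered project before anyone has read it. A lightweight pre-execution triage pass over the checked-out tree is one defensive habit that fits this pattern. The following is an added example written for this page, not ESET's tooling or anything from the campaign; the indicator regexes, the 500-character long-line threshold and the constructed toy repository are all assumptions chosen for illustration.

```python
"""Pre-execution triage of a delivered code repository (added example).

Walks a directory tree and flags heuristics often associated with code
buried inside an ordinary-looking project: very long single lines (a
payload padded off-screen past legitimate content), dynamic code
execution, base64 decoding of inline blobs, and process spawning.
It is a review aid, not a verdict: every hit still needs a human look.
"""
import os
import re
import tempfile

# Heuristic indicators; the regexes are assumptions chosen for this example.
INDICATORS = {
    "dynamic_exec": re.compile(r"\b(eval|exec|Function)\s*\("),
    "base64_decode": re.compile(r"\b(atob|b64decode|Buffer\.from)\s*\("),
    "child_process": re.compile(r"\b(child_process|subprocess|os\.system)\b"),
}
LONG_LINE = 500  # characters; assumed threshold for "padded one-liner"
SCAN_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".json"}
SKIP_DIRS = {".git", "node_modules", ".venv"}


def scan_file(path):
    """Return (path, line_number, indicator) tuples for one source file."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if len(line) > LONG_LINE:
                findings.append((path, lineno, "long_line"))
            for name, rx in INDICATORS.items():
                if rx.search(line):
                    findings.append((path, lineno, name))
    return findings


def scan_repo(root):
    """Scan every file with a scanned extension under root, skipping vendored dirs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            if os.path.splitext(fn)[1] in SCAN_EXT:
                findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


def build_sample_repo():
    """Construct a toy project for the demo (constructed data, not a real sample).

    app.js is clean; config.js hides an eval(atob(...)) call behind 600 spaces
    so it sits far to the right of the visible content in an editor.
    """
    root = tempfile.mkdtemp(prefix="triage_")
    src = os.path.join(root, "src")
    os.makedirs(src)
    with open(os.path.join(src, "app.js"), "w", encoding="utf-8") as fh:
        fh.write("const express = require('express');\n")
        fh.write("module.exports = () => express();\n")
    with open(os.path.join(src, "config.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = { port: 3000 };" + " " * 600
                 + "eval(atob('PLACEHOLDER'));\n")
    return root


def demo():
    """Build the constructed repo and return its findings."""
    return scan_repo(build_sample_repo())


if __name__ == "__main__":
    for path, lineno, kind in demo():
        print(f"{kind:14} {os.path.relpath(path)}:{lineno}")
```

On the constructed repository the clean `app.js` produces nothing, while the single padded line in `config.js` is reported three times (long line, dynamic execution, base64 decode), which is the kind of stacked signal worth reading before the project is ever built or executed.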
The two malware families allow the North Korean hackers to harvest and exfiltrate cryptocurrency wallets, credentials, and to deploy additional tools, such as the AnyDesk remote management and monitoring software. The attacks have been targeting Windows, Linux, and macOS devices.
ESET identified two versions of BeaverTail, written in JavaScript and Qt, respectively, featuring similar capabilities, such as the exfiltration of sensitive information from Chrome and Edge.
InvisibleFerret, which has four modules, achieves persistence through the deployment of the AnyDesk module, and requires operator interaction for command execution, data exfiltration, and attack propagation.
The backdoor supports eight commands, allowing attackers to execute shell commands, exfiltrate keylogger and clipboard stealer data, install additional modules, steal files and directories over FTP, terminate browser processes, and remove the malware.
ESET’s investigation into these attacks revealed the use of dedicated servers hosted by commercial hosting providers, and the use of HTTP and TCP sockets for communication with the command-and-control (C&C) server.
“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” ESET notes.