North Korean Hackers Set Up Campaign to Target Crypto Developers with U.S. Shell Firms


North Korean hackers created US shell companies to distribute malware to crypto developers through fake job interviews.

North Korean hackers targeted cryptocurrency developers by creating fraudulent US companies (Softglide and Blocknovas).

According to security firm Silent Push, North Korean hackers have set up phony businesses in the US as part of a plan to target and infiltrate bitcoin innovators.

The operation, which was made public on Thursday, demonstrates how these threat actors are changing their strategies to look more authentic while engaging in cyber theft and espionage.

False names and addresses in New York and New Mexico were used to establish two companies, Blocknovas and Softglide. Angeloper Agency, a third business, was also found to be involved in the scam.

This operation has been associated by security researchers with the “Contagious Interview” branch of the Lazarus Group.

In recent years, the North Korean-backed Lazarus Group has stolen billions of dollars’ worth of cryptocurrencies using ever-more-advanced methods that target both people and businesses.

Sophisticated Hiring Scam

The hackers’ strategy is successful and deceptive. To draw in bitcoin developers, they publish job openings and fabricate profiles akin to those on LinkedIn.

Candidates are fooled into installing malicious software under the guise of job application tools throughout the hiring process.

According to Kasey Best, director of threat intelligence at Silent Push, “this is a rare example of North Korean hackers actually managing to set up legal corporate entities in the US in order to create corporate fronts used to attack unsuspecting job applicants.”

When victims attempt to record an introductory video during the phony interviews, they are presented with an error message.

Users must “click, copy, and paste” in order to use the provided remedy, which infects their systems with malware.

Silent Push named several of the operation’s victims. Out of the three front firms, Blocknovas was the most active, according to the security firm.

Softglide was registered through a tax agency in Buffalo, New York, but its South Carolina location seems to be an empty lot.

The AI Deception and the Malware Arsenal

At least three distinct malware strains that have been linked to North Korean cyber teams in the past are used in the campaign. These consist of OtterCookie, BeaverTail, and InvisibleFerret.

BeaverTail’s main purpose is to load more malware and steal information. InvisibleFerret and OtterCookie target private data, such as clipboard contents and bitcoin wallet keys.

The malware has the ability to remotely access compromised systems, steal data, and act as a gateway for further ransomware or malware. At least one victim had their MetaMask wallet compromised, according to security researchers.

Additionally, the hackers created realistic-looking phony employment profiles using artificial intelligence. “This network has a lot of phony employees and stolen photos of real people,” said Zach Edwards, senior threat analyst at Silent Push.

In certain instances, the attackers used artificial intelligence (AI) tools to alter genuine photographs of real people, producing marginally different images. This method makes it more difficult to identify the fraudulent profiles through reverse image searches.

Response of Law Enforcement

As part of a law enforcement operation against these North Korean cyber operators, the FBI has taken control of the Blocknovas domain.

The website was removed “as part of a law enforcement action against North Korean cyber actors who utilized this domain to deceive individuals with fake job postings and distribute malware,” according to a notice posted on the website.

While Blocknovas has been shut down, Silent Push claims that “Softglide is still live, along with some of their other infrastructure.”

Since the beginning of 2024, this malware campaign has been running. Some of the largest cyber thefts in the cryptocurrency field, such as the $600 million Ronin network hack and the $1.4 billion Bybit hack, are thought to have been committed by the Lazarus Group.

As per Blockonomi – In March, at least three cryptocurrency inventors stated that they had stopped suspected North Korean hackers from using phony Zoom calls to steal private information, demonstrating how these groups are constantly changing their strategies as security awareness rises.
