Threat actors linked to North Korea, posing as Web3 recruiters, are targeting job seekers to install crypto-stealing malware on their devices.
The fraudsters are misleading the unassuming job applicants into downloading the corrupted software, under the guise of a video call application, to wreak havoc.
As initially detailed by cybersecurity firm Palo Alto’s Unit 42, the malware is sophisticated enough to penetrate 13 different crypto wallets, including BNB Chain, Crypto.com, Exodus, MetaMask, Phantom, and TronLink.
It has been claimed the perpetrators are likely carrying out the actions on behalf of the authorities in North Korea, with the proceeds supporting Kim Jong Un’s regime. Last month, the FBI reported North Korea was aggressively similarly targeting crypto businesses.
The report from Unit 42 stated the novel variant of a previously detected version of malware is able to target both Windows and macOS.
The researchers first detailed the ‘contagious interview campaign’ back in November 2023, observing continued activity from the threat actors over the last year, including code updates to two types of malware used in the attack.
They are the BeaverTail downloader and the InvisibleFerret backdoor.
The former is the initial malware infostealer, executing its malicious code in the background without any visible trace.
How does the Web3 scam, malware attack work?
Beware of a rising scam targeting blockchain and web3 developers with fake job offers.
Scammers lure with great opportunities, have you download code, and infect your system with malware hidden in the files.
Learn more and stay safe:https://t.co/TffAoWALeB pic.twitter.com/E7B8xhFXaP
— chrisdior.eth (@chrisdior777) October 9, 2024
The attackers set the trap by purporting to be Web3 recruiters. What they want is to gain access to the devices of job seekers in the tech industry, particularly those believed to have substantial crypto holdings.
The scammers hone in on software developers through job search platforms, before inviting them to an online interview. Next, they strive to convince the target to download and install the malware, under the pretense of a video call app.
If they are duped, the malicious code will quietly get to work in the background, quickly penetrating crypto wallets to steal the assets.
There have been many warnings posted online about this form of fraud and social engineering, including an article posted to Medium.
The author, known as Hainer, advised the malicious campaigns “aim to infect, steal information and cryptocurrencies from people, particularly developer accounts in the cryptocurrency, blockchain, cybersecurity, and online gambling domains.”
“Onder Kayabasi” was the name of the account that contacted the author on LinkedIn, and although that profile is no longer available, a user account of the same name is still visible on Elon Musk’s X social media platform.
Image credit: Via Ideogram
The post Fake Web3 recruiters, linked to North Korea, installing crypto-stealing malware appeared first on ReadWrite.
