Unit 42 researchers uncovered two North Korea–linked campaigns targeting job seekers: Contagious Interview, which lures developers via fake interviews to install malware, and Wagemole, which uses forged identities to seek remote employment. The campaigns introduced two cross-platform malware families, BeaverTail and InvisibleFerret, and researchers provide recommendations for applicants and employers. #BeaverTail #InvisibleFerret
Key points
- Two North Korea–linked campaigns target job seekers: Contagious Interview (CL-STA-0240) and Wagemole (CL-STA-0241), with different confidence levels.
- Contagious Interview lures developers via fake job interviews and GitHub-hosted NPM packages that install backdoor malware.
- BeaverTail is a JavaScript-based loader/information stealer delivered in NPM packages; it hides in Node.js environments and downloads the next stage (InvisibleFerret).
- InvisibleFerret is a cross-platform Python backdoor that provides fingerprinting, remote control, keylogging, and browser-wallet data theft, with additional modules including delivery of AnyDesk.
- Wagemole collects fake resumes and interview scripts, found in exposed GitHub data, to obtain remote IT roles, potentially routing wages to fund North Korea's weapons programs.
- BeaverTail and InvisibleFerret communicate with a C2 over JSON/TCP, with a structured command set, and exfiltrate data like wallet data and system info to the C2 server.
- Attribution links both campaigns to North Korea state-sponsored threat actors; high confidence for Wagemole, moderate confidence for Contagious Interview; both ongoing threats.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The threat actor delivers a malicious NPM package hosted on GitHub that the victim is instructed to install during the online interview. “During the interview, the threat actor convinces the victim to download and install an NPM-based package hosted on GitHub.”
- [T1059.007] JavaScript – BeaverTail is JavaScript-based malware hidden inside Node Package Manager (NPM) packages.
- [T1027] Obfuscated/Compressed Files and Information – The BeaverTail JavaScript file inside the NPM package is heavily obfuscated to evade detection.
- [T1059.006] Python – InvisibleFerret is a cross-platform Python backdoor retrieved and executed by the BeaverTail NPM packages.
- [T1555.003] Credentials from Web Browsers – InvisibleFerret can steal browser data and credentials, including browser wallet information.
- [T1071.001] Web Protocols – C2 communications occur over HTTP/TCP with JSON messages exchanged between the infected host and the C2 server.
- [T1041] Exfiltration Over C2 Channel – Data such as wallet data and system information is exfiltrated to the C2 server via HTTP POST requests.
Indicators of Compromise
- [Hash] BeaverTail files – 09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86, 0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1, and 2 more hashes
- [Hash] DLLs downloaded by BeaverTail – da6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc, 2d8a5b637a95de3b709780898b7c3957f93d72806e87302f50c40fe850471a44, and 1 more hash
- [Hash] InvisibleFerret files – 35434e903bc3be183fa07b9e99d49c0b0b3d8cf6cbd383518e9a9d753d25b672, 305de20b24e2662d47f06f16a5998ef933a5f8e92f9ecadf82129b484769bbac, and 1 more hash
- [Domain] Contagious Interview domain – blocktestingto[.]com
- [IP] Contagious Interview IPs – 144.172.74[.]48, 144.172.79[.]23, and 2 more IPs
- [Browser Extension ID] Wallet-related extensions observed – fhbohimaelbohpjbbldcngcnapndodjp, aeachknmefphepccionboohckonoeemg, and 1 more
- [File] Suspicious GitHub file – ServiceWorker.js
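A defender-side check that turns the indicators above into a scan of an NPM package directory is added here as an example; it is not Unit 42's code or tooling. It flags lifecycle install scripts (the mechanism BeaverTail rides in on), compares every file's SHA-256 against the hashes listed on this page, and looks for the refanged domain and IPs inside package files. Only the indicators printed above are used; the hashes and addresses elided as "and N more" are not. The sample package it builds is constructed for the demonstration and contains no malicious code.

```python
import hashlib
import json
import os
import tempfile

# SHA-256 values listed on this page (BeaverTail, its downloaded DLLs, InvisibleFerret).
KNOWN_SHA256 = {
    "09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86",
    "0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1",
    "da6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc",
    "2d8a5b637a95de3b709780898b7c3957f93d72806e87302f50c40fe850471a44",
    "35434e903bc3be183fa07b9e99d49c0b0b3d8cf6cbd383518e9a9d753d25b672",
    "305de20b24e2662d47f06f16a5998ef933a5f8e92f9ecadf82129b484769bbac",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a matchable string."""
    return indicator.replace("[.]", ".")


# Network indicators listed on this page, stored defanged and refanged for matching.
KNOWN_NETWORK = {refang(i) for i in ("blocktestingto[.]com", "144.172.74[.]48", "144.172.79[.]23")}

# npm runs these scripts automatically on install, which is how a package can execute code
# before any of its exported functions are ever called.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_package(pkg_dir: str, known_hashes=KNOWN_SHA256, known_network=KNOWN_NETWORK) -> list:
    """Return a list of findings for one package directory (assumed layout: package.json at its root)."""
    findings = []
    manifest = os.path.join(pkg_dir, "package.json")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {}) or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append({"kind": "lifecycle_script", "detail": f"{hook}: {scripts[hook]}"})
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            path = os.path.join(root, name)
            if sha256_file(path) in known_hashes:
                findings.append({"kind": "hash_match", "detail": path})
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for ioc in known_network:
                if ioc in text:
                    findings.append({"kind": "network_indicator", "detail": f"{ioc} in {path}"})
    return findings


def build_sample_package() -> tuple:
    """Constructed sample for the demonstration: a postinstall hook and a file naming the page's domain."""
    pkg_dir = tempfile.mkdtemp(prefix="sample-pkg-")
    js_path = os.path.join(pkg_dir, "ServiceWorker.js")
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "constructed-sample", "scripts": {"postinstall": "node ServiceWorker.js"}}, fh)
    with open(js_path, "w", encoding="utf-8") as fh:
        fh.write("// constructed placeholder, not malware\nconst host = 'blocktestingto.com';\n")
    return pkg_dir, js_path


if __name__ == "__main__":
    sample_dir, _ = build_sample_package()
    for finding in scan_package(sample_dir):
        print(f"{finding['kind']:18} {finding['detail']}")
```

Run it against `node_modules/<package>` (or an unpacked tarball) before installing anything a recruiter hands you; a lifecycle hook alone is not proof of malice, but combined with a hash or network match it is a strong signal worth escalating.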