North Korean hackers, specifically the state-sponsored group Lazarus, have escalated their tactics by employing more sophisticated and deceptive methods. According to a report by a cybersecurity firm, the group has established fake US-based crypto companies to distribute malware under the guise of job opportunities.
The report highlights that a subgroup of Lazarus, known as “Contagious Interview,” is responsible for registering three fraudulent crypto consulting firms: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. These companies are designed to appear as legitimate entities within the blockchain industry, aiming to attract developers through fake job interviews.
Zach Edwards, a senior threat analyst, noted that while Lazarus has previously used job interview lures, this latest campaign represents the most advanced version yet. Edwards stated, “They have now crossed the rubicon – they are willing to register a fake business and go through all the supposed KYC checks involved with that process, and were successful in the effort.”
The fake interview process typically begins with a request for an introductory video. When applicants encounter an error while trying to upload the video, they are provided with a quick-fix solution involving a copy-and-paste command. Unbeknownst to the applicants, this command secretly delivers malware to their devices. Edwards explained, “During the job application process an error message is displayed as someone tries to record an introduction video and the ‘solution’ is an easy ‘click fix’ copy and paste trick, which leads to malware if the unsuspecting developer completes the process.”
The malware used in this campaign includes three distinct strains: BeaverTail, InvisibleFerret, and OtterCookie. These tools enable hackers to gain remote access to victims’ devices and extract sensitive information. To further obscure their activities, the attackers utilize services like Astrill VPN and residential proxies, making their infrastructure challenging to trace.
In addition to malware, the North Korean attackers leverage AI-generated identities to carry out their activities. The cybersecurity firm discovered that the threat actors use AI tools like Remaker AI to create fake employee photos. In some cases, they alter real images to produce deceptive profiles that appear nearly authentic. Edwards noted, “There are numerous fake employees and stolen images from real people being used across this network…In one of the [cases], the threat actors took a real photo from a real person, and then appeared to have run it through an ‘AI image modifier tool’ to create a subtly different version of that same image.”
This evolution in cybercrime targeting the crypto space is alarming. The combination of malware, social engineering, and AI-generated identities indicates a growing threat. Edwards concluded, “This investigation is a perfect example of what happens when threat actors continue to uplevel their efforts one campaign after the next, without facing justice.”
