North Korean Hackers Pose as Job Recruiters and Job Seekers in Malware Attacks

admin, 2023-11-23 17:23:42


North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world.



The activity clusters have been codenamed Contagious Interview and Wagemole, respectively, by Palo Alto Networks Unit 42.



While the first set of attacks aims to "infect software developers with malware through a fictitious job interview," the latter is designed for financial gain and espionage.



"The first campaign's objective is likely cryptocurrency theft and using compromised targets as a staging environment for additional attacks," the cybersecurity company said.



The fraudulent job-seeking activity, on the other hand, involves the use of a GitHub repository to host resumes with forged identities that impersonate individuals of various nationalities.



The Contagious Interview attacks pave the way for two hitherto undocumented cross-platform malware families named BeaverTail and InvisibleFerret that can run on Windows, Linux, and macOS systems.


It's worth noting that the intrusion set shares tactical overlaps with previously reported North Korean threat activity dubbed Operation Dream Job, which involves approaching employees with potential job offers and tricking them into downloading a malicious npm package hosted on GitHub as part of an online interview.



"The threat actor likely presents the package to the victim as software to review or analyze, but it actually contains malicious JavaScript designed to infect the victim's host with backdoor malware," Unit 42 said.

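The package Unit 42 describes is handed to the developer as code to review, so the practical check is to triage it statically before `npm install` gets a chance to run its lifecycle hooks. The script below is an added example written for this page; it is not code from the article, from Unit 42, or from any of the malware families named here, and it does not detect BeaverTail specifically. It parses a constructed package.json and a constructed setup.js (both made up for illustration) and flags the generic traits the article describes: install-time hooks, `child_process` use, `eval`, and long base64 literals. The rule labels are my own names, not signatures.

```python
import json
import re

# Lifecycle scripts that npm runs automatically during `npm install`
# (prepare runs on a local install with no arguments).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns for code that executes or decodes something at load time.
# The labels are illustrative (my own), not malware signatures.
SUSPICIOUS_JS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{20,}={0,2}['\"]"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


def audit_package_json(text):
    """Return findings for install-time hooks declared in package.json."""
    findings = []
    manifest = json.loads(text)
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(
                f"package.json: {hook} hook runs `{scripts[hook]}` on npm install"
            )
    return findings


def audit_js(path, text):
    """Return findings for suspicious constructs in one JavaScript file."""
    findings = []
    for label, pattern in SUSPICIOUS_JS.items():
        for match in pattern.finditer(text):
            # Line number of the match, for the reviewer to jump to.
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append(f"{path}:{line_no}: {label}")
    return findings


def triage(package_json, js_files):
    """Audit a package; js_files maps file path -> contents. Returns all findings."""
    findings = audit_package_json(package_json)
    for path, text in js_files.items():
        findings.extend(audit_js(path, text))
    return findings


# Constructed sample package (not a real repository): a "take-home task" whose
# preinstall hook runs setup.js, which base64-decodes a string and eval()s it.
SAMPLE_PACKAGE_JSON = """{
  "name": "interview-take-home-task",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "node setup.js",
    "test": "jest"
  },
  "dependencies": { "express": "^4.18.2" }
}"""

# The base64 string decodes to the harmless text "echo constructed".
SAMPLE_SETUP_JS = (
    'const cp = require("child_process");\n'
    'const payload = Buffer.from("ZWNobyBjb25zdHJ1Y3RlZA==", "base64").toString();\n'
    'eval(payload);\n'
)

if __name__ == "__main__":
    for line in triage(SAMPLE_PACKAGE_JSON, {"setup.js": SAMPLE_SETUP_JS}):
        print(line)
```

Run it on an unpacked repository by feeding the real package.json and every `.js` file into `triage`; a package with no install hooks and no hits returns an empty list. This is a first pass only: it does not resolve dependencies, which can carry their own hooks, and a package that only needs `node index.js` to be run by the "interviewer" still executes whatever it wants, so review in a disposable VM regardless of the result.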


BeaverTail, the JavaScript implant, is a stealer and a loader that comes with capabilities to steal sensitive information from web browsers and crypto wallets, and deliver additional payloads, including InvisibleFerret, a Python-based backdoor with fingerprinting, remote control, keylogging, and data exfiltration features.



InvisibleFerret is also designed to download the AnyDesk client from an actor-controlled server for remote access.



Earlier this month, Microsoft warned that the infamous Lazarus Group sub-cluster referred to as Sapphire Sleet (aka BlueNoroff) has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns.



This is not the first time North Korean threat actors have abused bogus modules in npm and PyPI. In late June and July 2023, Phylum and GitHub detailed a social engineering campaign targeting the personal accounts of employees working in technology firms with the goal of installing a counterfeit npm package under the guise of collaborating on a GitHub project.



The attacks have been attributed to another cluster known as Jade Sleet, which is also called TraderTraitor and UNC4899, and has since been implicated in the JumpCloud hack that took place around the same time.



The discovery of Wagemole echoes a recent advisory from the U.S. government, which disclosed North Korea's subterfuge to evade sanctions by dispatching highly skilled IT workers who obtain employment at companies around the world and funnel their wages back to fund the country's weapons programs.


"Some resumes include links to a LinkedIn profile and links to GitHub content," the cybersecurity company said.



"These GitHub accounts appear well maintained and have a lengthy activity history. These accounts indicate frequent code updates and socialization with other developers. As a result, these GitHub accounts are nearly indistinguishable from legitimate accounts."



"We would create 20 to 50 fake profiles a year until we were hired," a North Korean IT worker who recently defected was quoted as saying to Reuters, which also shared details of the Wagemole campaign.



The development comes as North Korea claimed that it has successfully put a military spy satellite into space, after two unsuccessful attempts in May and August of this year.



It also follows a new attack campaign orchestrated by the North Korea-linked Andariel group, another subordinate element within Lazarus, to deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as via supply chain attacks using a South Korean asset management software product.


"Software developers are often the weakest link for supply chain attacks, and fraudulent job offers are an ongoing concern, so we expect continued activity from Contagious Interview," Unit 42 said. "Furthermore, Wagemole represents an opportunity to embed insiders in targeted companies."


Originally published on the WeChat official account 知机安全 under the title 朝鲜黑客假扮成招聘者和求职者进行恶意软件攻击.

Posted by admin on 2023-11-23 17:23:42. Source: CN-SEC中文网, http://cn-sec.com/archives/2232737.html (keep this link when reposting).
