Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware
Executive Summary
Unit 42 has tracked activity from threat actors associated with the Democratic People’s Republic of Korea (DPRK), who pose as recruiters to install malware on the devices of tech industry job seekers. We call this activity the CL-STA-240 Contagious Interview campaign, and we first published about it in November 2023. Since that publication, we’ve observed additional online activity from the fake recruiters, as well as code updates to two pieces of malware associated with the campaign: the BeaverTail downloader and the InvisibleFerret backdoor.
The BeaverTail malware associated with this campaign has been compiled using the Qt framework as early as July 2024. We have observed multiple samples of BeaverTail that are compiled for both macOS and Windows platforms. In addition, we observed continuous code updates to the InvisibleFerret backdoor delivered by the BeaverTail downloader.
In this article, we will discuss the online activity of fake recruiters and technical details of the campaign, …
IoC