DPRK's Willo Impersonation Campaign
Who is Contagious Interview?
Contagious Interview is a DPRK-affiliated threat actor that has been tracked since December 2022. The group is associated with using “skills tests” during fake job interview processes (hence the name), or offers of freelance development work, to socially engineer victims working in the cryptocurrency industry into installing BeaverTail infostealer malware on their devices. The malicious JavaScript/Node.js code has typically been delivered to the victim via GitHub or Bitbucket, or as a .zip file sent directly or shared through GDrive.
The malware itself is primarily used to target any cryptoassets possible - typically any active browser or desktop wallets on the infected device are drained shortly after install. The BeaverTail malware also acts as a loader for a second malicious payload, often backdoor malware known as InvisibleFerret, which is used to further compromise the victim’s device and allow further payloads to be delivered in the future as required. The attackers will then look to …
IoC