lazarusholic


From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West

2024-11-04, Zscaler
https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west
#BeaverTail #ContagiousInterview #InvisibleFerret #Wagemole

Contents

Introduction
In November 2023, a security vendor discovered that North Korean threat actors were using the Contagious Interview and WageMole campaigns to procure remote employment opportunities in Western countries, thus evading financial sanctions against North Korea (DPRK). The Contagious Interview campaign focuses on stealing data, while WageMole uses that stolen data, along with other social engineering techniques, to help these threat actors land remote jobs.
Zscaler ThreatLabz recently discovered how the threat actors have continued to update their Contagious Interview campaign tactics by improving the obfuscation of their scripts with advanced techniques and dynamic loading. The threat actors also expanded their arsenal by supporting both Windows and macOS application formats in their infection chains, while keeping their core capabilities intact. By monitoring the installed BeaverTail (JavaScript) and InvisibleFerret (Python) …

IoC

https://www.linkedin.com/in/logan-collins-374404306
https://www.linkedin.com/in/frank-schoneberg-a089832a4/
https://www.linkedin.com/in/adam-song05/