North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign
On December 28, 2024, @tayvano_ shared a great thread on X describing activity consistent with what is typically known as the “Contagious Interview” campaign conducted by North Korea-nexus threat actors. In the activity, victims were contacted via platforms such as LinkedIn and were offered a job interview. Victims were sent a link to sites impersonating the legitimate Willo candidate screening site. The fake sites eventually displayed a fake error and provided users with a malicious fix, such as the following command. The victims are lured into copying/pasting the command on their devices, triggering the download and installation of the payload. This type of activity has been very common in the cybercrime scene in the last year, typically leading to RATs, and lately to LummaC2 Stealer. The Contagious Interview activity, though, has a different intent. It is typically conducted to drain cryptocurrency wallets. There …
IoC