A North Korea-linked campaign used staged job interviews to deploy the InvisibleFerret malware targeting sectors related to technology, finance and cryptocurrency.
The tactic, termed “Contagious Interview” or “DevPopper”, lures software developers with what appears to be a genuine job interview while embedding malicious payloads in coding challenges, dependencies, and video call software. The campaign is an organised effort by North Korea-linked threat actors to compromise high-value targets.
Security researcher Mauro Eldritch from ANY.RUN published a technical analysis of the malware used in the staged job interviews, InvisibleFerret and BeaverTail. The malware infiltrates the victim’s system and exfiltrates sensitive data. The same technique was previously used to spread QRLog and Docks/RustDoor.
“These malicious components do not simply appear randomly among the files of questionable pirated software, lying in wait for their victim. Instead, they are part of an organized effort targeting the technological, financial, and cryptocurrency sectors, with developers as the primary focus,” Eldritch said.
BeaverTail is JavaScript-based malware distributed as an NPM module and used in the first stage of the attack. It downloads a custom Python environment (p.zip) and runs the second-stage, Python-based malware, InvisibleFerret, which has more advanced capabilities.
InvisibleFerret looks for user credentials, cryptocurrency wallets, source code, and other sensitive data. It searches browser data, the clipboard, and file directories including Documents and Downloads. It exfiltrates data over FTP and encrypted connections, while files that do not match particular extensions are obfuscated with XOR using a hardcoded key.
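Repeating-key XOR with a hardcoded key is reversible by anyone who has the key, and the key itself is recoverable from a sample whenever the original file's opening bytes are known (a format magic, a shebang, a license header). The following is an added example written for this article, not code from the ANY.RUN report or the malware; the key, the sample file and the known prefix are all constructed placeholders, since the real hardcoded key is not given on the page.

```python
"""Added example (not from the ANY.RUN report): undoing repeating-key XOR obfuscation."""
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same call
    obfuscates and recovers."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(obfuscated: bytes, known_prefix: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Recover a repeating XOR key from an obfuscated file whose original leading bytes
    are known. Tries key lengths from 1 upward; the known prefix must be longer than the
    true key so that at least one byte beyond the key length checks the candidate (the
    more known bytes, the lower the false-positive chance). Returns None if nothing fits."""
    usable = min(max_key_len, len(known_prefix) - 1, len(obfuscated))
    for key_len in range(1, usable + 1):
        # Each key byte is plaintext XOR ciphertext at that position
        candidate = bytes(p ^ c for p, c in zip(known_prefix[:key_len], obfuscated[:key_len]))
        # A correct key must reproduce the whole known prefix, not just its first key_len bytes
        if xor_bytes(obfuscated[: len(known_prefix)], candidate) == known_prefix:
            return candidate
    return None


# Constructed sample: a fake wallet-config-like file and a placeholder key
# (the real hardcoded key is not given on the page)
SAMPLE_PLAINTEXT = b'{"wallet": "example", "note": "constructed sample, not real data"}'
PLACEHOLDER_KEY = b"placeholder"


def demo() -> bytes:
    """Obfuscate the sample, recover the key from the known JSON opening, and decode."""
    obfuscated = xor_bytes(SAMPLE_PLAINTEXT, PLACEHOLDER_KEY)
    key = recover_key(obfuscated, b'{"wallet": "')  # 12 known bytes, key is 11 long
    assert key == PLACEHOLDER_KEY
    return xor_bytes(obfuscated, key)


if __name__ == "__main__":
    print(demo().decode())
```

In an investigation the known prefix comes from the file type the analyst expects (the magic of a ZIP, PNG or PDF, or the first line of a source file the victim is known to have had), and a recovered key can then be applied to every other file staged for exfiltration.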
The malware uses legitimate APIs such as ip-api.com for system profiling. It runs routines to extract data from the browser and its extensions, putting user profiles, browsing history, passwords and cookies at risk.
The malware can access and steal data from browser extensions linked to crypto wallets and password managers. It persists on the infected system without detection by downloading and running legitimate software such as AnyDesk. It also uses Telegram as an additional data channel, sending the victim’s data to the attacker through the platform’s Bot API.
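The behaviours described above (an ip-api.com profiling lookup, Telegram Bot API calls, FTP connections and an AnyDesk download from the same host) are all visible in outbound proxy logs. The following is an added example written for this article, not code from ANY.RUN or the report; the five-field log format and the sample lines are constructed, and the bot token in them is a placeholder.

```python
"""Added example (not from the ANY.RUN report): flagging the network behaviours the
article attributes to InvisibleFerret in outbound proxy logs."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample log; the five-field layout (timestamp, client IP, process name,
# method, URL) is an assumption, not the format of any particular proxy product.
SAMPLE_LOG = """\
2025-01-22T10:01:02Z 10.0.0.5 python.exe GET http://ip-api.com/json/
2025-01-22T10:01:09Z 10.0.0.5 python.exe POST https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendDocument
2025-01-22T10:02:30Z 10.0.0.5 python.exe GET https://download.anydesk.com/AnyDesk.exe
2025-01-22T10:03:00Z 10.0.0.5 python.exe CONNECT ftp://203.0.113.10:21/
2025-01-22T10:05:00Z 10.0.0.7 chrome.exe GET https://example.org/
garbage line
"""

TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>\w+)")


@dataclass
class Finding:
    ts: str
    client: str
    process: str
    indicator: str
    detail: str


def classify(url: str) -> Optional[Tuple[str, str]]:
    """Map one URL to an (indicator, detail) pair, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "ip-api.com":
        return ("profiling", "system/geolocation lookup via ip-api.com")
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(parts.path)
        if m:
            # Keep only a stub of the bot token in the report: it is a credential
            token_stub = m.group("token")[:4] + "..."
            return ("exfil-telegram", f"Bot API {m.group('method')} call, token {token_stub}")
    if parts.scheme == "ftp":
        return ("exfil-ftp", f"FTP connection to {host}")
    if host == "anydesk.com" or host.endswith(".anydesk.com"):
        return ("remote-access-tool", "AnyDesk download")
    return None


def scan(log_text: str) -> List[Finding]:
    """Parse the constructed log format and return one Finding per matching line."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=4)
        if len(fields) != 5:
            continue  # malformed line, skipped
        ts, client, process, _method, url = fields
        hit = classify(url)
        if hit:
            findings.append(Finding(ts, client, process, *hit))
    return findings


def correlate(findings: List[Finding], min_distinct: int = 2) -> Dict[str, Set[str]]:
    """Group findings by client and keep clients showing at least min_distinct different
    indicators. A lone ip-api.com lookup is common and noisy; profiling followed by a
    Telegram bot upload or FTP from the same host is the combination worth an alert."""
    by_client: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        by_client[f.client].add(f.indicator)
    return {c: inds for c, inds in by_client.items() if len(inds) >= min_distinct}


if __name__ == "__main__":
    for client, indicators in correlate(scan(SAMPLE_LOG)).items():
        print(client, sorted(indicators))
```

The correlation step is what keeps the rule usable: individually, each indicator has benign explanations (geolocation lookups, legitimate Telegram bots, an IT-approved AnyDesk install), but several of them from one host within minutes, from a Python process rather than a browser, match the chain the article describes.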
The attack chain of InvisibleFerret was analysed in the ANY.RUN interactive malware analysis platform. At the end of the sequence, the malware connects to command-and-control (C2) servers to send the collected data to the threat actor. The researchers recommend verifying the authenticity of a job interview when asked to download software or complete a coding test, and avoiding downloading and installing software from unknown sources on company equipment.