North Korean state-sponsored threat actors are once again setting up fake job interviews in a bid to infect unsuspecting victims with infostealing malware – but this time around, they are focusing on Apple users.
Cybersecurity researcher Patrick Wardle recently discovered a new variant of BeaverTail, a known infostealer capable of grabbing sensitive information from web browsers (including Google Chrome, Brave, and Opera), cryptocurrencies, login credentials, iCloud Keychain, and more. BeaverTail can also serve as a dropper, deploying the InvisibleFerret backdoor for persistent remote access.
The malware was given a filename “MiroTalk.dmg”, in an attempt to have people thinking they were downloading the MiroTalk video call service. DMG is an Apple macOS disk image file.
“Wily bunch”
“If I had to guess, the DPRK hackers likely approached their potential victims, requesting that they join a hiring meeting, by downloading and executing the (infected version of) MiroTalk hosted on mirotalk[.]net,” Wardle said.
This is not the first time North Korean hackers were observed running fake job campaigns. The infamous Lazarus group was seen doing it on multiple occasions, and at one point, it even managed to steal around $600 million from a cryptocurrency bridge project, after tricking a developer this way.
What makes this campaign interesting is that previously BeaverTail was distributed via malicious npm packages hosted on GitHub and npm.
“The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique often rely on social engineering (and thus from a technical point of view are rather unimpressive),” Wardle said.
In other words, the best way to remain secure is to be wary of incoming job offers, especially if they sound too good to be true. Whenever someone reaches out, either via LinkedIn or elsewhere, always do your due diligence and run a background check on the company that’s hiring and the people running the hiring process.
Via TheHackerNews
