CTI Roundup: Multiple Cyber Threats from North Korean Groups and a Telegram Bot Phishing Scam
North Korean hackers pose as job seekers and recruiters, the Telekopye Telegram bot enables large-scale phishing scams, and DPRK-aligned threat actors target macOS in two campaigns
In this week’s roundup, CTI investigates two separate campaigns involving North Korean threat actors posing as job seekers and recruiters. Next is an update on the malicious Telegram bot known as Telekopye and its operators. Finally, CTI explores how North Korean-aligned threat actors recently carried out two large campaigns targeting macOS including RustBucket and KandyKorn.
1. Hackers pose as job seekers and recruiters
Researchers are linking North Korean threat actors to two campaigns where they pose as both job seekers and recruiters to distribute malware.
Here is a closer look at both campaigns.
The first campaign: Contagious Interview
In the first campaign, dubbed Contagious Interview, threat actors pose as employers and lure software developers into installing malware through the interview process. Palo Alto Networks' Unit 42 discovered related suspicious activity dating back to March 2023, with the campaign's infrastructure established as early as December 2022.
Based on the names of the malicious packages associated with this campaign, researchers believe the threat actor tends to impersonate legitimate artificial intelligence, cryptocurrency and NFT-related companies, or recruitment agencies.
After making contact, the threat actor invites the victim to an online interview. During the interview, they try to convince the victim to download and install an NPM package hosted on GitHub, likely presented as software to be reviewed or analyzed as part of the interview. The package contains the JavaScript of a newly discovered malware named BeaverTail, which infects the victim's host with a backdoor.
- BeaverTail malware is both an information stealer and a loader. It targets cryptocurrency wallets and credit card information that is stored in the web browser. It will also retrieve and run the next stage of the malware known as InvisibleFerret.
Because BeaverTail depends on the Node.js runtime, it does not execute on its own: the victim has to run it, which also helps it evade automated detection that never invokes Node.js. Once running on Windows, Linux, or macOS, it collects basic system information and searches for browser extensions associated with cryptocurrency wallets.
- InvisibleFerret is retrieved and executed by BeaverTail. It is cross-platform Python malware capable of fingerprinting the host, remote control, keylogging, data exfiltration, stealing browser data, and downloading the AnyDesk remote-access client.
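The lure in this campaign is a package the target is asked to install and run. A practical pre-install check, added here as an example and not part of the original article or Unit 42's research, is to audit a package.json for lifecycle scripts that execute on `npm install` and for dependencies that resolve to GitHub or arbitrary URLs instead of the npm registry. The package.json below is constructed for illustration; its names and URLs are not indicators from the article.

```python
"""Audit an npm package manifest before installing or running it.

Added example, not code from the article or from Unit 42. It flags two
things a reviewer wants to know before `npm install`: lifecycle scripts that
run automatically during install, and dependencies pulled from outside the
npm registry (GitHub shorthand, git+ URLs, plain http(s) URLs, local paths).
"""
import json
import re

# Hooks npm runs automatically during `npm install` of this package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specifiers that do not resolve through the npm registry:
# git+..., github:/gitlab:/bitbucket: shorthand, http(s) URLs, file: paths,
# and the bare "owner/repo" GitHub shorthand.
NON_REGISTRY = re.compile(
    r"^(?:git\+|github:|gitlab:|bitbucket:|https?://|file:|[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$)"
)

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def audit_package_json(text: str) -> list[str]:
    """Return human-readable findings for a package.json given as a string."""
    pkg = json.loads(text)
    findings = []
    scripts = pkg.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle script '{hook}' runs on install: {scripts[hook]}")
    for section in DEP_SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            if NON_REGISTRY.match(str(spec)):
                findings.append(f"{section}/{name} resolves outside the registry: {spec}")
    return findings


# Constructed manifest resembling an "interview task": a postinstall hook
# plus a dependency fetched straight from GitHub. Names are hypothetical.
SAMPLE_PACKAGE_JSON = """
{
  "name": "interview-task",
  "version": "1.0.0",
  "scripts": {
    "test": "node test.js",
    "postinstall": "node setup.js"
  },
  "dependencies": {
    "express": "^4.18.2",
    "helper-lib": "github:example-org/helper-lib"
  }
}
"""

# Constructed manifest with only registry dependencies and no install hooks.
CLEAN_PACKAGE_JSON = """
{
  "name": "plain-task",
  "version": "1.0.0",
  "scripts": { "test": "node test.js" },
  "dependencies": { "express": "^4.18.2" }
}
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_PACKAGE_JSON), ("clean", CLEAN_PACKAGE_JSON)):
        print(f"[{label}]")
        for finding in audit_package_json(manifest) or ["no findings"]:
            print("  -", finding)
```

A finding here is not proof of malice (plenty of legitimate packages use `postinstall` to build native modules), but it is exactly the point at which to stop and read the referenced script before running anything. Installing with `npm install --ignore-scripts` and then reading the code is the conservative path when the package came from an unsolicited contact.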
The second campaign: Wagemole
In the second campaign, the threat actors seek unauthorized employment with organizations for financial gain and espionage. This campaign, dubbed Wagemole, is believed to have started back in August 2022.
Researchers pivoted from GitHub infrastructure associated with the Contagious Interview campaign and discovered an entirely different repository on a separate account. It contained resumes with fake identities, frequently asked job interview questions and answers, self-introduction scripts, copies of IT job openings at U.S. companies, a scanned copy of a stolen U.S. Permanent Resident Card, and a list of unidentified seller contacts.
Each fake resume in the repository listed a different U.S. phone number, and some included links to a LinkedIn profile and/or GitHub content that is regularly maintained and carries a lengthy activity history. The fraudulent job seekers maintain multiple accounts across email providers, freelance websites, source code repositories, and job agency platforms.
Analyst comments from Tanium’s Cyber Threat Intelligence team
The Contagious Interview campaign aligns with many others carried out by North Korean-affiliated threat actors that imitate recruiters and attempt to infect job seekers with malware.
The latter campaign, however, flips the script: the threat actors themselves apply for and accept job offers at various companies. It is less technical, training operators in the basics of using a fake resume and answering interview questions well enough to land a legitimate job and then carry out espionage-related activity. Fake identities are an increasing concern on platforms like LinkedIn because a persona for remote work is so easy to fabricate.
2. Telekopye Telegram bot enables large-scale phishing scams
New details are available about Telekopye, a malicious Telegram bot that threat actors use to craft phishing emails, websites, SMS messages, and more.
The threat actors behind the operation, whom ESET codenamed Neanderthals, run it like a legitimate company, with a hierarchy of members taking on different roles.
How Neanderthals join a group
The Telekopye group recruits new Neanderthals with advertisements across various channels, including underground forums. The advertisements are very direct and state that the purpose of the hire is to scam online marketplace users.
Aspiring Neanderthals must fill out an application stating where they learned about Telekopye and what experience they have. Once approved, the Neanderthal can begin using Telekopye and joins two channels: a group chat where members communicate with each other and access rules and manuals, and a separate channel holding transaction logs.
Types of Telekopye scams
Telekopye supports three main scam scenarios: the seller scam, the buyer scam, and the refund scam.
- Seller scam: The Neanderthal poses as a seller and tries to trick users into buying and paying for a non-existent item. The victim receives a link to a phishing website created by Telekopye. The site mimics the payment page of the legitimate online marketplace but asks for online banking credentials, credit card details, or other sensitive information.
- Buyer scam: The Neanderthal poses as the buyer, shows interest in an item being sold, and claims to have already paid for it. They then send the seller emails or text messages generated by Telekopye with a link to a phishing site, claiming the link must be opened for the seller to receive their money from the platform. The rest of the scam mirrors the seller scam.
- Refund scam: The Neanderthal engineers a situation in which the seller expects a refund, then sends a phishing email linking to another phishing site that serves the same purpose as in the other scenarios. They either send this email to sellers they have not previously contacted, counting on them to collect a refund they are not owed, or combine it with the seller scam: when the buyer complains that the purchased item never arrived, the Neanderthal sends them refund phishing emails to scam them a second time.
Analyst comments from Tanium’s Cyber Threat Intelligence team
As ESET points out, online marketplace scams are likely not going away any time soon. This operation relies heavily on a Neanderthal’s ability to gain the trust of their victim before attempting to buy, sell, or refund items.
This businesslike setup is notable: the operation recruits only people qualified for the role, meaning those able to establish trust with victims in multiple languages.
3. DPRK-aligned threat actors target macOS in two campaigns
North Korean-aligned threat actors have carried out two large campaigns targeting macOS so far this year including RustBucket and KandyKorn. The threat actors now appear to be mixing and matching components from the two operations.
About RustBucket and KandyKorn
The original RustBucket campaign first appeared in April 2023 and used a second-stage malware known as SwiftLoader. Outwardly, SwiftLoader functioned as a PDF viewer for a lure document sent to targets; its real job was to retrieve and execute a further stage written in Rust.
The KandyKorn campaign was a much more elaborate multi-stage operation. It targeted blockchain engineers of a crypto exchange platform and used Python scripts to drop malware that hijacked the host’s installed Discord application. It also delivered a backdoor Remote Access Trojan (RAT) called KandyKorn.
Research from late October 2023 detailed a five-stage attack by DPRK-aligned threat actors. It began with social engineering that tricked Discord users into downloading a malicious Python application disguised as a cryptocurrency arbitrage bot. The app was delivered as Cross-Platform Bridges.zip and bundled several benign Python scripts alongside the malicious code.
Recent RustBucket activity
At first glance, RustBucket looks like an entirely separate campaign. It began with a first-stage AppleScript applet and a Swift-based application bundle called "Internal PDF Viewer.app", which used specially crafted PDFs to unlock code that downloaded a Rust-based payload. Several RustBucket variants have since been observed in the wild, along with several variants of the Swift-based stager, collectively dubbed SwiftLoader.
SwiftLoader’s connection to KandyKorn
Multiple versions of SwiftLoader have been observed in the wild. One is distributed in a lure called "crypto-assets and their risks for financial stability[.]app[.]zip". The application is signed and notarized by Apple, the bundle identifier is com.EdoneViewer, and the main executable is EdoneViewer. Notarization only means Apple's automated scan found nothing at submission time; it is not evidence the app is benign, and Gatekeeper will let a notarized app run without complaint. This version of SwiftLoader has some interesting overlaps with the KandyKorn operation.
Analysis of EdoneViewer shows it contains a hardcoded URL: the malware reaches out to a specific domain and drops a hidden executable at /users/shared/.pw. The KandyKorn Python script retrieved its next stage from a similar domain and dropped hidden files in a similar location, and a KandyKorn RAT variant was found with the same file name as a file SwiftLoader retrieved from its C2.
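Two of the details above are directly huntable on an endpoint: a hidden executable under /Users/Shared and an app bundle whose CFBundleIdentifier is com.EdoneViewer. The script below, added here as an example and not SentinelOne's or the article's code, implements both checks over a directory tree. Only the path pattern and the bundle identifier come from the article; to stay runnable offline it builds a temporary directory of constructed files (a fake Mach-O header, a constructed Info.plist) rather than touching the real /Users/Shared.

```python
"""Hunt for hidden executables and a watched bundle identifier under a directory.

Added example, not code from the article or from SentinelOne. Real use:
    python hunt.py /Users/Shared
The demo directory built by build_demo_dir() contains constructed files.
"""
import os
import plistlib
import stat
import sys
import tempfile
from pathlib import Path

# First four bytes of Mach-O thin and fat binaries as stored on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC, 32-bit, either byte order
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64, either byte order
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC (universal binary)
}

# Bundle identifier named in the SwiftLoader sample discussed above.
WATCHED_BUNDLE_IDS = {"com.EdoneViewer"}


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O magic value."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_hidden_executables(directory: str) -> list[dict]:
    """Return dot-files under directory that carry an exec bit or Mach-O magic."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.startswith("."):
                continue
            path = Path(root) / name
            try:
                st = path.lstat()
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            macho = is_macho(path)
            if executable or macho:
                hits.append({"path": str(path), "executable": executable, "macho": macho})
    return hits


def bundle_identifiers(directory: str) -> dict[str, str]:
    """Map each .app bundle under directory to its CFBundleIdentifier."""
    ids = {}
    for root, dirs, _files in os.walk(directory):
        for d in dirs:
            if not d.endswith(".app"):
                continue
            bundle = Path(root) / d
            try:
                with (bundle / "Contents" / "Info.plist").open("rb") as fh:
                    ids[str(bundle)] = str(plistlib.load(fh).get("CFBundleIdentifier", ""))
            except (OSError, plistlib.InvalidFileException):
                continue
    return ids


def build_demo_dir() -> str:
    """Create a constructed stand-in for /Users/Shared (not real malware)."""
    d = Path(tempfile.mkdtemp(prefix="shared-demo-"))
    (d / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")        # hidden, benign, no exec bit
    pw = d / ".pw"                                               # hidden, exec bit, fake Mach-O header
    pw.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    pw.chmod(0o755)
    tool = d / "tool"                                            # visible executable: not a hit
    tool.write_bytes(b"#!/bin/sh\n")
    tool.chmod(0o755)
    contents = d / "crypto-assets viewer.app" / "Contents"        # constructed bundle name
    contents.mkdir(parents=True)
    (contents / "Info.plist").write_bytes(plistlib.dumps(
        {"CFBundleIdentifier": "com.EdoneViewer", "CFBundleExecutable": "EdoneViewer"}))
    return str(d)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    for hit in find_hidden_executables(target):
        print("hidden executable:", hit)
    for bundle, ident in bundle_identifiers(target).items():
        flag = "  <-- watched" if ident in WATCHED_BUNDLE_IDS else ""
        print(f"bundle {bundle}: {ident}{flag}")
```

Hidden executables in a world-writable shared directory are rare on a managed Mac, so every hit deserves a look at the file's code signature and the process that wrote it; the bundle identifier check is only as good as the watch list, and a renamed bundle with a fresh identifier will sail past it.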
Analyst comments from Tanium’s Cyber Threat Intelligence team
SentinelOne's analysis connects two previously reported campaigns carried out by North Korean-aligned threat actors.
Their findings indicate that the threat actors are probably sharing RustBucket droppers and KandyKorn payloads. While the analysis does not reveal many new TTPs, it highlights how readily these actors reuse and combine tooling across campaigns, which reflects their overall maturity.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.