A previously undocumented backdoor called AkdoorTea, along with tools such as TsunamiKit and Tropidoor, has been attributed to the North Korea-linked threat actors behind the Contagious Interview campaign.

Slovak cybersecurity firm ESET, which tracks the activity under the name DeceptiveDevelopment, said the campaign targets software developers on Windows, Linux, and macOS, particularly those working on cryptocurrency and Web3 projects. The same cluster is also tracked as DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

“DeceptiveDevelopment’s toolset is mostly multi-platform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET,” ESET researchers Peter Kálnai and Matěj Havránek said in a report shared with The Hacker News.

The campaign centers on attackers posing as recruiters who offer what appear to be lucrative job roles over platforms such as LinkedIn, Upwork, Freelancer, and Crypto Jobs List. If the prospective target expresses interest after the initial outreach, they are asked either to complete a video assessment by clicking a link or to finish a coding exercise.

The programming assignment requires them to clone projects hosted on GitHub that silently install malware when set up. The websites built for the so-called video assessment, on the other hand, display fake errors claiming that camera or microphone access is blocked, and urge the victim to follow ClickFix-style instructions to "fix" the problem by running commands in the Command Prompt or the Terminal app, depending on the operating system.
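The "coding exercise" lure works because package managers run lifecycle hooks and the cloned code runs obfuscated loaders automatically. The following added example (not ESET's code and not part of the original article) is a pre-install audit a defender can run over a cloned repository before executing anything in it. It assumes an npm-style project layout with a `package.json`; the hook names are real npm lifecycle scripts, the regex heuristics are the author's own indicators for obfuscated loaders, and the sample project embedded below is constructed for illustration, not taken from the campaign.

```python
import json
import re
from pathlib import Path

# npm runs these scripts automatically during `npm install`, so a booby-trapped
# "interview task" only needs one of them to execute a loader on setup.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators of obfuscated JavaScript/Python loaders (constructed by
# the author of this example; a hit warrants review, it is not proof of malice).
SUSPICIOUS_PATTERNS = {
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "dynamic-eval": re.compile(r"\b(eval|exec|Function)\s*\("),
    "child-process": re.compile(r"child_process|subprocess"),
    "hex-escaped-string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}


def audit_files(files):
    """files: {relative path: file text}. Returns a list of human-readable findings."""
    findings = []
    pkg = files.get("package.json")
    if pkg is not None:
        try:
            scripts = json.loads(pkg).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
            findings.append("package.json: not valid JSON")
        for hook in NPM_LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(
                    f"package.json: lifecycle hook '{hook}' runs: {scripts[hook]}"
                )
    for path, text in files.items():
        if not path.endswith((".js", ".mjs", ".cjs", ".py")):
            continue
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                findings.append(f"{path}: {name}")
    return findings


def audit_directory(root):
    """Read a cloned repository from disk (skipping node_modules/.git) and audit it."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if p.is_file() and "node_modules" not in p.parts and ".git" not in p.parts:
            try:
                files[p.relative_to(root).as_posix()] = p.read_text(errors="ignore")
            except OSError:
                pass
    return audit_files(files)


# Constructed sample project so the script runs stand-alone; the postinstall
# hook and the base64/eval loader mimic the pattern, not any real sample.
SAMPLE_PROJECT = {
    "package.json": json.dumps({
        "name": "interview-task",
        "scripts": {"test": "jest", "postinstall": "node lib/setup.js"},
    }),
    "lib/setup.js": (
        "const cp = require('child_process');\n"
        "const payload = '" + "QUJD" * 60 + "';\n"
        "eval(Buffer.from(payload, 'base64').toString());\n"
    ),
    "src/index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for finding in audit_files(SAMPLE_PROJECT):
        print("FINDING:", finding)
```

Run `audit_directory("/path/to/clone")` on a freshly cloned task before `npm install`; the point is to surface install-time hooks and loader-like files while nothing has executed yet. The same check belongs in a sandbox or disposable VM policy rather than on a developer's primary workstation.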

Whichever lure is used, the attacks generally deliver several pieces of malware, including BeaverTail, InvisibleFerret, OtterCookie, GolangGhost (aka FlexibleFerret or WeaselStore), and PylangGhost.


“WeaselStore’s functionality is quite similar to both BeaverTail and InvisibleFerret, with the main focus being exfiltration of sensitive data from browsers and cryptocurrency wallets,” ESET said. “Once the data has been exfiltrated, WeaselStore, unlike traditional infostealers, continues to communicate with its C&C server, serving as a RAT capable of executing various commands.”

Also deployed in these infection chains are TsunamiKit, PostNapTea, and Tropidoor. TsunamiKit is a malware toolkit delivered by InvisibleFerret and designed for information and cryptocurrency theft; its use was first observed in November 2024.

The toolkit comprises several components. The starting point is the initial stage, TsunamiLoader, which triggers execution of an injector (TsunamiInjector) that in turn drops TsunamiInstaller and TsunamiHardener.

While TsunamiInstaller acts as a dropper of TsunamiClientInstaller that then downloads and executes TsunamiClient, TsunamiHardener is responsible for…


Last Update: September 25, 2025