- UNK_DeadDrop targets developers with email-based fake job lures
- The campaign mirrors Lazarus tactics, but uses new standalone payloads
- Proofpoint says shift to mass phishing shows industrialized NK operations
Lazarus isn’t the only North Korean threat actor luring software developers with fake jobs – there’s also a hacker group called UNK_DeadDrop now doing something similar, but with notable differences.
Security researchers at Proofpoint published an in-depth report looking at an ongoing campaign not unlike Contagious Interview.
For those unfamiliar with Contagious Interview, it is one of two major Lazarus campaigns, the other being Operation DreamJob. The fraudsters would falsify everything – a company, its employees as well as projects, and then go to LinkedIn for a “hiring round”. They would reach out to software developers working in high-profile AI and Web 3 organizations and would offer high-paying jobs and a chance to work on exciting new projects.
Similarities and differences
However, the hiring process would include a trial task, which often required victims to run malicious code from GitHub. After infecting their target with infostealers, the crooks would gain access to company profiles, exfiltrate crypto wallet information, and then steal as many tokens as possible.
According to some sources, Lazarus alone was able to steal billions of dollars in crypto over the years.
While UNK_DeadDrop does more or less the same thing, its approach is somewhat different. Instead of using LinkedIn for initial contact, these attackers rely mostly on email. They don’t arrange fake interviews, but just send unsolicited job offers or code review requests. And finally, they use a new, standalone payload that differs from what was previously seen in Contagious Interview campaigns.
“UNK_DeadDrop activity suggests that North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Proofpoint’s researchers concluded.
“The shift from active social engineering across social media platforms to conducting mock interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations.”
Via The Register




