News
UNIT 42 research about North Korean Threat
November 2023 by Palo Alto Networks, l’Unit 42
Palo Alto Networks Unit 42 researchers issued research that reveals new evidence and insight to the ongoing efforts by North Korean threat actors. The research from Unit 42 builds on news from last month, providing new evidence and insight to the ongoing efforts by North Korean threat actors. The research explores two campaigns, “Contagious Interview” and “Wagemole,” that target job-seeking activities linked to state sponsors in North Korea.
The Unit 42 Research Highlights:
Campaign 1, Contagious Interview:
• North Korean threat actors are posing as employers, posting fictitious jobs, setting up interviews with software developers, and luring them to install malware during the interview process, to conduct theft for their sensitive data and financial information.
• Unit 42 found 2 new families of malware we named BeaverTail and InvisibleFerret. They are both cross-platform malware that can run on Windows, Linux and macOS to steal login credentials, credit card info stored in browsers, and cryptocurrency wallets
• This campaign is active.
Campaign 2, Wagemole:
• NK threat actors are seeking unauthorized employment with organizations based in the US and other parts of the world. The campaign represents an opportunity to embed insiders in targeted companies with potential for both financial gain and espionage. We found a trove of information from this campaign including:
• Resumes with different technical skill sets, multiple identities impersonating individuals from various nations, common job interview questions and answers, scripts for interviews, downloaded job postings from US companies, a scanned copy of a stolen US Permanent Resident Card.
• The tactics, techniques and procedures (TTPs) observed in both Contagious Interview and Wagemole align with previous activity attributed to North Korea state-sponsored APTs and remain a consistent threat.
