- UNK_DeadDrop targets developers with fake job lures via email
- Campaign mirrors Lazarus tactics but uses new autonomous payloads
- Proofpoint says shift to mass phishing shows industrialization of NK operations
Lazarus is not the only North Korean threat actor luring software developers with fake jobs. A hacker group called UNK_DeadDrop is now doing something similar, but with notable differences.
Security researchers at Proofpoint have released an in-depth report on an ongoing campaign reminiscent of Contagious Interview.
For those unfamiliar with Contagious Interview, this is one of two major Lazarus campaigns, the second being Operation DreamJob. The scammers would fake everything: a company, its employees, and projects, then go to LinkedIn for a “hiring spree.” They would target software developers working at leading AI and Web 3 organizations, offering well-paying jobs and the opportunity to work on exciting new projects.
Similarities and differences
The hiring process, however, would include a trial assignment, which often required victims to run malicious code from GitHub. After infecting their targets with information stealers, the scammers would access business profiles, exfiltrate information from the victims' crypto wallets, and then steal as many tokens as possible.
According to some sources, Lazarus alone was able to steal billions of dollars in crypto over the years.
Although UNK_DeadDrop does more or less the same thing, its approach is somewhat different. Instead of using LinkedIn for the first contact, these attackers rely primarily on email. They don’t set up fake interviews, but just send unsolicited job offers or code review requests. And finally, they use a new standalone payload, distinct from what was previously seen in the Contagious Interview campaigns.
“UNK_DeadDrop activity suggests that North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Proofpoint researchers concluded.
“The shift from active social engineering on social media platforms to conduct fake interviews to large recruitment-themed phishing email campaigns distributing links to malicious repositories could indicate that an actor is industrializing and expanding its operations.”
Via The Register





