Cybercriminals, under the guise of recruiters, have targeted freelance software developers in a deceptive malware campaign named DeceptiveDevelopment. This campaign, linked to North Korea, has been promoting fake job offers that lead to the installation of malware during the application process. The operators primarily utilize two malware families — BeaverTail and InvisibleFerret — to steal sensitive information and cryptocurrency. Affected: software developers, cryptocurrency users, job-hunting platforms
Keypoints :
- Cybercriminals pose as recruiters to entice freelance software developers through fake job offers.
- The campaign’s operators use malicious coding tests hosted on platforms like GitHub to distribute malware.
- The primary threat actors are linked to North Korea and target victims globally, without geographical limitations.
- Two malware families — BeaverTail and InvisibleFerret — are used to steal sensitive information like cryptocurrency wallets and browser logins.
- Job-hunting platforms such as LinkedIn and Upwork are common channels for these attacks.
MITRE Techniques :
- Resource Development: T1583.003 – Acquire Infrastructure: Virtual Private Server: The attackers rent out infrastructure for C&C and staging servers.
- Initial Access: T1566.003 – Phishing: Spearphishing via Service: Spearphishing via job-hunting and freelancing platforms.
- Execution: T1059.006 – Command-Line Interface: Python: InvisibleFerret is executed via Python.
- Persistence: T1133 – External Remote Services: Persistent access is achieved by installing AnyDesk.
- Credential Access: T1555.001 – Credentials from Password Stores: Keychain data is exfiltrated using both malware families.
Indicator of Compromise :
- [SHA-1] 48E75D6E2BDB2B00ECBF4801A98F96732E397858
- [SHA-1] EC8B6A0A7A7407CA3CD18DE5F93489166996116C
- [SHA-1] F6517B68F8317504FDCD415653CF46530E19D94A
- [IP Address] 95.164.17[.]24
- [Domain] mirotalk[.]net
Full Story: https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/