The article discusses the malicious DriverEasy application attributed to North Korea’s “Contagious Interview” effort, which aims to capture user passwords through fake prompts. It highlights the application’s mechanisms, including its uploading of captured credentials to Dropbox. The article compares DriverEasy with related applications ChromeUpdate and CameraAccess, indicating commonalities in their functionality and attack strategies. Affected: North Korean threat actors, macOS users, Dropbox API
Key points:
- DriverEasy app mimics a legitimate Google application to trick users into entering their passwords.
- The application captures passwords and uploads them to Dropbox using API calls.
- MalwareHunterTeam identified DriverEasy in early February 2025.
- Application contains a series of fake prompts to obtain sensitive user information.
- DriverEasy’s functionality is similar to other tools like ChromeUpdate and CameraAccess.
- Static analysis revealed the use of Swift and Objective-C in its development.
- The analysis includes a detailed breakdown of how the captured passwords are handled and transmitted.
MITRE Techniques:
- T1609 – Data from Local System: DriverEasy captures users’ passwords using prompts.
- T1071 – Application Layer Protocol: Utilizes Dropbox API for communication.
- T1056 – Input Capture: Prompts are used to capture authentication credentials from users.
- T1030 – Data Transfer Size Limits: The password is transmitted in a limited-sized payload to Dropbox.
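As an added example (not code from the Kandji article): a Python triage helper for the pattern summarised above, a macOS binary that prompts for a password and pushes it out over the Dropbox API with a hard-coded OAuth refresh token. It checks a file's SHA-256 against the three hashes listed on this page and scans its strings for Dropbox endpoints paired with embedded OAuth material; the endpoint paths are the public Dropbox API routes, assumed rather than taken from the article, and the sample bytes are constructed.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 values published for DriverEasy (lower-cased for comparison).
KNOWN_HASHES = {
    "e1bdb6a878dc5a81a74f7178259571d6c1c89fd8163185e6ccc61732d64b6338",
    "b72653bf747b962c67a5999afbc1d9156e1758e4ad959412ed7385abaedb21b6",
    "3c4becde20e618efb209f97581e9ab6bf00cbd63f51f4ebd5677e352c57e992a",
}

# Public Dropbox OAuth2 / upload endpoints (assumption: not quoted from the article).
DROPBOX_MARKERS = [b"api.dropboxapi.com", b"content.dropboxapi.com",
                   b"/oauth2/token", b"/2/files/upload"]
# Hard-coded OAuth material: a key name followed closely by a long token-like value.
TOKEN_RE = re.compile(rb"(refresh_token|client_id|client_secret)\W{0,4}([A-Za-z0-9_-]{10,})")


def hash_matches(data: bytes) -> bool:
    """True if the file's SHA-256 is one of the published DriverEasy hashes."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def dropbox_exfil_indicators(data: bytes) -> dict:
    """Flag a binary that both names Dropbox endpoints and embeds OAuth keys."""
    endpoints = [m.decode() for m in DROPBOX_MARKERS if m in data]
    # Keep only the key names; token values are never printed in full.
    keys = sorted({k.decode() for k, _ in TOKEN_RE.findall(data)})
    return {"endpoints": endpoints, "embedded_oauth_keys": keys,
            "suspicious": bool(endpoints) and bool(keys)}


def triage_app(bundle: Path) -> dict:
    """Hash and scan every executable under Contents/MacOS of an .app bundle."""
    results = {}
    for exe in (bundle / "Contents" / "MacOS").glob("*"):
        data = exe.read_bytes()
        results[exe.name] = {"known_hash": hash_matches(data), **dropbox_exfil_indicators(data)}
    return results


# Constructed sample: a Mach-O magic header followed by strings of the kind
# such a stub might carry. Not real malware.
SAMPLE = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16 +
          b"https://api.dropboxapi.com/oauth2/token\x00refresh_token=AAAAexampleexampleexample\x00"
          b"client_id=exampleid123\x00https://content.dropboxapi.com/2/files/upload\x00")

if __name__ == "__main__":
    print(dropbox_exfil_indicators(SAMPLE))
```

Run `triage_app(Path("/Applications/Suspect.app"))` on a real bundle to apply both checks to every executable inside it.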
Indicators of Compromise:
- [SHA256] e1bdb6a878dc5a81a74f7178259571d6c1c89fd8163185e6ccc61732d64b6338
- [SHA256] b72653bf747b962c67a5999afbc1d9156e1758e4ad959412ed7385abaedb21b6
- [SHA256] 3c4becde20e618efb209f97581e9ab6bf00cbd63f51f4ebd5677e352c57e992a
- [Token] refresh_token = "6Fyo4GM17QYAAAAAAAAAAZwaMDmZRa42SY0xrNpP8KpQWUiIDTSdCtEGn07cdRUQ"
- [Token] client_id = "bz0fuof97upz7f3"
Full Story: https://blog.kandji.io/drivereasy