Summary:
Unit 42 researchers have identified a North Korean IT worker activity cluster, CL-STA-0237, that conducts phishing attacks using malware-laced video conferencing applications. Operating from Laos, this cluster exploited a U.S.-based IT services company to apply for jobs, a development that points to a shift toward more aggressive malware campaigns linked to North Korea’s illicit activities, including its WMD programs. Organizations are advised to strengthen their hiring processes and monitoring to mitigate these risks.
Keypoints:
- CL-STA-0237 is a North Korean IT worker activity cluster involved in phishing attacks.
- The cluster operates from Laos using Lao IP addresses and identities.
- CL-STA-0237 exploited a U.S.-based IT services company to apply for jobs.
- In 2022, CL-STA-0237 secured a position at a major tech company.
- The cluster is part of a broader network supporting North Korea’s illicit activities.
- Organizations should strengthen hiring screening processes and monitor for insider threats.
- North Korean IT workers have transitioned from seeking stable income through employment to running aggressive malware campaigns.
- New tactics involve fake video conferencing websites to deliver malware during job interviews.
- CL-STA-0237 managed multiple fake identities and resumes.
- Evidence suggests a possible physical presence of CL-STA-0237 in Laos.
- The Contagious Interview campaign may be attributable to the Lazarus group.
- North Korean threat actors have been successful in generating revenue for illicit activities.
MITRE Techniques:
- Phishing (T1566): Utilizes fake job offers and video conferencing to lure victims into downloading malware.
- Credential Dumping (T1003): Likely involved in stealing access credentials from the exploited IT services company.
- Remote Access Tools (T1219): Deployment of BeaverTail and InvisibleFerret malware for remote access.
IoC:
Full Research: https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/