North Korea-Aligned Hackers Target Freelance Developers in Deceptive Scheme

ESET

ESET Research Uncovers Operation Aimed at Stealing Cryptocurrency Wallets and Login Information

ESET researchers have uncovered a malicious campaign dubbed “DeceptiveDevelopment” that targets freelance software developers. This North Korea-aligned operation uses spearphishing on job-hunting and freelancing sites to lure victims with fake job offers. The attackers pose as recruiters and entice developers to download project files that are trojanized with infostealing malware.

The primary goal of DeceptiveDevelopment is to steal cryptocurrency wallets and login information from browsers and password managers. The operation employs two malware families: BeaverTail, an infostealer and downloader, and InvisibleFerret, an infostealer and Remote Access Trojan (RAT). These malware tools enable the attackers to extract sensitive information and gain remote access to compromised systems.

“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” concludes ESET researcher Matěj Havránek.

ESET researchers have observed that the attackers use fake recruiter profiles on social media and freelancing platforms such as LinkedIn, Upwork, and Freelancer.com to approach their targets. They also post fake job listings on these platforms, aiming to compromise as many victims as possible. The attackers’ tactics include asking victims to take coding tests and download project files from private repositories on platforms like GitHub. Once the victims execute the trojanized files, their systems are compromised.

This campaign is part of a broader trend of North Korea-aligned cyber operations focusing on financial gain through cryptocurrency theft. The attackers’ techniques are similar to other known North Korea-aligned operations, highlighting the persistent threat posed by these actors.

ESET researcher Matěj Havránek, who made the discovery, explains, “As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to take a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms. Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim’s computer gets compromised.”

The DeceptiveDevelopment cluster adds to the growing list of money-making schemes employed by North Korea-aligned actors, shifting their focus from traditional money to cryptocurrencies. This ongoing trend underscores the importance of vigilance and cybersecurity awareness among freelance developers and job seekers in the tech industry.
