
From 9 to 13 Different Wallets: Fake Web3 Job Recruiters Update Their Crypto-Stealing Malware

CryptoNews, 2024/10/09 21:39
By: Sead Fadilpašić
The novel variant of the malware targets both Windows and macOS. It is now capable of stealing cryptocurrency from 13 different wallets.
Last updated: October 9, 2024 09:58 EDT

Fake Web3 job recruiters associated with North Korea target job-seekers online, tricking them into downloading malware that masquerades as a video call application – stealing their crypto.

According to the latest report from Unit 42, the cyber risk team of major cybersecurity company Palo Alto, the novel variant of a previously discovered malware targets both Windows and macOS.

Notably, it is now capable of stealing cryptocurrency from 13 different wallets, including MetaMask, BNB Chain, Exodus, Phantom, TronLink, Crypto.com, and more.

The researchers argue that these are North Korean threat actors who are likely financially motivated, working to support the Democratic People’s Republic of Korea (DPRK) regime.

How It Works

The attackers target tech industry job seekers’ devices.

They contact software developers through job search platforms and invite them to an online interview.

The attacker will then work to convince the developer to download and install malware presented as a video chat app.

Once the victim executes the malicious code, it starts working in the background to collect data and digital funds.

Let’s check out some of the many examples.

In June 2024, a Medium article warned about fake recruiters on GitHub and LinkedIn Premium. Specifically, author Heiner named “Onder Kayabasi” as the account that contacted the writer over LinkedIn.

The LinkedIn account is no longer available, but there is a similar Twitter account that is still live at the time of writing.

[Image 1] Source: Onder Kayabasi, Twitter

These social engineering and fraud campaigns “aim to infect, steal information and cryptocurrencies from people, particularly developer accounts in the cryptocurrency, blockchain, cybersecurity, and online gambling domains,” Heiner wrote.

Full Stack Software Engineer Richard Chang had already reported the account as a fake recruiter. He intentionally ran the code in a virtual environment “because you should NEVER run random code that you do not understand from a suspicious party.”

Kayabasi “was not happy,” Chang wrote.

Though indeed “evil,” the code was “surprisingly sophisticated,” he added.

[Image 2] Source: Richard Chang, LinkedIn

From 9 to 13 Wallets

Unit 42 has been tracking activity by these actors for a while now, first writing about this aptly named “Contagious Interview campaign” in November 2023.

Since then, however, the activities continued with newer iterations.

Specifically, the researchers noted code updates to two pieces of malware: the BeaverTail downloader and the InvisibleFerret backdoor.

BeaverTail, a downloader and infostealer, is the initial malware. It executes its malicious code in the background without any visible indicators.

The newer version of the BeaverTail malware was introduced as early as July 2024.

The attackers used the Qt framework, which allows developers to create cross-platform applications.

This means that the attackers can use the same source code to compile applications for Windows and macOS simultaneously, the report explained.

Additional features in this new Qt version of BeaverTail include stealing browser passwords in macOS and stealing cryptocurrency wallets in both macOS and Windows.

“This last feature is consistent with the ongoing financial interests of North Korean threat actors,” said the report.

[Image 3] Source: Unit 42

Importantly, this newer Qt version targets 13 different crypto wallet browser extensions, compared to the previously recorded 9 wallets.

“Of the current 13 extensions, the authors added 5 for new wallets, and removed one,” researchers said.

These include MetaMask, BNB Chain, Exodus, Phantom, TronLink, Crypto.com, Coin98, Kaikas, Rabby, and Argent X – Starknet.

[Image 4] Source: Unit 42

After this step, the attackers will attempt to execute the InvisibleFerret backdoor. Its components include fingerprinting, remote control, and an information stealer, as well as a browser stealer.

This move allows the attackers to maintain control of the device and exfiltrate sensitive data.


Another major risk, according to the report, is the potential infiltration of the companies that employ the targeted job seekers.

“A successful infection on a company-owned endpoint could result in collection and exfiltration of sensitive information,” they stressed.

Unit 42 advises individuals and organizations to be aware of these advanced social engineering campaigns.

Therefore, in its report, Unit 42 offers protection and mitigation measures.
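
One way to hunt for the wallet-extension theft described above, as an added example that is not taken from the article or from the Unit 42 report: flag any non-browser process that reads Chromium extension storage, and escalate when it touches several extensions in one run. The telemetry format, host and process names, browser allowlist and extension ids are constructed placeholders; the `Local Extension Settings` directory is the standard Chromium profile layout.

```python
import re
from collections import defaultdict

# Assumed allowlist: processes expected to read their own extension storage.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe",
                 "google chrome", "google chrome helper", "brave browser"}

# Chromium-based browsers keep per-extension data under
# <profile>/Local Extension Settings/<32-char id>/ (ids use letters a-p).
EXT_STORE = re.compile(
    r"[/\\]Local Extension Settings[/\\]([a-p]{32})(?:[/\\]|$)")

WIN = (r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default"
       r"\Local Extension Settings")
MAC = ("/Users/dev/Library/Application Support/Google/Chrome/Default"
       "/Local Extension Settings")
IDS = ["a" * 32, "b" * 32, "c" * 32]  # placeholder ids, not real wallets

# Constructed file-read telemetry: (host, process, path).
SAMPLE_EVENTS = [
    ("WIN-DEV01", "chrome.exe", WIN + "\\" + IDS[0] + r"\000003.log"),
    ("WIN-DEV01", "FakeCallApp.exe", WIN + "\\" + IDS[0] + r"\000003.log"),
    ("WIN-DEV01", "FakeCallApp.exe", WIN + "\\" + IDS[1] + r"\CURRENT"),
    ("WIN-DEV01", "FakeCallApp.exe", WIN + "\\" + IDS[2] + r"\LOG"),
    ("MAC-DEV02", "Google Chrome", MAC + "/" + IDS[0] + "/LOG"),
    ("MAC-DEV02", "backup-agent", MAC + "/" + IDS[1] + "/LOG"),
    ("MAC-DEV02", "backup-agent", "/Users/dev/Documents/notes.txt"),
]


def find_extension_store_readers(events, sweep_threshold=2):
    """Return non-browser processes that read browser-extension storage.

    Each finding is (host, process, distinct_extension_count, verdict).
    "sweep" means several extensions were read, the pattern expected from a
    stealer walking a list of wallets; "review" is a single-extension hit.
    """
    touched = defaultdict(set)
    for host, proc, path in events:
        match = EXT_STORE.search(path)
        if match and proc.lower() not in BROWSER_PROCS:
            touched[(host, proc)].add(match.group(1))
    findings = []
    for (host, proc), ids in sorted(touched.items()):
        verdict = "sweep" if len(ids) >= sweep_threshold else "review"
        findings.append((host, proc, len(ids), verdict))
    return findings


if __name__ == "__main__":
    for finding in find_extension_store_readers(SAMPLE_EVENTS):
        print(finding)
```

To narrow the rule to wallets only, filter the captured ids against a list of wallet extension ids taken from the browser's extension store or the vendor report.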

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.