- UNK_DeadDrop targets developers with fake email-based job lures
- Campaign mirrors Lazarus tactics but uses new autonomous payloads
- Proofpoint says shift toward mass phishing shows industrialized NK operations
Lazarus is not the only North Korean threat actor luring software developers with fake jobs. A hacker group called UNK_DeadDrop now does something similar, but with notable differences.
Security researchers at Proofpoint released an in-depth report analyzing an ongoing campaign similar to Contagious Interview.
For those unfamiliar with Contagious Interview, it is one of Lazarus' two major campaigns, the second being Operation DreamJob. The criminals would fake everything: a company, its employees, and its projects, and then go to LinkedIn to "hire people." They would approach software developers working in high-profile AI and Web3 organizations and offer high-paying jobs and the opportunity to work on new and interesting projects.
Similarities and differences
However, the hiring process would include a testing task, which often required victims to run malicious code from GitHub. After infecting their targets with information stealers, criminals would access company profiles, exfiltrate crypto wallet information, and then steal as many tokens as possible.
According to some sources, Lazarus alone was able to steal billions of dollars in cryptocurrency over the years.
While UNK_DeadDrop does more or less the same thing, its approach is somewhat different. Instead of using LinkedIn for initial contact, these attackers rely primarily on email. They do not set up fake interviews, but simply send unsolicited job offers or code review requests. And finally, they use a new payload independent of what was previously seen in Contagious Interview campaigns.
“UNK_DeadDrop activity suggests that North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Proofpoint researchers concluded.
“The shift from active social engineering on social media platforms to conduct fake interviews to large recruiting-themed phishing email campaigns that distribute links to malicious repositories could indicate that an actor is industrializing and scaling up operations.”
Through The Registry





