
Multiple backdoors spread in North Korean attacks against crypto developers


North Korean state-backed hacking operation DeceptiveDevelopment, also known as Famous Chollima, UNC5342, and Tenacious Pungsan, has launched intrusions deploying various backdoors against cryptocurrency developers around the world as part of its Contagious Interview campaign, The Hacker News reports.

Attackers impersonating recruiters across various job search platforms have been luring targets into completing video assessments or coding exercises that trigger ClickFix instructions or the covert delivery of multiple payloads, an analysis from ESET researchers revealed.

Aside from distributing the InvisibleFerret, OtterCookie, BeaverTail, PylangGhost, and GolangGhost malware, DeceptiveDevelopment also spread the TsunamiKit, PostNapTea, and TropiDoor payloads, with TropiDoor being the group's most advanced payload yet because it was developed by Lazarus hackers. Another Lazarus-linked malware distributed in such attacks is the AkdoorTea remote access trojan.

"DeceptiveDevelopment's TTPs illustrate a more distributed, volume-driven model of its operations. Despite often lacking technical sophistication, the group compensates through scale and creative social engineering," said ESET.

Such findings follow a Trellix report detailing North Korean IT worker fraud against a U.S. healthcare firm.
