North Korean state-sponsored advanced persistent threat operation Famous Chollima, a division of the Lazarus Group, has been deceiving developers into renting out their identities to power its IT worker scheme, reports BleepingComputer.

ANY.RUN's sandbox services allowed BCA LTD threat intelligence specialist Mauro Eldritch and Heiner García of the NorthScan threat intelligence initiative to simulate a laptop farm honeypot responding to Famous Chollima's recruitment offer under the guise of U.S.-based developer Andy Jones. After several interactions, the North Korean agent sought 24/7 remote access to the laptop via AnyDesk, while offering Eldritch's persona a fifth of the salary in exchange for serving as a frontman for the fraudulent interviews.

Further activity in the sandboxed environment showed a remote connection from Astrill VPN, which has been widely used in the North Korean fake IT worker campaign. Researchers were also able to observe the attackers' use of various AI-based browser extensions, OTP authentication extensions, and Google Remote Desktop as part of the operation.
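The tooling the honeypot observed (AnyDesk, Google/Chrome Remote Desktop, Astrill VPN) is exactly what a laptop-farm host looks like from the endpoint side, so a simple telemetry check for unsanctioned remote-access and VPN software on developer machines is the first detection most teams would want. The following script is an added example and is not code from the article, the researchers, or ANY.RUN; the log format, the process image names (`AnyDesk.exe`, `remoting_host.exe`, `astrill.exe`), the `ALLOWED_HOSTS` allow-list and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag unsanctioned remote-access / VPN tooling in constructed endpoint process logs.

Added example, not from the article. Log format, image names and allow-list are
assumptions; map them onto your own EDR or Sysmon process-creation telemetry.
"""
import re
from dataclasses import dataclass

# Executable names are assumptions; extend with whatever your inventory considers
# remote-access or tunnelling software.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Chrome Remote Desktop host",  # Google Remote Desktop service
    "astrill.exe": "Astrill VPN client",
}

# Hosts where such tools are sanctioned (e.g. IT helpdesk jump hosts). Assumption.
ALLOWED_HOSTS = {"it-helpdesk-01"}

# Constructed line format: "<ts> host=<h> user=<u> event=process_start image="<path>""
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=process_start "
    r'image="(?P<image>[^"]+)"'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    tool: str


def scan(lines):
    """Return one Finding per process start of a listed tool on a non-allow-listed host."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        # Compare on the bare image name, case-insensitively (Windows paths).
        image = m.group("image").rsplit("\\", 1)[-1].lower()
        tool = REMOTE_ACCESS_TOOLS.get(image)
        if tool and m.group("host") not in ALLOWED_HOSTS:
            findings.append(Finding(m.group("ts"), m.group("host"), m.group("user"), tool))
    return findings


# Constructed sample telemetry (not real logs): a developer laptop starting AnyDesk
# and the Chrome Remote Desktop host, an allow-listed helpdesk host, and benign noise.
SAMPLE_LOGS = [
    '2024-01-01T09:00:00Z host=dev-laptop-07 user=ajones event=process_start '
    'image="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"',
    '2024-01-01T09:05:00Z host=dev-laptop-07 user=ajones event=process_start '
    'image="C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\remoting_host.exe"',
    '2024-01-01T09:10:00Z host=it-helpdesk-01 user=support event=process_start '
    'image="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"',
    '2024-01-01T09:15:00Z host=dev-laptop-07 user=ajones event=process_start '
    'image="C:\\Windows\\System32\\notepad.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} {f.user}: unsanctioned {f.tool}")
```

Run as-is, the script reports the two developer-laptop starts and stays silent on the helpdesk host and on notepad. In practice the same rule is worth pairing with a check on session duration, since the article's point is that the operator wanted round-the-clock access, so a remote-desktop host process that stays up for days on a personal developer machine is a stronger signal than a single launch.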