Tech Job Seekers Beware, Threat Actors May Be At Play

Job-seeking individuals in the technology industry have a looming threat: cybercriminals posing as recruiters to install malware on their devices. In a recent malicious campaign, attackers targeted job-seekers on LinkedIn, luring them to download and execute malware that masquerades as a legitimate video call application.

These threat actors try to persuade the victims to download and install malware during an online interview that they invite the victim to take part in. Both Windows and macOS users were vulnerable as the attackers compiled BeaverTail malware variants for the two operating systems.

The malicious activity was tracked by Unit 42 of the cybersecurity company Palo Alto Networks.

Unit 42 first announced the activity in November 2023, and since then, there has been additional online activity from the fake recruiters, as well as code updates to two pieces of malware associated with the campaign: the BeaverTail downloader and the InvisibleFerret backdoor.

In a June 2024 article, a fake recruiter account reportedly contacted the writer over LinkedIn. After the attacker set up a technical interview online, he convinced the potential victim to execute malicious code. In this case, the potential victim purposefully ran the code in a virtual environment, which eventually connected back to the attacker's command and control server.

After the malicious applications are installed, BeaverTail executes its malicious code in the background, collecting data and exfiltrating it from the victim's host without any visible indicators. It can steal browser passwords in macOS, as well as cryptocurrency wallets in both macOS and Windows.

According to the report, the campaign appears to be financially motivated, since the BeaverTail malware has the capability of stealing 13 different cryptocurrency wallets. An additional significant risk associated with this campaign is the possibility of infiltration of the organisations that employ the job seekers targeted by fake recruiters.

Sensitive data may be collected and exfiltrated in the event that an infection on a company-owned endpoint—such as laptop/computer or virtual resources like cloud services or web-based applications—is effective.

After exfiltrating collected data, BeaverTail attempts to download the Python programming language to the infected machine. This is essential to executing the InvisibleFerret backdoor payload, which is written in Python.

The infection chain culminates in deploying the InvisibleFerret Python backdoor. This enables the attackers to maintain remote control of the machine by downloading AnyDesk and exfiltrate sensitive files.

Threat actors can further steal credentials from web browsers, which include usernames and passwords that users save on browsers to avoid having to manually enter every time, along with credit card information, the report noted.