
North Korean Job Scam Spreads Malware Through Fake Chrome Update


In a sophisticated cyber-espionage campaign, North Korean threat actors have been leveraging fake job interview processes to deploy malware disguised as legitimate applications.

According to recent analyses by cybersecurity researchers, malicious programs such as “ChromeUpdate,” “DriverEasy,” and “CameraAccess” are being utilized to steal sensitive user credentials and exfiltrate them to external servers, including Dropbox.

These applications are part of the broader “Contagious Interview” effort attributed to North Korea.

Malware Tactics and Techniques

The malware, written in Swift and Objective-C, is distributed under the guise of legitimate tools like Google Chrome updates.

Once installed, these applications simulate error prompts and request users to input their passwords under the pretense of authentication or system access.

For example, “DriverEasy” presents itself as a Google Chrome-related application, requesting microphone access and subsequently prompting users to enter their credentials.

Captured passwords are then uploaded to Dropbox using API tokens, with the malware employing OAuth 2.0 for secure communication.

Additionally, the malware queries the victim's public IP address via services like api.ipify.org and parses the JSON responses returned by Dropbox's API to manage its file uploads.

Technical Analysis of DriverEasy

The “DriverEasy” application, first flagged on VirusTotal in early February 2025, has been identified as a key component of this campaign.

It uses the NSAlert dialog API, called from Swift, to create convincing prompts for password collection.

The captured credentials are converted into Swift strings and stored in an array alongside Dropbox API tokens.

These tokens include:

  • Refresh Token: 6Fyo4GM17QYAAAAAAAAAAZwaMDmZRa42SY0xrNpP8KpQWUiIDTSdCtEGn07cdRUQ
  • Client ID: bz0fuof97upz7f3
  • Client Secret: A6qlr5u9828raxj

The malware then uses these tokens to authenticate with Dropbox and upload the stolen data under filenames such as “password.txt.”

The process includes checks for successful uploads by monitoring HTTP status codes.
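The behaviour described above gives defenders a simple correlation to hunt for: an unexpected process performing a public-IP lookup (api.ipify.org) and then talking to the Dropbox API within a short window. The following is an added detection example, not code from the article or the researchers cited; the log format, field names, process allowlist and time window are assumptions, and the events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts the article reports the malware contacting: Dropbox's API for exfiltration
# and api.ipify.org for the victim's public IP.
EXFIL_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
RECON_HOSTS = {"api.ipify.org"}
# Processes legitimately expected to use the Dropbox API (assumed allowlist).
ALLOWED_DROPBOX_PROCESSES = {"Dropbox"}
WINDOW = timedelta(minutes=10)

# Constructed sample of endpoint network-connection events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2025-02-03T09:00:01", "pid": 501, "process": "Dropbox", "host": "api.dropboxapi.com"}
{"ts": "2025-02-03T09:12:10", "pid": 734, "process": "DriverEasy", "host": "api.ipify.org"}
{"ts": "2025-02-03T09:12:12", "pid": 734, "process": "DriverEasy", "host": "api.dropboxapi.com"}
{"ts": "2025-02-03T09:12:13", "pid": 734, "process": "DriverEasy", "host": "content.dropboxapi.com"}
{"ts": "2025-02-03T09:30:00", "pid": 812, "process": "Safari", "host": "api.ipify.org"}
{"ts": "2025-02-03T11:00:00", "pid": 812, "process": "Safari", "host": "content.dropboxapi.com"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events, converting timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events

def find_suspicious(events, window=WINDOW):
    """Return (process, pid) pairs that perform a public-IP lookup and a Dropbox
    API connection within `window`, excluding the allowlisted Dropbox client."""
    by_proc = defaultdict(list)
    for event in events:
        by_proc[(event["process"], event["pid"])].append(event)
    hits = []
    for key, evs in by_proc.items():
        if key[0] in ALLOWED_DROPBOX_PROCESSES:
            continue
        recon = [e["ts"] for e in evs if e["host"] in RECON_HOSTS]
        exfil = [e["ts"] for e in evs if e["host"] in EXFIL_HOSTS]
        if any(abs(r - x) <= window for r in recon for x in exfil):
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    print(find_suspicious(parse_events(SAMPLE_EVENTS)))  # → [('DriverEasy', 734)]
```

The Safari events fall outside the ten-minute window and so are not flagged; widening the window trades precision for recall, which is why the allowlist matters.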

Comparative analysis reveals that “DriverEasy,” “ChromeUpdate,” and “CameraAccess” share significant code overlap, particularly in their use of Dropbox API credentials and payload delivery mechanisms.

This indicates a coordinated effort by the same threat actor group.

Researchers have noted that these applications employ similar techniques for credential harvesting and data exfiltration.

This campaign underscores the growing sophistication of social engineering attacks targeting job seekers.

By exploiting trust in widely used platforms like Google Chrome, attackers are able to bypass traditional security measures.

Users are advised to exercise caution when downloading software from unofficial sources and verify the legitimacy of prompts requesting sensitive information.

Organizations should implement endpoint detection solutions capable of identifying anomalous behavior associated with such malware.

Furthermore, raising awareness about phishing schemes disguised as job offers can help mitigate risks associated with these campaigns.

As North Korea continues its cyber-espionage activities, understanding the technical intricacies of these attacks remains critical for developing robust defenses against emerging threats.
