Beware of North Korean Job Interview Process Delivers Malware Via Fake Chrome Update

A new malware campaign attributed to North Korean threat actors has been identified, targeting individuals through fake job interview processes.
Dubbed “Contagious Interview,” this operation delivers malicious Swift applications disguised as legitimate software updates, including a recently discovered “DriverEasy.app” masquerading as a Google Chrome security component.
The malware leverages social engineering to steal user credentials, continuing North Korea’s pattern of exploiting human trust in cybersecurity systems.
Researchers at SentinelOne and Kandji Labs have uncovered technical connections to previously documented campaigns like “Flexible Ferret” and “ChromeUpdate,” confirming an evolving toolkit designed for credential harvesting.
Analysis of DriverEasy.app Malware
The malicious DriverEasy.app (SHA256: e1bdb6a878dc5a81a74f7178259571d6c1c89fd8163185e6ccc61732d64b6338) uses Swift and Objective-C code to create sophisticated fake prompts.
The application bundle (Chrome.DriverEasy) mimics Google Chrome’s branding and triggers a multi-stage attack.
The malware first displays an NSAlert prompt claiming “Google Chrome would like to access your webcamera.”
This prompt uses a microphone icon to enhance credibility. If the user clicks “Allow,” the malware proceeds to a second prompt: an NSSecureTextField dialog titled “Authentication Required,” which captures the victim’s password.
```
// Decompiled pseudo-code: NSAlert prompt creation for microphone access
struct objc_object* NSAlert = -[_TtC10DriverEasy230verlayWindowController init](...);
int64_t accessRequest = String._bridgeToObjectiveC()("Google Chrome would like to access your webcamera.");
_objc_msgSend(NSAlert, "setMessageText:", accessRequest);
```
Captured passwords are encrypted and transmitted to Dropbox using hardcoded OAuth 2.0 credentials:
```
refresh_token: "6Fyo4GM17QYAAAAAAAAAAZwaMDmZRa42SY0xrNpP8KpQWUiIDTSdCtEGn07cdRUQ"
client_id: "bz0fuof97upz7f3"
client_secret: "a6qlr5u9828raxj"
```
The malware verifies the victim’s public IP via api.ipify.org before invoking Dropbox’s /2/files/upload endpoint. This ensures payloads only activate in targeted geographical regions.
DriverEasy.app employs Swift string obfuscation, storing critical payloads as structs to evade static analysis.
Small strings (≤15 bytes) use in-register storage, while larger strings leverage heap-allocated buffers. The Mach-O binary is ad-hoc signed, limiting execution to developer-approved systems—a tactic meant to reduce sandbox detection.
```
// Decompiled pseudo-code: Swift string handling for Dropbox API communication
void* array = _swift_allocObject(&data_10000c128, 0x58, 7);
*(array + 0x20) = 0x800000010000a000; // Encrypted refresh_token
*(array + 0x28) = 'bz0fuof9';         // Client ID component
```
Organizations should scrutinize unsolicited interview requests requiring software installs and monitor for IOCs like DriverEasy’s Dropbox tokens. Enhanced application allowlisting and EDR solutions capable of detecting Swift-based payloads are critical defenses.
Indicators of Compromise (IOCs)
- ChromeUpdate SHA256: b72653bf747b962c67a5999afbc1d9156e1758e4ad959412ed7385abaedb21b6
- CameraAccess SHA256: 3c4becde20e618efb209f97581e9ab6bf00cbd63f51f4ebd5677e352c57e992a
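A defender-side triage helper built from the indicators quoted in this article (the three SHA256 hashes, the fake prompt text, the hardcoded Dropbox client_id, the bundle identifier and the two network endpoints). This is an added example, not the researchers’ or the publication’s tooling; the function names and the constructed sample bytes are this example’s own.

```python
"""Triage a file against the DriverEasy / Contagious Interview indicators above."""
import hashlib
from typing import Dict, List, Optional

# SHA256 values listed in the article (DriverEasy, ChromeUpdate, CameraAccess).
KNOWN_SHA256 = {
    "e1bdb6a878dc5a81a74f7178259571d6c1c89fd8163185e6ccc61732d64b6338": "DriverEasy.app",
    "b72653bf747b962c67a5999afbc1d9156e1758e4ad959412ed7385abaedb21b6": "ChromeUpdate",
    "3c4becde20e618efb209f97581e9ab6bf00cbd63f51f4ebd5677e352c57e992a": "CameraAccess",
}

# Strings the article attributes to the binary. Order matters for reporting.
STRING_INDICATORS = {
    "fake_prompt": b"Google Chrome would like to access your webcamera",
    "dropbox_client_id": b"bz0fuof97upz7f3",
    "ip_check": b"api.ipify.org",
    "dropbox_upload": b"/2/files/upload",
    "bundle_id": b"Chrome.DriverEasy",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes) -> Optional[str]:
    """Return the sample label if the file hash is one of the published ones."""
    return KNOWN_SHA256.get(sha256_hex(data))


def match_strings(data: bytes) -> List[str]:
    """Names of string indicators present as contiguous bytes.

    Swift's small-string optimization (the <=15 byte case the article describes)
    can place a value in instruction immediates instead of the string table, so a
    miss here is a first pass, not proof of absence.
    """
    return [name for name, needle in STRING_INDICATORS.items() if needle in data]


def scan(data: bytes) -> Dict[str, object]:
    """Combine the exact-hash check with the looser string check."""
    known = match_hash(data)
    hits = match_strings(data)
    return {"sha256": sha256_hex(data), "known_sample": known,
            "string_hits": hits, "suspicious": known is not None or bool(hits)}


# Constructed sample: a fake Mach-O-like blob carrying four of the five strings.
SAMPLE_BLOB = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16 +
               b"Google Chrome would like to access your webcamera.\x00"
               b"https://api.ipify.org?format=json\x00/2/files/upload\x00"
               b"bz0fuof97upz7f3\x00")
CLEAN_BLOB = b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"Hello, world\x00"
```

To triage a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan()`; the constructed blob will never match a published hash, which is exactly why the string check exists alongside it.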
The post Beware of North Korean Job Interview Process Delivers Malware Via Fake Chrome Update appeared first on Cyber Security News.