
Void Dokkaebi Exploits Job Interviews to Distribute Malware via Code Repositories

Severity: High (Score: 75.5)

Sources: www.microsoft.com, www.esentire.com, opensourcemalware.com, Trend Micro

Summary

Void Dokkaebi, a North Korea-aligned hacking group, is running a campaign against software developers in which its operators pose as recruiters from cryptocurrency and AI firms. Victims are lured into cloning malicious code repositories under the guise of a job interview, which compromises their development environments. Once a developer's machine is infected, it becomes a launchpad for further attacks: the victim's own code contributions are weaponized to spread the malware to other developers. This propagation resembles a worm, relying on Visual Studio Code (VS Code) workspace configurations and on obfuscated JavaScript injected into repositories. The attack abuses the trust inherent in developer workflows and significantly raises the risk of supply chain compromise, since downstream developers who clone a compromised repository are infected in turn, creating a self-sustaining cycle of infection. Organizations are urged to review their security practices to mitigate this emerging threat.

Key Points:

  • Void Dokkaebi targets developers by impersonating recruiters in fake job interviews.
  • Infected machines act as launchpads, spreading malware through trusted code repositories.
  • The attack exploits Visual Studio Code configurations, making it difficult to detect.

Key Entities

  • FAMOUS CHOLLIMA (apt_group)
  • Void Dokkaebi (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Worm (attack_type)
  • North Korea (country)
  • CWE-94 - Code Injection (cwe)
  • socket.io (domain)
  • 136.0.9.8 (ipv4)
  • 154.91.0.196 (ipv4)
  • 166.88.4.2 (ipv4)
  • 198.105.127.210 (ipv4)
  • 23.27.120.142 (ipv4)
  • BeaverTail (malware)
  • Dev#popper RAT (malware)
  • InvisibleFerret (malware)
  • OmniStealer (malware)
  • OtterCookie (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1059.007 - JavaScript (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Aptos (platform)
  • Binance Smart Chain (platform)
  • GitHub (platform)
  • Gitlab (platform)
  • TRON (platform)
  • BitBucket (tool)
  • Node.js (tool)
  • Git (tool)
  • Socket.io-client (tool)