Only Malware in the Building 8.5.25
Ep 14 | 8.5.25

Work from home, malware included.

Transcript

[ Music and Whistling ]

Dave Bittner: Guys, emergency! Double jalapeno queso dip is missing from the fridge!

Selena Larson: Okay, Dave, breathe. It's just a dip.

Keith Mularski: Did you check if you ate it all last night?

Dave Bittner: No way. This is a crime, a dipnapping. And I'm going full detective on this.

Selena Larson: Here we go. [ Music ]

Dave Bittner: Step one: Secure the crime scene.

Keith Mularski: Dude, it's just a fridge.

Dave Bittner: Step two: Collect evidence. Look, salsa drips, crumbs, a suspicious smear on the fridge handle. The perp was sloppy.

Selena Larson: Or just really hungry.

Dave Bittner: Step three: Interrogate the suspects.

Keith Mularski: You mean us?

Dave Bittner: Exactly. Selena, where were you last night between the standard dip hours?

Selena Larson: Podcasting. And as much as I love double jalapeno, I was avoiding the dip drama.

Keith Mularski: I was on a snack break. Totally innocent.

Dave Bittner: Keith, you're sweating suspiciously.

Keith Mularski: Well, it's a bit hot in here.

Selena Larson: You're both ridiculous.

Dave Bittner: Ah-ha. Well, there is fridge camera footage.

Keith Mularski: Wait, what? You installed a camera inside the fridge?

Dave Bittner: Absolutely. Snack security is serious business.

Computer Voice: Enabling fridge footage from June 30, 2025.

Dave Bittner: Look at this. Well, well, well, it's our podcast producer sneaking in and grabbing a dip!

Computer Voice: [Alarm Sounding] Recording in process. Drop the dips. I repeat, drop the dips. [ Grunts ] >> Please stop. I retire in three days. Aw! Aw! Have you no mercy? Aw! Aw! Aw! Aw! Aw! [ Heavy Breathing ] Wait. You can't get rid of me that easily. Aw! Aw! You're getting rid of me easily. Aw. Aw! Aw! Aw!

Selena Larson: Wait, what?

Keith Mularski: The producer, she's the real culprit?

Dave Bittner: Case closed. The dip thief has been caught on camera.

Selena Larson: So you went full detective, made us do a mini interrogation, and the dip was stolen by one person none of us suspected?

Dave Bittner: Exactly. Never underestimate the power of dip.

Keith Mularski: I'm just glad it wasn't one of us.

Selena Larson: Dave, next time, maybe just label your dip, "Dave's dip: do not eat."

Dave Bittner: Where's the fun in that? [ Music ]

Selena Larson: We're pivoting from dips to DPRK. Today we're going to talk about North Korean threats and threat actors and how they are both targeting technology workers as well as becoming IT workers within organizations in the US and globally. It's really interesting to take a look at how the North Korean threat activity has changed over the years. Maybe, Chief, you can have us go on a walk down malware memory lane by reminding us of North Korean actors and what they are doing now.

Dave Bittner: Oh, talk about Keith's favorite things.

Keith Mularski: I love talking about history, you know. So obviously when we think of North Korea, you know, from the beginning we think of like the Sony attack, we think of these destructive type of attacks, we think of hitting like the bank Bangladeshi, you know, the billion-dollar heist that's out there. So we think of North Korea doing those types of attacks. You know, we love the name Lazarus. You know, we like to play kind of like the Toys "R" Us like Laz "R" Us, you know games with them. But, you know, that's kind of traditionally how we have thought about North Korea with these destructive attacks. And what we're really seeing them now is start to pivot now is, hey, you know, they're going to move just from, you know, these offensive type things to like, hey, we're going to steal money to help get past the sanctions that are in place and help fund the regime. So they've really gone from this simplistic types of attacks, destructive, to now really impressive things where they're not only using malware, they're setting up recruitments, they're trying to get hired. You know, they're stealing cryptocurrency. And it's this one big, you know, operation here now. So, you know, that we'll just dive in here in this episode, which I think is very fascinating.

Dave Bittner: Going back even further than that, I mean, can we lay out for our listeners kind of what the situation is with North Korea as an actor on the global stage? I mean, they kind of stand alone; is that a fair way to describe them?

Keith Mularski: Yeah, I mean, I think they're different than the other threat actors out there because really like their espionage operations are so intertwined with criminal activities to steal money right now. So they are a different beast from any of the other, you know, state-sponsored hackers that are out there. [ Music ]

Selena Larson: And also too, so they obviously are the originals of APT cribbing on crime. So, you know, they for a long time have used their activity for financial enrichment for the hermit kingdom, to build the nuclear weapons, to fund, you know, government operations in a way that you don't really see with any other sort of major state threat actors. And they've been doing that for a few years now. And also what I think is pretty interesting is so they're kind of like this like overlapping threat actor, right? So their country is directing them to steal money. Whereas oftentimes what you'll see with some of the other APT e-crime sort of overlap is, well, you know, maybe I'm a Chinese cybercriminal on the side. While I'm, you know, doing work to support the government interests that I'm being tasked with, maybe, you know, I'm moonlighting as something else. We've seen it with Iran a little bit also, but not quite on the same level of North Korean threat actors. I would say they have really become great at stealing our currency. They are so good at it, it's crazy. And hundreds of millions of dollars' worth, right? Like it's a big system that they've got going on. And one thing I actually thought was kind of interesting as well is it's not just sort of in the cyber realm that we're seeing some sort of like expansion of their activities or potentially, you know, collaborating or working with other groups, but they've also become involved in supporting Russia in their invasion of Ukraine. So we see, you know, North Koreans physically on the front and fighting in support, you know, of that. And we've also actually seen in email threat data North Korean aligned threat actors targeting government entities in Ukraine, likely to collect intelligence on the trajectory of Russia's invasion. So they're doing kind of a lot. And I think, you know, the stuff that is pretty interesting obviously is like the crypto to enrich the country, but also some of the clever social engineering and some of the tactics that they're using, some of their cyberattacks that are very unique to this particular group of threat actors.

Keith Mularski: Yeah, and especially talking about the stealing of the cryptocurrency, you know, what we're seeing out there right now is they are setting up LinkedIn profiles to be recruiters to try to recruit people at cryptocurrency companies or people that are doing work for cryptocurrency companies. And, Selena, do you want to kind of talk about how they're targeting GitHub repositories as well?

Selena Larson: Yeah. So we've seen, for example, some sort of like supply chain type of attacks -- so compromised npm packages. You've seen them sort of, you know, like upload malicious code on GitHub. There's a really interesting writeup about how they are actually trying to clone on the repository, have this malicious stuff embedded in the GitHub repository, and then they'll direct people to sort of like download this. And in these interviews, right, like, oh, yeah, we're recruiting you. We want you to do this. And then here, click to download this to use this tool. So it's kind of interesting to see how they're going after the tools and the sort of resources that some technical people would be using, the folks that they're targeting. And so there's been a lot of reporting on how they are actually going after like tech industry specifically. So these jobseekers that work in this industry -- I think -- was it "Contagious Interview" is one of the clusters. And then going back way far, "Operation Dream Job." So you've got these campaigns -- ongoing, you know, campaigns that they're called -- with these sort of code names that are all about job and recruiting and focusing on technology and defense.

Keith Mularski: Yeah, I think there was like an "Operation '99" was like one of those campaigns I think where they were going after cloned GitHub repositories. And "Marstech Mayhem" was another name that was out there. You know, that involved JavaScript and Python implants that were served through interview-themed lures and fake recruitment personas.

Selena Larson: Dave, your favorite crazy names?

Dave Bittner: Well, yeah. I want to dig into these job recruiting and the fake employees and all that kind of stuff. But before we get to that, just at a higher level, Keith, we keep mentioning cryptocurrency, right? And I'm curious, you, from your experience in law enforcement -- I mean, you were around when cryptocurrency became a thing, right? What was that like for people in law enforcement to suddenly have kind of this end around of the global monetary system? I mean is that a fair way to frame it?

Keith Mularski: Well, I think it kind of started before cryptocurrency. Because you had -- let's go back to e-gold, if you remember that, back in the early 2000s, which was really kind of it was a platform that was based on the gold currency, you know, the gold standard and like how much the price of gold was. So you could buy e-gold and it was all virtual currency and the criminals used that. And then e-gold was taken down and then it went to Liberty Reserve, which was very similar. And the Russians used WebMoney, which was very big at the time. So those digital currencies kind of predated the cryptocurrency, but then once you got to crypto, then, you know, everything's out on the blockchain there, you know. And it was, you know, untraceable and a lot harder to track than, you know, those e-gold or WebMoney and things like that.

Selena Larson: That is so interesting. I have to admit, I did not know about e-gold and how it was used by cyber criminals.

Keith Mularski: It was one of my favorites to use when I worked undercover way back in the day.

Dave Bittner: No, that's interesting. And you hear about it. I mean, even -- I mean, look, they're going to figure out ways to launder the money, right? I mean, they're going to figure out where the weak spots are and all this kind of stuff. But it just seems to me like -- again, we're talking about North Korea, which is so isolated from the rest of the global community. And yet here's a way for them to participate -- I'm putting air quotes around "participate" -- because you have this borderless, unregulated wild West currency, right?

Keith Mularski: Yeah. You know, it's crazy, you know, the amount of money that's going through crypto. And, you know, right now, you know, crypto is a big thing here in the States. We have a president, he's the first crypto president. So, you know, more and more people are putting their money in crypto. And it's not just now this thing of cyber criminals, you know, it's much more legitimate. But yet, you know, the criminals are, you know, exploiting it.

Selena Larson: I did a -- sorry.

Dave Bittner: Go ahead, Selena.

Selena Larson: I was going to say, I did a talk at SLEUTHCON last year, and I did a timeline of ransomware, basically, specifically focusing on Russia. And one piece of the timeline was -- what was it, 2010 or whatever -- Bitcoin invented, ruins everything [laughter]. Huge mistake. Huge mistake.

Dave Bittner: I guess it depends on your point of view, right? Some people would say Bitcoin made everything great.

Selena Larson: Oh my gosh. Yeah, I can't say that -- as someone who follows and tracks crypto and mostly used by criminals and how criminals have begun scamming people using crypto, like pig butchering, is a huge, huge, huge, huge threat. My feelings might be fairly obvious.

Keith Mularski: I'll tell you one thing I saw just this week, somebody did an exposé, some of the guys from Conti. And one of the guys is a name true to my heart, this guy Vitaly Kovalev, was one of the original godfathers in my opinion of cybercrime. But they were talking about that they tracked his crypto wallet. And he has $500 million in that wallet, you know. So here we have a cybercriminal, maybe the first cyber billionaire here, you know, in the upcoming years. It's just, you know, insane when you think about that much money in, you know, a white crypto wallet.

Dave Bittner: Go ahead.

Selena Larson: I do think it's interesting though with crypto, you can track where the payments are going. So you can see, okay, what is DPRK doing with this money; what are they -- you know, who are they giving it to; how are they laundering it, right; what wallets are they going to; and does that wallet have overlapping activity with other potential malicious threat actors? And you're actually able to see, this is how much money they're making and this is where it's going. So I do think from that perspective, it's really, really interesting. Because it used to be that, oh, it's totally anonymous. And now it's like, well, actually, you can see everything that everyone is doing. Stick around, we'll be right back. [ Music ]

Dave Bittner: In the time we've got left, I want to talk about one specific element to this, which is these stories we've heard about folks from North Korea in particular applying for US tech jobs and getting the jobs [laughter]. So let's unpack that a little bit, how that's possible and what the implications are for us and for them. Selena, you want to start things off for us?

Selena Larson: Sure. So it's this massive problem of IT workers from North Korea working at legitimate companies. And so they will apply to these jobs and they will, you know, go through the entire recruitment process and they will actually obtain these jobs, mostly, you know, tech jobs. And what's also very interesting is they have a network of supporters, not just, you know -- they're not just operating exclusively with North Korean threat actors, right? So there was a very interesting story from -- I'm from Arizona, so this was particularly interesting. But there was this Arizona woman who, you know, was working and basically facilitating these DPRK workers from her living room. And so she had all of these laptops and she was doing a lot of the work that they were asking her to do and basically forwarding the work from wherever the North Korean actor was -- you know, China, Russia, or wherever they were physically located -- to having access. I'm in Arizona. Like this is my job. And so essentially what they're doing is they are infiltrating these companies and they're making a lot of money. And in many cases, they have multiple jobs that are, you know, making lots of money. And DTEX actually put out a pretty interesting report on some of these threat actors. They published 1,000 email addresses that were used by these actors. They named some in particular, dropped their images, explained, you know, this is how they've been working and how this actually works. But it's a big and insidious problem. And I think it's really interesting when companies actually publish, like, hey, this happened to us. And so Kraken -- which is a crypto finance firm -- which I have to say, a lot of these guys, you know, like they want to go work at these crypto firms, it's an interesting tech job. And so, you know, Kraken published a really interesting blog and went through the process of, like, here, they apply for this job; here is how they, you know, tried to get; here's how we caught them; and here are the, you know, some of the ways in which -- the questions that we asked and the things that we made them do to try and identify that actually they were fraudulent. And so they, you know, have these red flags and all these things, but they do that. And honestly, there's a lot of reporting that they're using AI-enabled tools. So they have something set up where they get asked a question and then they put the question through whatever LLM it is that they're using to provide an answer. And so this is sort of this like real-time. And we talk about some of the challenges and risks of AI and LLMs. And this is a great example of them using it to enable their fraud, basically.

Keith Mularski: I've got a great story with that, too. So I was talking with my -- a CISO friend of mine, and he said they were probably about for every 50 applications, about 35 of them were these IT workers. And he said, you know, that they were deploying different techniques in the interview. Because like, you know, somebody was supposed to be from Tampa, and one of the guys that was interviewing the person was from Tampa. So he's like, well, how's the weather out there? You know, and they couldn't answer it, you know. And they could see him looking up, you know, for somebody to look on, you know, Google, what's the weather in Tampa, you know. And it was just, you know, different things like that. You know, they would make the person get up and move, so if there was an AI generated, you know, face there, you know, if the person would move, you could see it. So they were kind of having fun with that, you know, as kind of that first line of seeing if they could detect it. But it's very prevalent from, you know, what he told me.

Dave Bittner: At the RSA conference a couple weeks ago, Adam Meyers from CrowdStrike was doing a session and said that an interview question you should add is, how fat is Kim Jong Un? [ Laughter ] Because if you ask that question, they will hang up.

Keith Mularski: That is great.

Dave Bittner: Allegedly. Because it's not worth them answering the question and getting in trouble with, you know, dear leader. So they will typically end the call.

Keith Mularski: Yeah, isn't that funny.

Selena Larson: I also think it's pretty interesting that this is something that's gone on for quite some time, and it's really come to the general public recently. And I think just because it's so bad now that it's been very, very effective. But, for example, in the case of the Arizona woman who I believe, yeah, she just pled guilty to this fraud scheme. It said that she was this American citizen, conspired with overseas IT workers from October 2020 through October 2023 to steal the identities of US nationals and use those identities to apply for remote IT jobs. So, you know, this is something that has been going on for some time. I mean, she obviously had a business, running a business. Speaking of startups. Business enabling, you know, IT worker fraud. But it is something I think that has been going on for so long, was pretty successful. Because now we're at this tipping point where it's like, oh, this is actually bad. And you have, you know, companies talking about, we accidentally hired an IT worker, here's what we did. And just, you know, all coming out with these stories, which is such an interesting human interest story in my opinion. Like it's such a weird human story.

Dave Bittner: The stories that are coming out describing this are from cybersecurity companies who've had it happen to them. So these are not unsophisticated people. These are people who have lots of steps in their hiring process and lots of vetting. So I have to imagine that if folks with that level of sophistication are falling victim to this, imagine your small, you know, or medium-sized business, your mom-and-pop shop who's just looking to, you know, hire a fractional CISO, or, you know, just somebody to help remotely. They are sitting ducks when it comes to this, potentially. Yes?

Keith Mularski: Absolutely. I mean, you know, the other thing is, you know, the sheer number that North Korea of people that are thrown into this, but now, you know, there's always going to be copycats, you know, when you see the success of that. So now, you know, are the Chinese going to start doing this, you know, or the Russians or the Iranians? Because, you know, why spend a lot of time trying to get in with malware and trying to get through those defenses, you know, when you can kind of go right through HR? You know, and get somebody in and actually get a computer from the company and, you know? So, you know, when are the copycats, when are we going to start seeing that? You know, in my opinion, we're going to see it pretty quickly.

Selena Larson: Well, and this is actually interesting, because, you know, we in a previous podcast were talking about some of the overlap between APT and e-crime. This is one thing that I think will definitely stay in the realm of espionage. Like cybercriminal threat actors are not going to [laughing] go through this whole process of actually getting jobs. In fact, you know, a lot of them probably are not at the level of being able to apply for a technical job -- stealing someone's identity and applying for a tech job. But at that point, they should just not be doing crime.

Dave Bittner: Right, yeah, if you're that skilled, I mean, come on [laughter].

Selena Larson: Yep. [ Music ] There's more to come after the break. [ Music ]

Dave Bittner: Well, it's an interesting thing and obviously something to keep an eye on, but it's a fascinating kind of subset or subculture even of online crime that people just have to be vigilant against. Thank you both. This is an interesting conversation. And we will see you both back here next time. I'm going to go and try to recover what's left of my dips.

Selena Larson: Will you share your jalapeno dip next time, Dave?

Dave Bittner: No, I will not.

Selena Larson: [Laughter] And that's Only Malware in the Building, brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we are unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead of the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes. Mixing and sound design by Tre Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher.

Dave Bittner: I'm Dave Bittner.

Keith Mularski: I'm Keith Mularski.

Selena Larson: And I'm Selena Larson. Thanks for listening. [ Music ]