Developers Alert: Lazarus Group Spreads Malware Through Deceptive Coding Assessments
A group of cybersecurity researchers has identified a new set of malicious Python packages that target software developers by posing as coding assessments.
“The recent instances were traced back to GitHub projects associated with past, targeted breaches where developers are enticed by counterfeit job interviews,” Karlo Zanki, a researcher at ReversingLabs, explained.
This campaign, known as VMConnect and first discovered in August 2023, is believed to be the work of the Lazarus Group, a North Korea-backed entity.
Using job interviews as a lure for spreading malware has become a common tactic of North Korean threat actors, who either reach out to unsuspecting developers on platforms like LinkedIn or deceive them into downloading fraudulent packages as part of a purported skills test.
These packages have been published openly on platforms such as npm and PyPI, or hosted in GitHub repositories under the attackers' control.
ReversingLabs found the malicious code in altered versions of legitimate PyPI libraries such as pyperclip and pyrebase.
“The malicious script is embedded in both the __init__.py file and the corresponding compiled Python file (PYC) within the __pycache__ directory of the respective modules,” Zanki reported.
It is hidden in a Base64-encoded string that decodes to a retrieval function, which contacts a command-and-control (C2) server and executes the commands it receives.
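To show what a reviewer could check before running such a package, here is an added example (not ReversingLabs' tooling and not the malware itself) that scans a package directory for the two traits described above: a long Base64 literal beside a decode-and-execute call in __init__.py, and .pyc files shipped under __pycache__. The heuristics, file names and the inert sample payload are constructed assumptions, not indicators taken from the campaign.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Assumed heuristics (not ReversingLabs' own detection logic): a long Base64 literal
# next to a decode/execute call, and .pyc files a clean source package would not ship.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
DECODE_EXEC = re.compile(r"\b(b64decode|exec|eval)\s*\(")
PAYLOAD_HINTS = ("urlopen", "requests", "socket", "subprocess", "exec(")

def scan_source(text):
    """Return one finding per Base64 literal that decodes next to a decode/exec call."""
    findings = []
    calls = sorted(set(DECODE_EXEC.findall(text)))
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid Base64, e.g. a long hex digest
        hints = [h for h in PAYLOAD_HINTS if h in decoded]
        if hints or calls:
            findings.append({"literal_len": len(m.group(1)), "hints": hints, "calls": calls})
    return findings

def scan_package(root):
    """Scan every __init__.py below root and list .pyc files shipped in __pycache__."""
    root = Path(root)
    report = {"suspicious_init": [], "shipped_pyc": []}
    for p in sorted(root.rglob("*")):
        rel = str(p.relative_to(root))
        if p.name == "__init__.py" and scan_source(p.read_text(errors="replace")):
            report["suspicious_init"].append(rel)
        elif p.suffix == ".pyc" and p.parent.name == "__pycache__":
            report["shipped_pyc"].append(rel)
    return report

def build_sample_package():
    """Write a constructed look-alike of the described layout; the payload is inert text."""
    stub = b"import socket  # constructed stand-in; the scanner only decodes it, never runs it\n"
    init = f"import base64\nexec(base64.b64decode('{base64.b64encode(stub).decode()}'))\n"
    root = Path(tempfile.mkdtemp()) / "pyperclip"  # constructed package name
    (root / "__pycache__").mkdir(parents=True)
    (root / "__init__.py").write_text(init)
    (root / "__pycache__" / "__init__.cpython-311.pyc").write_bytes(b"\x00" * 16)
    return root
```

Running `print(scan_package(build_sample_package()))` reports the sample `__init__.py` as suspicious and lists the shipped `.pyc`; pointing `scan_package` at a real extracted ZIP applies the same checks before anything is executed.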
In one instance of the coding project identified by the software supply chain company, the attackers tried to create a sense of urgency by requiring job applicants to set up a Python project, shared as a ZIP file, within five minutes and then find and fix a coding error within the following 15 minutes.
This tactic makes it “more probable that the individual would run the package without undertaking any security or source code checks first,” Zanki noted, adding that it gives the attackers confidence that the embedded malware will execute on the developer’s system.
Some of these fake tests posed as technical interviews for financial firms like Capital One and Rookery Capital Limited, showing how the threat actors impersonate genuine companies in the industry to carry out their scheme.
The scale of these campaigns is currently unknown, though potential targets are identified and contacted via LinkedIn, as recently highlighted by Google-owned Mandiant.
“Following an initial conversation, the attacker shared a ZIP file containing COVERTCATCH malware disguised as a Python coding task, which infected the user’s macOS device by downloading another malware as a part of a two-stage process that continued via Launch Agents and Launch Daemons,” according to the company’s statement.

This development coincides with a report from cybersecurity company Genians that the North Korean threat actor known as Konni is intensifying its attacks against Russia and South Korea with spear-phishing that leads to the deployment of AsyncRAT, showing overlaps with a campaign tracked as CLOUD#REVERSER (also known as puNK-002).
Some of these attacks also distribute a new malware dubbed CURKON, a Windows shortcut (LNK) file that acts as a downloader for an AutoIt version of Lilith RAT. S2W links this activity to a sub-group tracked as puNK-003.