Cybersecurity researchers have uncovered a new wave of malicious activities targeting software developers through fake coding assessments. The threat actor behind this campaign is believed to be the North Korea-backed Lazarus Group, leveraging sophisticated techniques to infiltrate developers’ systems and spread malware.
The VMConnect Campaign
The malicious operation, dubbed VMConnect, first came to light in August 2023. Researchers from ReversingLabs have linked new malicious Python packages to GitHub projects associated with previous targeted attacks. Karlo Zanki, a researcher at ReversingLabs, stated:
“The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews.”
Modus Operandi
The Lazarus Group employs social engineering tactics by posing as recruiters or representatives from reputable companies. They approach developers on professional networking sites like LinkedIn, enticing them with lucrative job offers. As part of the supposed recruitment process, developers are sent coding assessments or technical tests that contain malicious code.
These malicious packages are often:
- Modified Versions of Legitimate Libraries: ReversingLabs identified that legitimate PyPI libraries such as pyperclip and pyrebase were altered to include malicious code.
- Embedded Malware: The malicious code is hidden within the
__init__.pyfile and its compiled counterpart in the__pycache__directory. - Obfuscated Downloaders: The malware uses Base64-encoded strings to obscure downloader functions that connect to command-and-control (C2) servers, executing commands received in response.
Creating a Sense of Urgency
To lower the developers’ guard, the threat actors create a false sense of urgency. In one observed case, job seekers were instructed to:
- Build a Python Project: Complete the task within five minutes.
- Fix a Coding Flaw: Identify and correct an issue within the next 15 minutes.
Karlo Zanki noted:
“This makes it more likely that he or she would execute the package without performing any type of security or even source code review first. That ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer’s system.”
Impersonating Reputable Companies
Some of the fake coding tests purported to be technical interviews for well-known financial institutions like Capital One and Rookery Capital Limited. By impersonating legitimate companies, the attackers increase the likelihood of convincing developers to run the malicious code.
Wider Implications and Similar Campaigns
While the full extent of the campaign’s reach remains unclear, it underscores a broader strategy employed by North Korean threat actors. Google-owned Mandiant recently highlighted similar tactics, where attackers:
- Initiate conversations with targets on LinkedIn.
- Send ZIP files containing malware disguised as coding challenges.
- Compromise systems by downloading second-stage malware that establishes persistence.
Furthermore, cybersecurity firm Genians reported increased activities from the North Korean group codenamed Konni. Their operations involve:
- Spear-Phishing Lures: Targeting organizations in Russia and South Korea.
- Deployment of AsyncRAT: A remote access trojan used for espionage.
- Overlaps with CLOUD#REVERSER: Also known as puNK-002, indicating coordinated efforts.
- New Malware Introduction: Such as CURKON, an LNK file serving as a downloader for the Lilith RAT.
Protection Measures for Developers
Developers are advised to exercise caution when:
- Receiving Unsolicited Job Offers: Verify the identity of recruiters and the legitimacy of the company.
- Downloading Coding Tests: Avoid running code or executables from unverified sources without thorough analysis.
- Inspecting Code: Review the source code of any provided libraries or packages before execution.
- Monitoring Communications: Be wary of requests that create urgency or pressure to act quickly.
Conclusion
The Lazarus Group’s use of fake coding assessments highlights the evolving tactics of nation-state actors targeting the software supply chain. By exploiting the trust and professional aspirations of developers, they aim to infiltrate systems and propagate malware. Increased vigilance and adherence to security best practices are essential to mitigate such threats.
About Lazarus Group
The Lazarus Group is a cybercrime group linked to the North Korean government. Known for high-profile attacks, including the 2014 Sony Pictures hack and various cryptocurrency thefts, they specialize in espionage, financial theft, and disruptive operations.
