Pseudo-employment tests: North Korean hackers target developers
North Korean hackers are currently trying to hijack developers’ computers. To do this, they set up fake hiring tests, during which the victim is tricked into installing malware that gives the attackers control over the system.
Malware under time pressure
As security researcher Karlo Zanki of ReversingLabs reported, the newly discovered attacks are part of a larger operation targeting developers that has been running in various variants since August 2023. There are indications that the North Korean Lazarus group is behind it. In the latest operation, Python programmers are the main target.
The attackers contact the targets on platforms such as LinkedIn and convince them to download manipulated packages from public repositories such as npm, PyPI or their own GitHub accounts. Zanki explains that ReversingLabs has discovered malicious code in modified versions of legitimate Python libraries such as “pyperclip” and “pyrebase”. The malicious code uses a Base64-encoded string to disguise a downloader that contacts a command-and-control (C2) server to execute malicious commands.
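A static check for the pattern described above, as an added example that is not ReversingLabs' tooling or code from the campaign: it parses Python source without running it and flags long Base64 literals that decode to code-like text, plus `exec`/`eval` calls fed by `b64decode`. The marker list, the 40-character threshold and the sample input are assumptions constructed for illustration.

```python
import ast
import base64
import binascii
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assumed heuristic markers: decoded text that looks like code or a URL.
MARKERS = ("import ", "exec(", "eval(", "http://", "https://", "subprocess", "socket")

def decode_if_base64(text):
    """Return the decoded text if `text` is a long Base64 literal hiding readable text."""
    s = "".join(text.split())
    if len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        decoded = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # not Base64, or decodes to binary data
        return None
    return decoded if all(c.isprintable() or c in "\r\n\t" for c in decoded) else None

def scan_source(source, filename="<memory>"):
    """Return sorted (line, reason, preview) findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            value = node.value if isinstance(node.value, str) else node.value.decode("ascii", "ignore")
            decoded = decode_if_base64(value)
            if decoded and any(m in decoded for m in MARKERS):
                findings.append((node.lineno, "Base64 literal decodes to code-like text", decoded[:60]))
        elif isinstance(node, ast.Call) and getattr(node.func, "id", "") in ("exec", "eval"):
            names = {getattr(n, "attr", getattr(n, "id", "")) for n in ast.walk(node)}
            if "b64decode" in names:
                findings.append((node.lineno, "exec/eval of Base64-decoded data", ""))
    return sorted(findings)

# Constructed sample: harmless text encoded at runtime stands in for a hidden stage.
_BLOB = base64.b64encode(b"import urllib.request  # placeholder, host c2.example.invalid").decode()
SAMPLE = (
    "import base64\n"
    "def copy(text):\n"
    "    return text\n"
    f"_cfg = '{_BLOB}'\n"
    "exec(base64.b64decode(_cfg))\n"
)

if __name__ == "__main__":
    for line, reason, preview in scan_source(SAMPLE, "sample_clipboard_lib.py"):
        print(f"line {line}: {reason} {preview!r}")
```

Because the scan only parses the files, it can be run over an unpacked archive before anything in it is executed; a clean result does not prove the code is safe, since other encodings and split strings are not covered.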
Particularly perfidious are the fake coding tests that the attackers disguise as part of an application process. For example, supposed applicants are asked to run a Python project provided in a ZIP file within five minutes and then fix an error within 15 minutes. This time pressure increases the likelihood that the developers will run the package without first performing a security or code check.
Some of these tests pretend to be technical interviews for well-known financial institutions such as “Capital One” and “Rookery Capital Limited” to make the deception more believable. It is currently unclear how widespread this campaign is, but targeted attacks via platforms such as LinkedIn have already been confirmed by several security firms.
Many targeted attacks
The hackers’ approach remains sophisticated. After an initial conversation on LinkedIn, the attackers send a ZIP archive containing the disguised malware. The download activates a second malware stage that persists on the system via “launch agents” and “launch daemons”. These new discoveries are part of a larger wave of North Korean cyber attacks that are also targeting other countries.
The security company Genians has detected an intensification of spear phishing attacks by the “Konni” group against Russia and South Korea. Among other things, new malware such as “CURKON” is being distributed, which serves as a downloader for other malware.