Watch out: Threat actors security researchers say are likely linked to the North Korean government are continuing to try and lure developers into downloading malware during hoax job interviews.
That’s according to a recent report by supply-chain security firm ReversingLabs, which discovered new occurrences of a campaign dubbed “VMConnect” that it first identified in August 2023. According to ReversingLabs, the hackers behind the effort are luring developers with fake job offers and instructing them to download PyPI packages with obfuscated malware from GitHub repositories as part of coding tests.
ReversingLabs researchers detected malware signatures in compiled Python files, which they were able to link to “several top-level open-source containers” that contained archives with names like “Python_Skill_Assessment.zip.” They also discovered Readme files explaining to developers the files were part of important coding assessments.
“They aren’t doing mass phishing,” Karlo Zanki, reverse engineer at ReversingLabs, told IT Brew. “They are doing targeted attacks. They are approaching targeted people.”
“In this case, what’s interesting is that the whole campaign is using the same malware for more than a year, and people are still falling and getting infected, meaning likely their security solutions aren’t detecting that malware type,” he added, -likely because malware in compiled binaries is much less likely to be discovered.
Numerous similarities led ReversingLabs to attribute the attack to Lazarus Group, a suspected North Korean threat actor which it had blamed for previous instances of the campaign. Furthermore, the company was able to track down one of the developers targeted by the effort. That individual said he had been contacted via LinkedIn by someone claiming to be a recruiter with Capital One in January 2024 and assigned a “homework task” involving downloading one of the archives and fixing a “bug” in code.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug—to make sure that developer executed the project on his machine,” the report continued.
“That’s the whole point, infecting them with malware,” Zanki said. “The malware itself is capable of downloading further stages, from more servers, which we didn’t analyze since they were described in many other research blogs.”
The report on VMConnect follows other recent reports from security firms, including Securonix and Palo Alto Networks, on similar efforts from hackers believed to be affiliated with the North Korean government. The FBI has also warned tech firms to carefully vet applications for remote IT work after discovering efforts by suspected North Korean front groups to land members jobs at US companies.
The report warned Lazarus Group appears to be not only targeting Python developers, but those specializing in npm and JavaScript. There are signs the campaign is ongoing, according to ReversingLabs, as the firm discovered nearly identical repositories as recently as July 31.
Zanki warned the threat actors are likely attempting to gain access to code bases, especially those relating to cryptocurrencies, and possibly to compromise developer accounts for pivots to software supply-chain attacks. He warned programmers to be on the lookout for hoaxsters when searching for, or being offered, work.
“If someone urges you to do something, that’s probably a red flag,” Zanki said. “And if someone wants you to install and run some software, you should also be on the lookout for that—it’s not likely something [a real interviewer] would like for you to do.”
“OK, compile something, build something, send them compiled executables—but actually execute some piece of software?” he added. “It’s less likely for them to ask in a legitimate case.”