A fresh wave of attacks tied to North Korea’s infamous Lazarus Group is targeting software developers through fraudulent job recruitment schemes. These attacks are part of the VMConnect campaign, first uncovered in August last year.
Malicious actors pretend to be recruiters from top financial services firms, distributing malicious Python packages disguised as coding tests. These packages, which mimic legitimate developer tools, are designed to infiltrate and compromise developer systems.
ReversingLabs researchers say the attackers were found using deceptive methods, including fake LinkedIn profiles, to trick developers into downloading and executing malicious code disguised as part of job interview materials.
A Hallmark of Lazarus’ Operations
The VMConnect campaign was linked to the Lazarus Group based on research by the Japan Computer Emergency Response Team (CERT). The campaign involved the distribution of malicious PyPI packages disguised as legitimate open-source Python tools.
These packages were designed to execute hidden downloader code – something Lazarus’ operations are known for. The malicious activity mirrored techniques documented in earlier reports, including the use of Windows Help files embedded within archives and fraudulent LinkedIn accounts posing as job recruiters.
Targeting Developers Through Fake Job Interviews
One way the malware is delivered in the campaign is via LinkedIn profiles that pretend to be recruiters from leading financial firms. In these cases, developers were invited to participate in coding tests as part of a “job application” process.
ReversingLabs saw similar tactics being used to trick Python developers into downloading malicious packages. This method, which blatantly manipulates job candidates, is a perfect illustration of how bad actors exploit trust within professional networks to infiltrate sensitive systems.
Analyzing the Threat
Through continuous monitoring of previously identified threats, ReversingLabs’ Spectra Intelligence platform flagged several malicious samples in June 2024. Upon closer scrutiny, the team discovered that the malicious packages contained Base64-encoded downloader code. This was hidden within popular Python modules, like Pyperclip and Pyrebase, and it communicated with command-and-control servers to execute attacks on compromised systems.
The malicious files were found in coding tests linked to job interviews, including archives named “Python_Skill_Test.zip.” These files contained instructions encouraging developers to fix bugs in a password manager application. This lure was cunningly designed to ensure the malware was executed even if the candidate did not complete the assignment.
Leveraging Trusted Names
The actors behind this campaign impersonated well-known financial institutions, including Capital One, in their efforts to lure developers. One of the discovered archives, “RookeryCapital_PythonTest.zip,” also invoked the name of a financial firm, though there was no direct link to the company’s legitimate systems.
These tactics suggest that attackers were leveraging trusted names to lower the guard of their targets.
An Active Campaign
Despite these attacks dating back more than six months, ReversingLabs found evidence that the campaign is still active. On 31 July 2024, a newly created GitHub repository containing the same malicious code as the earlier samples was found.
The timing of this repository’s creation, coinciding with ReversingLabs’ communication with one of the targeted developers, suggests that the malicious actors could still have access to compromised systems.
The Threat is “Far From Over”
The VMConnect campaign, with its ties to the Lazarus Group, highlights the growing threat of cyberattacks targeting developers. These instances, masquerading as recruitment efforts and coding tests, aim to install malicious downloaders on developer systems, potentially leading to more serious breaches.
As nation-state actors like Lazarus continue to hone their tactics, entities must be vigilant and educate developers on the risks of downloading and executing code from unverified sources.
With the campaign still active, ReversingLabs warns that the threat is far from over. The sophistication of Lazarus Group’s tactics, coupled with their focus on financial gain, highlights the need for increased awareness and cybersecurity measures across the development community.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.