Lazarus APT group poses as recruiters to infect Python devs

September 20, 2024

The North Korean advanced persistent threat group (APT) Lazarus is posing as recruiters organising a coding test project for password management products to bait Python developers. Based on reports, the fake test used in the job employment scheme contains a malware strain.

Researchers stated that these attacks are part of the ‘VMConnect campaign’, initially uncovered in August last year. The APT group has targeted software developers with malicious Python packages published to the PyPI repository.

Lazarus APT uploaded the fake test to GitHub, where Python developers can access it.

The Lazarus APT hackers uploaded the malicious code projects to GitHub, where victims can access README files containing instructions for completing the test.

Other researchers believe these North Koreans imitate prominent US institutions to lure prospective candidates by presenting a tempting employment package. Further information obtained from one of the victims reveals that Lazarus actively seeks out its targets via LinkedIn.

The hackers instruct their candidates to find a defect in a password management application, submit a fix, and provide a screenshot as proof of their efforts.

The README file for the project prompts targeted developers to run the malicious password manager application on their devices before checking for and correcting faults. Running the application then executes a base64-obfuscated module hidden in the ‘__init__.py’ files of the bundled ‘pyperclip’ and ‘pyrebase’ libraries.

The obfuscated string decodes to a malware downloader that connects to a command-and-control (C2) server and waits for commands; on instruction from the C2 server it can fetch and run additional payloads.
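The indicators described above (a long base64 literal inside a library's `__init__.py`, decoded and handed to `exec`) are simple to check for before running an unknown project. The following scanner is an added example written for this article, not code from the researchers or from the malicious repository; the project layout, the `build_demo_project` helper and the sample payload are constructed for the demonstration, and the thresholds (40-character base64 literal, `exec`/`eval` combined with `b64decode`/`decompress`) are assumptions, not a published signature.

```python
import ast
import base64
import os
import re
import tempfile

# A string literal of 40+ base64-alphabet characters with optional padding
# is long enough to hold a decoded loader and short enough to flag small stubs.
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def _literal_strings(tree):
    """Yield every string constant in the parsed module."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value


def _called_names(tree):
    """Collect the bare function names and attribute names that are called."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name):
                names.add(func.id)
            elif isinstance(func, ast.Attribute):
                names.add(func.attr)
    return names


def scan_source(source, path="<memory>"):
    """Return (path, reason) findings for one Python source file."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Unparseable __init__.py in a 'vendored' library is itself worth a look.
        return [(path, "unparseable source (possible obfuscation)")]
    calls = _called_names(tree)
    blobs = [s for s in _literal_strings(tree) if B64_LITERAL.match(s.replace("\n", ""))]
    if blobs and calls & {"exec", "eval"} and calls & {"b64decode", "decompress"}:
        return [(path, f"{len(blobs)} base64-like literal(s) fed to exec/eval")]
    if blobs:
        return [(path, f"{len(blobs)} long base64-like literal(s)")]
    return []


def scan_tree(root):
    """Scan every __init__.py under root, the location used in the campaign."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "__init__.py" in files:
            path = os.path.join(dirpath, "__init__.py")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_source(fh.read(), path))
    return findings


def build_demo_project():
    """Constructed sample: a throwaway tree with one clean and one suspicious __init__.py."""
    root = tempfile.mkdtemp(prefix="codetest-demo-")
    os.makedirs(os.path.join(root, "app"))
    os.makedirs(os.path.join(root, "pyperclip"))  # mimics the bundled library name only
    with open(os.path.join(root, "app", "__init__.py"), "w") as fh:
        fh.write("VERSION = '1.0'\n")
    # Harmless placeholder payload standing in for the downloader described in the article.
    blob = base64.b64encode(b"print('constructed sample payload, not malicious')").decode()
    with open(os.path.join(root, "pyperclip", "__init__.py"), "w") as fh:
        fh.write("import base64\n")
        fh.write(f"exec(base64.b64decode('{blob}'))\n")
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_demo_project()):
        print(f"{path}: {reason}")
```

Run it against a cloned test project instead of the demo tree by calling `scan_tree("/path/to/project")`; the check is static, so nothing in the project is imported or executed while scanning.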

The hackers also imposed a five-minute time limit for building and running the project, adding a sense of urgency and ensuring that candidates would not inspect the files for malicious or obfuscated code.

This tactic also forces the victims to accomplish the test quickly and show their expertise. Still, its ultimate purpose is to deceive the victim into skipping any security check that could reveal the malware.

This malware campaign last appeared in July, but researchers suspect it is ongoing. Python developers who receive job invitations from individuals on LinkedIn or from suspicious domains should be careful about accepting them. Lastly, software engineers who receive such emails should evaluate the sender’s profile and ensure it is not fake or AI-generated.
