North Korean hackers target jobseekers, slipping malware into fake coding tests


Pyongyang cyber warriors often pose as fake IT workers to infiltrate organizations. ReversingLabs researchers have recently discovered an ongoing campaign in which they instead pose as recruiters hunting for Python developers.

The researchers discovered new malicious software packages on GitHub, containing archives named Python_Skill_Assessment.zip, Python_Skill_Test.zip, and similar.

Malicious actors disguise themselves as recruiters from major financial firms, such as Capital One, to lure developers into downloading malware.


The malware itself is well hidden within the Python packages that make up the fake coding tests: the downloader code was obfuscated by encoding it as a Base64 string.

The malware runs from compiled and cached Python files, which are difficult to scan as they’re packed into a binary format and unreadable without specialized tools.

One developer who cloned the malicious repository, implemented the requested feature, and fell victim confirmed that the recruiter had pretended to be from Capital One.

“He revealed that he had been contacted from a LinkedIn profile and provided with a link to the GitHub repository as a ‘homework task.’ The developer was asked to ‘find the bug,’ resolve it, and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug – to make sure that the developer executed the project on his machine,” the report reads.

The malicious code makes a request to the command and control server and executes the received Python commands.

The new repositories in the current campaign include nearly identical README files instructing job candidates “to find and fix a bug in a password manager application.” Candidates are told to run the project on their system before making any changes, which ensures the malware executes.
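The pattern described above (a downloader obfuscated as a Base64 string, run from compiled and cached Python bytecode, i.e. .pyc files) can be checked for before a "homework" repository is ever executed. The following is an added example, not code from ReversingLabs or from the report; it scans an in-memory copy of a repository for committed bytecode and for long Base64 literals that decode to Python referencing execution or network names. The 64-character threshold, the name list and the sample files are constructed assumptions.

```python
import ast
import base64
import re

# A Base64 literal long enough to hold a code stub (the 64-char threshold is an assumption).
B64_LITERAL = re.compile(rb"""["']([A-Za-z0-9+/=]{64,})["']""")
# Identifiers that turn "odd string" into "probable downloader": code execution and network.
SUSPICIOUS = {"exec", "eval", "compile", "__import__", "urllib", "requests", "socket", "subprocess"}


def referenced_names(src):
    """Identifiers and top-level imports used by parseable Python source; empty set otherwise."""
    try:
        tree = ast.parse(src)
    except (SyntaxError, ValueError):
        return set()
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            names.add(node.id)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            names.update(a.name.split(".")[0] for a in node.names)
            names.add((getattr(node, "module", None) or "").split(".")[0])
    return names - {""}


def decode_literal(blob):
    """Decoded text of a Base64 literal, or None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_repo(files):
    """files maps repo-relative path -> raw bytes; returns (path, reason) findings."""
    findings = []
    for path, data in files.items():
        if path.endswith(".pyc") or "__pycache__/" in path:
            # Bytecode caches are build output; committing them hides logic from code review.
            findings.append((path, "compiled bytecode committed to repository"))
        elif path.endswith(".py"):
            for m in B64_LITERAL.finditer(data):
                hits = referenced_names(decode_literal(m.group(1)) or "") & SUSPICIOUS
                if hits:
                    findings.append((path, "Base64 literal decodes to Python using " + ", ".join(sorted(hits))))
    return findings


# Constructed sample repo (not real campaign artifacts): a clean module, a committed bytecode
# cache, and a module hiding an encoded stub. The stub is a harmless stand-in, not a downloader.
STUB = "import urllib.request\nexec(compile('pass', '<stub>', 'exec'))\n"
SAMPLE_REPO = {
    "password_manager/vault.py": b"def store(key, secret):\n    return {key: secret}\n",
    "password_manager/__pycache__/vault.cpython-311.pyc": b"\x00" * 16,
    "password_manager/__init__.py": b'_cfg = "' + base64.b64encode(STUB.encode()) + b'"\n',
}
```

Run `scan_repo(SAMPLE_REPO)` on a cloned test repository's files to list the bytecode and encoded-stub findings before executing anything.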

This campaign is similar to the previous VMConnect campaign, discovered in August 2023 and linked to North Korea’s Lazarus Group. Back then, hackers planted imitations of popular open-source Python tools on GitHub, containing similar functionality.

“Lazarus is an advanced and very active threat actor focused on financial gain and cryptocurrency theft to benefit the government of North Korea. Threat reports from other research groups show that Lazarus and other North Korean threat actors are using a wide spectrum of offensive means to achieve their goals, including targeting developers and development organizations to infiltrate sensitive networks,” the ReversingLabs report reads.


Researchers also found evidence that the same threat actors are targeting npm and JavaScript developers.

Last week, the FBI warned that North Korea aggressively targets employees from the crypto industry. Well-disguised social engineering attacks often include offers of new employment or corporate investment. Threat actors also try to steal crypto assets.