In an ongoing campaign suspected to be linked to North Korea’s Lazarus Group, malicious actors are using fake job interviews and coding tests to trick developers into downloading and executing malware. The campaign, dubbed VMConnect, has been observed since August 2023 and has now been linked to several targeted attacks on Python developers.
Fake Coding Tests For Python Developers
These malicious actors posed as recruiters from well-recognized financial services firms, including major U.S. companies such as Capital One in their attempts to lure developers into downloading malware. The attackers used fake job interviews and coding tests to trick victims into executing the malware, which is often hidden in compiled Python files or embedded in archives. The malware is then executed from the cached, compiled file, making it difficult to detect.
ReversingLabs researchers identified that the attackers used GitHub repositories and open-source containers to host their malicious code. The code was found to be often disguised as a coding skills test or a password manager application, with the README files accompanying the code containing instructions to trick victims into executing the malware. These files tended to use names such as “Python_Skill_Assessment.zip” or “Python_Skill_Test.zip.”
They discovered that the malware had been contained within altered pyperclip and pyrebase module files, which were also Base64 encoded to hide the downloader code. The code was identical to that observed in earlier iterations of the VMConnect campaign which made HTTP POST requests to a C2 server to execute Python commands.
Identified Victim
In one instance, the researchers were able to identify a compromised developer who had fallen victim to a malicious actor pretending to be a recruiter from Capital One. The developer had been contacted from a LinkedIn profile and provided with a link to a GitHub repository as a homework task, once asked to push changes, the fake recruiter instructed him to share screenshots proving that the task had been completed.
The security researchers were later able to obtain access to the log directory in the .git folder, which contained a HEAD file that revealed the full name and email of the developer who had cloned the repository and implemented the required feature.
The researchers then established contact with the developer, confirming that he had been infected with the malware in January 2024. The developer was unaware that he had been executed malicious code as part of the homework task.
While the identified incident dated back several months, the researchers believe that there is sufficient evidence and activity leads to believe the campaign is ongoing. On July 13th, they had come across a newly published GitHub repository matching the ones used in the earlier incident but under a different account name.
Digging further, the researchers observed that the dormant GitHub account sprung back to life on the same day they had established contact with the victim and believe the threat actor may have still retained access to the infected developer’s communications. The researchers also believe that the contacted developer may have possible links to the malicious campaign, rather than being a victim.
While the researchers had reported the suspicious GitHub account, leading to its termination, they choose to label it as an active campaign due to surfacing new malicious samples and projects observed from time to time.