North Korean hackers are sending out fake job adverts to try and steal victims' data

News
By
published

Fake job ads are back in fashion

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Software developers are once again being targeted by fake job ads. The goal of the newly observed campaign is the same as the ones seen before - to drop remote access trojans (RAT) on compromised endpoints, steal passwords, and other sensitive data.

A report from researchers Securonix describes a recently observed campaign in which Python developers are invited to participate in a job interview process. This process includes, among other things, trial tasks, in which the developers are told to download and run code from GitHub. 

However, the code carries an obfuscated JavaScript file which, when executed, triggers an infection chain that concludes with the installation of the RAT.

Is Lazarus back?

This RAT grants the attackers a number of things, including persistent connections, file system commands, remote command execution capabilities, direct FTP data exfiltration, and clipboard and keystroke logging. 

Securonix dubbed the campaign “Dev Popper”.

While the researchers did not attribute the campaign to any specific threat actor (citing lack of conclusive evidence), Dev Popper does have Lazarus Group’s fingerprints all over it. 

Lazarus is a North Korean state-sponsored threat actor that’s been observed creating fake jobs in the past. In previous examples, the group would create convincing LinkedIn profiles and would reach out to software developers with a background in blockchain development, with great job opportunities.

The goal of the attacks was to steal the developers’ cryptocurrencies, one of Lazarus’ hallmarks. However, this is the first time the victims were invited to download and run GitHub code. In earlier examples, the attackers tried to infect devices with malware hiding in .docx files, .pdfs, and other file formats.

Late last year, researchers spotted a massive fake job campaign, believed to have affected more than 100,000 people in at least 50 countries. The victims were infected with ransomware, and were extorted for more than $100 million.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.