Beware: How a Phony Password Manager Test Targeted Python Developers

Sneha Gogoi


North Korean Hackers Target Python Developers with Malicious Job Offers

[Image: Fake password manager coding test used to hack Python developers]


In a concerning trend, members of the North Korean hacking collective known as Lazarus are masquerading as recruiters to ensnare Python developers. They are using deceptive coding tests related to password management software that harbor malware.

This series of attacks is part of the ‘VMConnect campaign,’ which was initially identified in August 2023. The campaign specifically targets software engineers by distributing harmful Python packages through the PyPI repository.

According to a detailed analysis from ReversingLabs, which has been monitoring this operation for over a year, Lazarus hackers host these malicious projects on GitHub. Victims encounter README files containing instructions designed to lend an air of professionalism and urgency to the task at hand.

Deceptive Recruitment Tactics

The hackers have been found impersonating well-known U.S. financial institutions like Capital One in order to lure potential job candidates with attractive employment offers. Evidence gathered from victims indicates that Lazarus frequently reaches out via LinkedIn—a tactic well-documented in their operations.

The Bug Hunt Challenge

Candidates are instructed to identify and rectify bugs within a fake password manager application, subsequently submitting their fixes along with screenshots as proof of completion.

[Image: The project files]
Source: ReversingLabs

The README file directs victims first to run the compromised application (‘PasswordManager.py’) on their machines before they begin searching for errors and implementing corrections.

[Image: README file with project instructions]
Source: ReversingLabs

Executing this file activates an obfuscated module concealed within the ‘__init__.py’ files of bundled libraries such as ‘pyperclip’ and ‘pyrebase’. This hidden code acts as a malware downloader: it establishes communication with a command-and-control (C2) server, waits for further instructions, and is capable of retrieving and executing additional malicious payloads.

[Image: The base64 obfuscated string]
Source: ReversingLabs
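As an added example (not code from the article or from the ReversingLabs analysis), the following Python triage script checks a downloaded project for the pattern described above: long base64 strings inside ‘__init__.py’ files sitting next to exec()/eval()/compile() calls. It decodes the blobs for inspection only and never runs them; the heuristics, the directory layout and the sample files are constructed assumptions, not artefacts from the real campaign.

```python
import base64
import re
import tempfile
from pathlib import Path

# Heuristics for the pattern described above: a long base64 string inside a
# vendored package's __init__.py, decoded and handed to exec()/eval()/compile().
BASE64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{120,}={0,2})['\"]")
DYNAMIC_EXEC = re.compile(r"\b(exec|eval|compile)\s*\(")

def scan_file(path: Path) -> dict:
    """Return triage indicators for one file; nothing here executes the file."""
    text = path.read_text(errors="replace")
    blobs = BASE64_BLOB.findall(text)
    previews = []
    for blob in blobs:  # show the analyst what the blob decodes to, never run it
        try:
            previews.append(base64.b64decode(blob, validate=True)[:60].decode("utf-8", "replace"))
        except ValueError:
            previews.append("<not valid base64>")
    dynamic = bool(DYNAMIC_EXEC.search(text))
    return {"path": str(path), "blob_count": len(blobs), "dynamic_exec": dynamic,
            "previews": previews, "suspicious": bool(blobs) and dynamic}

def scan_project(root: Path) -> list[dict]:
    """Scan every __init__.py under root, the files this campaign hid its loader in."""
    return [scan_file(p) for p in sorted(root.rglob("__init__.py"))]

def build_sample_project(root: Path) -> None:
    """Write a constructed, harmless stand-in for the trojanised project layout."""
    (root / "utils").mkdir()
    (root / "utils" / "__init__.py").write_text("def clip(s):\n    return s[:20]\n")
    (root / "pyperclip").mkdir()
    # The blob is a benign comment, encoded only so the scanner has something to find.
    payload = b"# constructed benign stand-in for the downloader stage\n" * 3
    blob = base64.b64encode(payload).decode()
    (root / "pyperclip" / "__init__.py").write_text(
        "import base64\nexec(base64.b64decode('" + blob + "'))\n")

def demo_scan() -> list[dict]:
    """Build the constructed sample in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(Path(tmp))
        return scan_project(Path(tmp))

if __name__ == "__main__":
    for result in demo_scan():
        print(result)
```

Run it against the real unpacked project with `scan_project(Path("path/to/project"))` before executing anything; a flagged file is a reason to stop and read it, not proof of compromise on its own.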

To discourage candidates from scrutinizing the project files for any signs of malicious or obscured code, the README imposes tight deadlines: five minutes for building the project, 15 minutes for implementing fixes, and another 10 minutes for submission. Ostensibly the time pressure is there to showcase the developer’s skills, but it also serves to keep candidates from running any security checks that might expose the harmful code.

[Image: Introducing pressing time factors]
Source: ReversingLabs

ReversingLabs has confirmed that this campaign remained active as recently as July 31st and likely continues today.

Staying Vigilant Against Deception

Software developers receiving unsolicited job invitations via LinkedIn or other platforms should exercise caution regarding potential scams; profiles reaching out may not be genuine representations of companies or recruiters they claim to represent.

Before engaging in any assignments or tasks presented by these contacts, it’s crucial to verify their identity independently—confirm whether recruitment efforts are indeed taking place at those organizations through official channels.

Additionally, take necessary precautions when handling provided code; always scan it thoroughly or review it meticulously before execution—preferably within secure environments such as virtual machines or sandbox applications designed specifically for testing untrusted software.
