Cybersecurity researchers have discovered a new set of malicious Python packages targeting software developers under the guise of coding assessments.
“The new samples were tracked in GitHub projects that were linked to previous targeted attacks in which developers are lured with fake interviews,” ReversingLabs researcher Karlo Zanki said.
The activity has been assessed to be part of an ongoing campaign called VMConnect that was first documented in August 2023. There is evidence that it is the work of the Lazarus Group, which is backed by North Korea.
The use of job interviews as an infection vector is a tactic North Korean threat actors have adopted widely: they reach out to unsuspecting developers on sites like LinkedIn and urge them to download fake packages as part of a supposed skills test.
These packages, in turn, have been published directly to public repositories such as npm and PyPI, or hosted on GitHub repositories under their control.
ReversingLabs said it discovered malicious code embedded in modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.
“The malicious code is present in both the __init__.py file and the corresponding Python compiled (PYC) file in the __pycache__ directory of the relevant modules,” Zanki said.
It is implemented as a Base64-encoded string that conceals a downloader function, which contacts a command-and-control (C2) server and executes the commands received in response.
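The hiding technique described above, a Base64 string fed to exec in both the source file and its cached bytecode, is simple to triage statically if both artifacts are inspected rather than imported. The following scanner is an added example written for this page, not ReversingLabs' tooling or the campaign's code. It parses .py files with the ast module, unmarshals .pyc files into code objects without running them, and flags exec/eval of Base64-decoded data, long Base64 constants that decode to source text, and .pyc headers that do not match their source. The two-module demo package it builds (a clean module and a "tainted" one whose decoded payload is a harmless print statement) is constructed here for illustration; the file and function names are assumptions.

```python
"""Static triage of a Python package tree for Base64-wrapped loader stubs.

Added example (not ReversingLabs' or the campaign's code). Nothing under the
scanned tree is imported or executed: .py files are only parsed and .pyc files
are only unmarshalled into code objects whose names and constants are inspected.
"""
import ast
import base64
import binascii
import importlib.util
import marshal
import os
import py_compile
import re
import tempfile
import types

# A Base64 blob long enough to hold code rather than a short token.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")


def looks_like_b64_code(value):
    """True if value is a long Base64 string whose decoding is printable text (hidden source)."""
    if not isinstance(value, str) or not B64_RE.match(value):
        return False
    try:
        blob = base64.b64decode(re.sub(r"\s", "", value), validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(blob) and all(32 <= b < 127 or b in (9, 10, 13) for b in blob)


def _call_name(node):
    """Name of the callee for exec(...) or module.b64decode(...)."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def scan_source(path):
    """Flag exec/eval calls whose argument is Base64-decoded or a Base64 literal."""
    findings = []
    with open(path, "rb") as fh:
        try:
            tree = ast.parse(fh.read(), filename=path)
        except SyntaxError as exc:
            return [(path, exc.lineno or 0, "unparseable source; inspect manually")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in ("exec", "eval"):
            inner = {_call_name(n) for n in ast.walk(node) if isinstance(n, ast.Call)}
            consts = [n.value for n in ast.walk(node) if isinstance(n, ast.Constant)]
            if "b64decode" in inner or any(looks_like_b64_code(c) for c in consts):
                findings.append((path, node.lineno, "exec/eval of Base64-decoded data"))
    return findings


def _walk_code(code):
    """Yield a code object and every nested function/class body it contains."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _walk_code(const)


def scan_pyc(path):
    """Check a __pycache__ .pyc against its source and inspect its constants, without executing it."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        return [(path, 0, "pyc magic does not match this interpreter; inspect manually")]
    findings = []
    # Header layout (PEP 552): magic(4) flags(4) then mtime(4)+size(4) for timestamp pycs.
    flags = int.from_bytes(data[4:8], "little")
    try:
        source = importlib.util.source_from_cache(path)
    except ValueError:
        source = None
    if source is None or not os.path.exists(source):
        findings.append((path, 0, "orphan pyc with no matching source file"))
    elif flags == 0:
        st = os.stat(source)
        mtime = int.from_bytes(data[8:12], "little")
        size = int.from_bytes(data[12:16], "little")
        if mtime != int(st.st_mtime) & 0xFFFFFFFF or size != st.st_size & 0xFFFFFFFF:
            findings.append((path, 0, "pyc header does not match source mtime/size"))
    for co in _walk_code(marshal.loads(data[16:])):  # builds code objects only, runs nothing
        names = set(co.co_names)
        if "b64decode" in names and names & {"exec", "eval"}:
            findings.append((path, co.co_firstlineno, "b64decode feeding exec/eval in %s" % co.co_name))
        if any(looks_like_b64_code(c) for c in co.co_consts):
            findings.append((path, co.co_firstlineno, "Base64 constant decodes to source text"))
    return findings


def scan_package(root):
    """Walk a package tree; return (relative path, line, reason) for every finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".py"):
                findings += scan_source(full)
            elif name.endswith(".pyc") and os.path.basename(dirpath) == "__pycache__":
                findings += scan_pyc(full)
    return [(os.path.relpath(p, root), line, why) for p, line, why in findings]


def build_demo_package():
    """Constructed fixture: one clean module and one with a Base64-wrapped exec stub."""
    root = tempfile.mkdtemp(prefix="vmconnect_demo_")
    os.makedirs(os.path.join(root, "clean"))
    os.makedirs(os.path.join(root, "tainted"))
    with open(os.path.join(root, "clean", "__init__.py"), "w") as fh:
        fh.write("def copy(text):\n    return text\n")
    payload = base64.b64encode(b'print("constructed placeholder; never executed")').decode()
    with open(os.path.join(root, "tainted", "__init__.py"), "w") as fh:
        fh.write('import base64\nexec(base64.b64decode("%s"))\n' % payload)
    for pkg in ("clean", "tainted"):  # compile (not run) so __pycache__ mirrors the source
        py_compile.compile(os.path.join(root, pkg, "__init__.py"), doraise=True)
    return root


if __name__ == "__main__":
    for rel, line, why in scan_package(build_demo_package()):
        print("%s:%d: %s" % (rel, line, why))
```

Run against a real package directory with `scan_package("/path/to/site-packages/pkg")`; the .pyc header check is only meaningful for timestamp-based caches (flags 0), and a magic mismatch means the bytecode was produced by a different interpreter version and should be disassembled with that version rather than trusted or skipped.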
In one coding assignment identified by the software supply chain security firm, the threat actors attempted to create a false sense of urgency by requiring job seekers to build a Python project shared as a ZIP file within five minutes, and then to find and fix a coding flaw in it within the next 15 minutes.
This makes it “more likely that he or she will run the package without doing any type of security review or even checking the source code,” Zanki said, adding that “it guarantees to the attackers behind this campaign that the embedded malware will be executed on the developer’s system.”
Some of the aforementioned tests claimed to be technical interviews for financial institutions such as Capital One and Rookery Capital Limited, highlighting how the threat actors impersonate legitimate companies in the financial sector to carry out the operation.
It is currently unclear how widespread these campaigns are, although potential targets are scouted and contacted via LinkedIn, as Google-owned Mandiant also recently highlighted.
“Following the initial chat, the attacker sent a ZIP file containing the COVERTCATCH malware disguised as a Python coding challenge, which compromised the user’s macOS system by downloading second-stage malware that persisted via Launch Agents and Launch Daemons,” the company said.
The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is ramping up its attacks against Russia and South Korea using phishing lures that lead to the deployment of AsyncRAT, with overlaps identified with an activity cluster also tracked as CLOUD#REVERSER (aka puNK-002).
Some of these attacks also involve the distribution of a new malware called CURKON, a Windows shortcut (LNK) file that serves as the downloader for an AutoIt version of Lilith RAT. The activity has been attributed to a sub-cluster tracked by S2W as puNK-003.