Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware

Cybersecurity experts have found a new group of malicious Python packages that target software engineers under the pretext of code inspections.

"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki stated.

The activity has been assessed to be part of an ongoing campaign named VMConnect that first came to light in August 2023. There are signs that it is the handiwork of the North Korea-backed Lazarus Group.

The use of job interviews as an infection vector has been embraced extensively by North Korean threat actors, who either solicit unwary developers on sites such as LinkedIn or lure them into downloading malicious packages as part of a purported skills test.

These packages, for their part, have been released directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control.

ReversingLabs said it detected malicious code embedded in modified versions of genuine PyPI modules such as pyperclip and pyrebase.

"The malicious code is present in both the __init__.py file and its corresponding compiled Python file (PYC) inside the __pycache__ directory of respective modules," Zanki stated.

It is implemented as a Base64-encoded string that hides a downloader function; the function contacts a command-and-control (C2) server and executes the commands it receives in response.
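A defender-side check for the loader pattern described above (a Base64 blob decoded and handed to exec() inside a package's __init__.py, with bytecode shipped in __pycache__), added here as an example; it is not code from ReversingLabs or from the campaign. The AST heuristics and the sample package contents are constructed for illustration.

```python
import ast
import base64
import binascii
import re
from pathlib import Path
# Heuristics, not signatures: a long base64 literal fed to exec() is the shape
# of the loader the article describes.
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_base64(text: str, min_len: int = 40) -> bool:
    """True if the literal is long, base64-alphabet only, and decodes cleanly."""
    s = "".join(text.split())
    if len(s) < min_len or not B64_CHARS.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def scan_source(src: str, label: str) -> list:
    """Return findings for one Python source file (label is used in messages)."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            f = node.func  # bare name (exec) or attribute (base64.b64decode)
            name = getattr(f, "id", None) or getattr(f, "attr", None)
            if name in ("exec", "eval"):
                findings.append(f"{label}:{node.lineno} dynamic execution via {name}()")
            elif name == "b64decode":
                findings.append(f"{label}:{node.lineno} base64 decoding")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and looks_base64(node.value):
            findings.append(f"{label}:{node.lineno} long base64 string literal")
    return findings

def scan_package(root: Path) -> list:
    """Scan every .py under root and flag bytecode shipped inside __pycache__."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.suffix == ".py":
            findings += scan_source(p.read_text(encoding="utf-8"), str(p.relative_to(root)))
        elif p.suffix == ".pyc" and p.parent.name == "__pycache__":
            # A pre-built .pyc can carry code that differs from the .py beside it.
            findings.append(f"{p.relative_to(root)} precompiled bytecode shipped in package")
    return findings

# Constructed sample: a harmless payload wrapped the way the article describes.
PAYLOAD = base64.b64encode(b"print('stage two would run here')").decode()
SUSPECT = f"import base64\nexec(base64.b64decode('{PAYLOAD}'))\n"
CLEAN = "def copy(text):\n    return text\n"
```

Point `scan_package(Path("unpacked_assignment"))` at an extracted ZIP before running anything in it; a hit on both an exec()/b64decode pair and a shipped .pyc is the combination worth escalating.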

In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.

This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."

Some of the aforementioned tests purported to be a technical interview for financial organizations including Capital One and Rookery Capital Limited, emphasizing how the threat actors are mimicking reputable firms in the industry to carry out the operation.

It is not presently known how broad these efforts are, but potential targets are researched and approached via LinkedIn, as recently noted by Google-owned Mandiant.

"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user's macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said.

The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is intensifying its attacks against Russia and South Korea by employing spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps identified with a campaign codenamed CLOUD#REVERSER (aka puNK-002).

Some of these attacks also involve the distribution of a new malware named CURKON, a Windows shortcut (LNK) file that acts as a downloader for an AutoIt version of Lilith RAT. The activity has been linked to a sub-cluster identified as puNK-003, per S2W.
