North Korean Hacking Group ‘Lazarus’ Is Targeting Python Developers with Fake Job Interviews

by
Krishi Chowdhary
from Techreport on (#6QPYJ)
Untitled-design-1_cr-1200x675.jpg
  • ReversingLabs discovered a resurgence of the fake job" campaign launched by a North Korean hacker group called Lazarus.
  • The group is targeting Python developers with a fake job posting promising a lucrative salary.
  • During the coding tests, they hand the candidates an instruction file containing malware.

Untitled-design-1_cr-300x169.jpg

The infamous Korean Hacker group Lazarus' is targeting Python developers with a fake coding test for password managers.

It's worth noting that this group has been known to target victims through fake job advertisements for a long time. What they do is create a fake LinkedIn account, post fake job vacancies, and entice unsuspecting users with high packages.

Developers are their most common victims. Often during interviews, in the name of testing their skills, developers are asked to do coding projects and are sent some instruction files. However, what these candidates don't know is that these instruction files are often malicious.

Related: North Korea targets developers with the DEV#POPPER campaign again

About This Campaign

The campaign was first discovered by ReversingLabs, which has been tracking the group for years.The modus operandi of the group is pretty similar to its previous campaigns: the group impersonates Capital One Bank on LinkedIn and targets developers looking for a new job.

Once they find a victim, they ask to test their skills. The so-called test involves downloading and installing a password manager and looking for bugs in it. Once the job is done, the candidate is asked to share proof of their work through a screenshot.

Nothing suspicious so far, right? However, when the candidates click on the README instruction file, it executes a base64 obfuscated module hidden in the'_init_.py' files of the pyperclip' and pyrebase' libraries. This obfuscated string is a malware downloader that connects with a command and control (C2) server for commands. It's also capable of running additional payloads.

To prevent the candidates from seeing through their ruse, the group has also imposed a time limit on the test. It has to be done within 30 minutes: five minutes to create the project, 15 minutes to find and apply the fix, and the last 10 minutes to report back to the recruiter.

The time limit is designed to make it seem like it will help to find the best-suited candidate, but in reality, it just ensures that they don't have enough time to understand what's actually going on.

What Should Job Seekers Do Now?

As per ReversingLabs, the malware is active as of July 31. Hence, people looking for a job on LinkedIn are advised to be wary of every job post they come across, especially the ones that seem too good to be true.

Make sure you directly reach out to the company and confirm whether they're actually hiring or not.

In case you have to execute a code for testing (which is common in developer interviews), do it in a safe environment like virtual machines or sandboxing applications.

The post North Korean Hacking Group Lazarus' Is Targeting Python Developers with Fake Job Interviews appeared first on The Tech Report.

External Content
Source RSS or Atom Feed
Feed Location https://techreport.com/feed/
Feed Title Techreport
Feed Link https://techreport.com/
Reply 0 comments