Software developers are once again being targeted by fake job advertisements. The goal of the newly observed campaign is the same as those previously seen: deploy remote access trojans (RAT) on compromised endpoints, steal passwords and other sensitive data.
The finding comes from a new report by cybersecurity researchers at Securonix. They recently observed a campaign inviting Python developers to take part in a job interview. The process includes test tasks in which the developers are told to download code from GitHub and run it.
However, the code contains an obfuscated JavaScript file that, when executed, triggers an infection chain that ends with the installation of the RAT.
Is Lazarus back?
This RAT gives the attackers a number of things, including persistent connections, file system commands, remote command execution capabilities, direct FTP data exfiltration, and clipboard and keystroke logging.
Securonix called the campaign “Dev Popper”.
Although the researchers have not attributed the campaign to any specific threat actor (citing a lack of conclusive evidence), Dev Popper has the Lazarus Group's fingerprints all over it.
Lazarus is a North Korean state-sponsored threat actor that has been observed creating fake job offers in the past. In previous campaigns, the group created convincing LinkedIn profiles and approached software developers with a background in blockchain development with attractive job opportunities.
The aim of those attacks was to steal the developers' cryptocurrency, one of the hallmarks of Lazarus. However, this is the first time that victims have been invited to download and run code from GitHub. In previous campaigns, the attackers attempted to infect devices with malware hidden in .docx files, .pdf files, and other file formats.
Late last year, researchers uncovered a massive fake jobs campaign believed to have affected more than 100,000 people in at least 50 countries. The victims were infected with ransomware and extorted for more than $100 million.
Via BleepingComputer