North Korean Lazarus hackers are using a fake coding test to steal passwords

North Korean state-sponsored threat actors Lazarus Group is evolving its “fake job” hacking campaign, researchers have warned.

Lazarus has been creating fake LinkedIn accounts and posting fake job ads across the internet for years. They offer their victims, often developers, enticing packages, high salaries, and plenty of perks. But instead of getting the job, after a few interview rounds, the only thing these people would get is malware, often from .PDF files posing as job details and such.

Now, cybersecurity researchers from ReversingLabs are saying that Lazarus is still going about the same thing, but now targeting Python developers with a fake coding test project.

Moving the WHOIS server

Apparently, the group would still start the same way – by impersonating someone on LinkedIn. This time around, it is the Capital One bank. Then, they would host the malware on GitHub, masquerading it as a password manager project. After that, they would find suitable victims, and at one point – ask to test their skills.

The “test” includes downloading and installing the password manager, and then “hunting” for bugs. The entire thing must be finished within half an hour. The crooks would argue that the limit prevents the candidates from cheating, but ReversingLabs says it’s to prevent the victims from spotting the ruse and acting on it.

The malware acts as a downloader, granting the attackers the ability to deploy secondary malicious code, depending on the compromised environment. The campaign is dubbed “VMConnect campaign” and it’s been active since August 2023, more than a year now. ReversingLabs believe the campaign is still ongoing.

North Koreans are usually targeting developers working on cryptocurrency projects, as that allows them to steal people’s money and use it to fund the state apparatus and the country’s weapons program. One of Lazarus’ biggest heists netted them more than half a billion dollars.

Via BleepingComputer

More from TechRadar Pro

https://cdn.mos.cms.futurecdn.net/CBHUAsfrHYAci3MTWZBsgN-1200-80.png

Source link