A report from ReversingLabs has revealed that the North Korean hacker group Lazarus is using a fake password manager coding test to target Python developers. The attackers pose as recruiters and offer job candidates an enticing employment package, likely to attract their attention.
The hackers host the malicious coding projects on GitHub, where victims find README files with instructions on how to complete the test. The directions are designed to provide a sense of professionalism and legitimacy, as well as a sense of urgency.
According to the report, Lazarus actively approaches their targets over LinkedIn, a documented tactic for the group. The hackers direct candidates to find a bug in a password manager application, submit their fix, and share a screenshot as proof of their work.
Following the README’s instructions triggers the execution of a base64-obfuscated module hidden in the ‘__init__.py’ files of the ‘pyperclip’ and ‘pyrebase’ libraries. This obfuscated string is a malware downloader that contacts a command-and-control (C2) server and awaits commands; fetching and running additional payloads is within its capabilities.
The report suggests that the campaign is still active, with evidence found on July 31, and it is believed to be ongoing. Software developers receiving job invitations from users on LinkedIn or elsewhere should be wary of deception and keep in mind that the profiles contacting them could be fake.
Before accepting an assignment, it is recommended to verify the other person’s identity and independently confirm with the company that a recruitment round is indeed underway. Additionally, it is advised to scan or carefully review the given code and to execute it only in safe environments such as virtual machines or sandboxing applications.
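A defender-side heuristic that supports the "review the code before running it" advice above, written as an added example (it is not from the ReversingLabs report or the article): it parses every .py file in a cloned project and flags long base64 string literals that sit beside decode and exec/eval calls, the shape the report describes for the loader hidden in the libraries' `__init__.py` files. The `scan_source`/`scan_project` functions, the 200-character threshold and the harmless `SAMPLE_LOADER` are constructed for this demonstration.

```python
import ast
import base64
from pathlib import Path

MIN_BLOB_LEN = 200                          # shorter literals are rarely a whole embedded module
DECODE_CALLS = {"b64decode", "decompress"}  # names that turn a blob back into code
EXEC_CALLS = {"exec", "eval"}               # names that run it

def _is_long_base64(s):
    """True for a long literal that decodes cleanly as base64 (validate=True rejects stray characters)."""
    s = s.replace("\n", "")
    try:
        return len(s) >= MIN_BLOB_LEN and base64.b64decode(s, validate=True) is not None
    except ValueError:              # binascii.Error subclasses ValueError; non-ASCII raises one too
        return False

def _called_names(tree):
    """Bare name of every call: exec(...) -> 'exec', base64.b64decode(...) -> 'b64decode'."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            names.add(func.id if isinstance(func, ast.Name) else getattr(func, "attr", ""))
    return names

def scan_source(src):
    """Findings for one source file; an empty list means nothing suspicious was found."""
    tree = ast.parse(src)
    blobs = [n.value for n in ast.walk(tree)
             if isinstance(n, ast.Constant) and isinstance(n.value, str) and _is_long_base64(n.value)]
    if not blobs:
        return []
    calls = _called_names(tree)
    findings = [f"{len(blobs)} long base64 literal(s), longest {max(map(len, blobs))} chars"]
    if calls & DECODE_CALLS:
        findings.append("decodes it: " + ", ".join(sorted(calls & DECODE_CALLS)))
    if calls & EXEC_CALLS:
        findings.append("executes it: " + ", ".join(sorted(calls & EXEC_CALLS)))
    return findings

def scan_project(root):
    """Scan every .py under root, vendored libraries' __init__.py files included."""
    return {str(p): r for p in Path(root).rglob("*.py")
            if (r := scan_source(p.read_text(errors="replace")))}

# CONSTRUCTED stand-in for the report's loader: harmless payload, same decode-and-exec shape.
_BLOB = base64.b64encode(b"print('decoded blob ran')" + b" " * 200).decode()
SAMPLE_LOADER = f'import base64\nexec(base64.b64decode("{_BLOB}"))\n'
```

Calling `scan_project("path/to/the/cloned/test")` returns a dict of flagged files and the reasons, and `scan_source(SAMPLE_LOADER)` shows the three findings the constructed sample produces. A hit is a reason to open the file and read the decoded blob in an isolated environment, not proof of malice on its own.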
Source: https://www.bleepingcomputer.com/news/security/fake-password-manager-coding-test-used-to-hack-python-developers/