Watch out developers: Lazarus Group uses fake coding tests for malware

September 12, 2024
1 min read



TLDR:

Researchers have discovered a new set of malicious Python packages targeting software developers, part of an ongoing campaign called VMConnect attributed to the Lazarus Group. Fake coding tests create a false sense of urgency to trick developers into downloading and running malware-laced packages. The malware is hidden inside modified versions of legitimate PyPI libraries and connects to a command-and-control server to execute commands.

Full Article:

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. The activity, part of an ongoing campaign dubbed VMConnect and attributed to the Lazarus Group, uses fake job interviews to lure developers into downloading rogue packages.

The malware is embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase, hidden in Base64-encoded strings within __init__.py files. These packages are published on public repositories like npm and PyPI, or hosted on GitHub repositories controlled by the threat actors.
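The concealment technique described above (a long Base64 string in `__init__.py` that is decoded and executed at import time) is cheap to check for before running an unfamiliar "coding test" project. The following is an added example, not code from the article or from the researchers it cites: a small static scanner that parses a Python source file, flags long string constants that decode as Base64 to readable text containing code-like indicators, and flags any `exec(...)`/`eval(...)` whose argument is produced by a `b64decode` call. The length threshold, the indicator list and the sample inputs are assumptions constructed for this example.

```python
import ast
import base64
import binascii

# Heuristic indicators of executable code inside a decoded blob (assumption:
# tuned for this example, extend for real reviews).
INDICATORS = ("import ", "exec(", "eval(", "socket", "urllib", "requests",
              "subprocess", "http")


def _try_decode(text):
    """Return the UTF-8 text a Base64 string decodes to, or None if it is not
    valid Base64 or does not decode to readable text."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def _decodes_via_b64(node):
    """True if the AST subtree contains a call to b64decode (bare or attribute)."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            func = sub.func
            if isinstance(func, ast.Attribute) and func.attr == "b64decode":
                return True
            if isinstance(func, ast.Name) and func.id == "b64decode":
                return True
    return False


def scan_init_source(source, min_len=80):
    """Scan Python source text and report Base64 blobs and exec-of-decoded calls.

    Returns {"base64_blobs": [...], "exec_of_decoded": [line numbers]}."""
    tree = ast.parse(source)
    findings = {"base64_blobs": [], "exec_of_decoded": []}
    for node in ast.walk(tree):
        # Long string constants that decode cleanly from Base64 are suspicious.
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and len(node.value) >= min_len):
            compact = "".join(node.value.split())  # tolerate wrapped blobs
            decoded = _try_decode(compact)
            if decoded is not None:
                hits = [ind for ind in INDICATORS if ind in decoded]
                findings["base64_blobs"].append({
                    "line": node.lineno,
                    "length": len(compact),
                    "indicators": hits,
                    "preview": decoded[:60],
                })
        # exec()/eval() fed directly from a Base64 decode is the import-time
        # execution pattern described in the article.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")):
            if any(_decodes_via_b64(arg) for arg in node.args):
                findings["exec_of_decoded"].append(node.lineno)
    return findings


def scan_init_file(path, min_len=80):
    """Convenience wrapper: scan a file on disk (for example a package __init__.py)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_init_source(fh.read(), min_len=min_len)


def is_suspicious(findings):
    """A file is suspicious if it execs decoded data or carries a code-like blob."""
    return bool(findings["exec_of_decoded"]) or any(
        f["indicators"] for f in findings["base64_blobs"])


# Constructed samples (not real malware). The "payload" is a harmless print
# wrapped in an import statement, repeated so the blob passes the length check.
_PAYLOAD = b"import socket\nprint('constructed sample')\n" * 3
SAMPLE_MALICIOUS = (
    "import base64\n"
    "_d = '" + base64.b64encode(_PAYLOAD).decode() + "'\n"
    "exec(base64.b64decode(_d))\n"
)
SAMPLE_BENIGN = (
    '"""Clipboard helpers for a small utility package."""\n'
    "__version__ = '1.0'\n"
    "def copy(text):\n"
    "    return text\n"
)

if __name__ == "__main__":
    for name, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = scan_init_source(src)
        print(name, "suspicious" if is_suspicious(result) else "clean", result)
```

Run `scan_init_file("path/to/package/__init__.py")` over every package in an unpacked project before installing or executing it; a hit is a reason to stop and read the file, not proof of malice on its own, since legitimate packages occasionally embed encoded assets. The scanner is static, so it never imports the code it inspects.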

In one instance, developers were asked to build a Python project, shared as a ZIP file, within five minutes, and then to find and fix a coding flaw within the next 15 minutes. This sense of urgency increases the likelihood that the malware is executed without a security review.

The Lazarus Group has been using job interviews as an infection vector, either approaching developers on platforms like LinkedIn or tricking them into downloading malicious packages. The threat actors also impersonate legitimate companies like Capital One to carry out their operations.

In another development, cybersecurity company Genians revealed that the North Korean threat actor Konni is intensifying attacks against Russia and South Korea, using spear-phishing lures that lead to the deployment of the AsyncRAT malware. Additionally, a new malware called CURKON has been identified as part of these attacks.

Overall, the use of fake coding tests and job interviews as a means to spread malware highlights the evolving tactics of threat actors in the cybersecurity landscape. It is crucial for developers to exercise caution and perform a thorough security review before downloading and executing any code.

