Software developers are being targeted, once again, by fake job ads. The goal of the newly observed campaign is the same as the ones seen before – to drop remote access trojans (RAT) on compromised endpoints, steal passwords, and other sensitive data.
This is according to a new report from cybersecurity experts Securonix. The researchers recently observed a campaign in which Python developers are invited to participate in a job interview process. This process includes, among other things, trial tasks, in which the developers are told to download and run code from GitHub.
However, the code carries an obfuscated JavaScript file which, when executed, triggers an infection chain that concludes with the installation of the RAT.
Is Lazarus back?
This RAT grants the attackers a number of things, including persistent connections, file system commands, remote command execution capabilities, direct FTP data exfiltration, and clipboard and keystroke logging.
Securonix dubbed the campaign “Dev Popper”.
While the researchers did not attribute the campaign to any specific threat actor (citing lack of conclusive evidence), Dev Popper does have Lazarus Group’s fingerprints all over it.
Lazarus is a North Korean state-sponsored threat actor that’s been observed creating fake jobs in the past. In previous examples, the group would create convincing LinkedIn profiles and would reach out to software developers with a background in blockchain development, with great job opportunities.
The goal of the attacks was to steal the developers’ cryptocurrencies, one of Lazarus’ hallmarks. However, this is the first time the victims were invited to download and run GitHub code. In earlier examples, the attackers tried to infect devices with malware hiding in .docx files, .pdfs, and other file formats.
Late last year, researchers spotted a massive fake job campaign, believed to have affected more than 100,000 people in at least 50 countries. The victims were infected with ransomware, and were extorted for more than $100 million.
Via BleepingComputer
More from TechRadar Pro
- This massive new spoofing campaign is targeting job seekers, so watch out
- Here’s a list of the best firewalls around today
- These are the best endpoint security tools right now