Lazarus Hackers Pose as Recruiters to Target Python Developers with Malware


Posted on: 12 Sep 2024 | Author: Foresiet

Introduction

A recent cyber campaign has emerged, targeting Python developers with fake coding tests designed to compromise their systems. Members of the infamous North Korean hacker group, Lazarus, are posing as recruiters and tricking developers into downloading malware disguised as coding projects. These attacks, known as the VMConnect campaign, were first detected in August 2023 and have since evolved, exposing software developers to serious online risks. This blog will provide an in-depth look at how Lazarus hackers are deceiving victims and offer tips on how to avoid falling prey to such schemes.

The VMConnect Campaign: How It Works

The Lazarus group, known for its sophisticated cyberattacks, is using Python packages uploaded to the PyPI repository to deliver malware. Developers, often seeking job opportunities, are directed to fake GitHub repositories, where they are asked to complete a coding test. These repositories are designed to look professional, with README files outlining instructions and a sense of urgency to legitimize the assignment.

In most cases, the group impersonates large, reputable U.S. banks like Capital One to attract unsuspecting developers. According to cybersecurity firm ReversingLabs, which has been tracking this campaign for over a year, Lazarus uses LinkedIn to contact developers, furthering the illusion of legitimacy. The hackers offer enticing job offers to lure their targets, who are then directed to work on malicious projects.

The "Find the Bug" Challenge

Once a target developer engages with the hackers, they are tasked with finding a bug in a Python-based password manager application. The goal appears simple: identify and fix the bug, submit the fix, and send back a screenshot as proof of completion.

However, this seemingly harmless project is laced with malware. The README file instructs the developer to run a Python script named "PasswordManager.py". When executed, it triggers a hidden Base64-obfuscated module in the __init__.py files of two widely used Python libraries, pyperclip and pyrebase. The obfuscated code contacts a command-and-control (C2) server, allowing the hackers to deliver further payloads and gain control of the infected system.

Urgency: The Hacker's Weapon

Lazarus adds another layer of deception by introducing tight time constraints. Developers are given only five minutes to set up the project, 15 minutes to fix the bug, and 10 minutes to submit the final result. This artificially created urgency aims to pressure developers into skipping important security checks, such as reviewing the code for malicious content or running it in a sandboxed environment. By imposing a sense of urgency, Lazarus ensures that victims act quickly, overlooking potential red flags.

Ongoing Threats and Precautions

ReversingLabs discovered evidence that the VMConnect campaign was still active as recently as July 2024. The campaign is likely ongoing, with hackers continuing to target developers through job invitations on platforms like LinkedIn.

For developers, caution is crucial. Receiving an unsolicited job offer or coding test from an unknown recruiter should raise suspicions. Before engaging, verify the authenticity of the recruitment offer by contacting the organization directly or cross-checking the recruiter's credentials.

If you're given code to review or fix, always perform a thorough scan and consider executing it in a virtual machine or using sandboxing software to isolate any potential threats. It’s vital to ensure your system is safe from malicious actors posing as recruiters.
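
The scan recommended above, sketched as an added example (not code from Foresiet, ReversingLabs or the campaign): it parses a received project with `ast`, without importing or running it, and flags long Base64 string literals like the one described in the `__init__.py` files. The 80-character threshold, the function names and the harmless sample tree created by `build_sample` are assumptions constructed for illustration.

```python
import ast
import base64
import re
from pathlib import Path

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MIN_LEN = 80  # assumed threshold: shorter literals are rarely payloads
DYNAMIC = {"exec", "eval", "compile", "__import__"}

def decode_b64(text):
    """Return decoded bytes if text is a long, valid Base64 string, else None."""
    text = text.replace("\n", "")
    if len(text) < MIN_LEN or not B64_RE.fullmatch(text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def scan_file(path):
    """Parse one file (never import or run it) and list (path, line, note)."""
    try:
        tree = ast.parse(Path(path).read_text(encoding="utf-8", errors="replace"))
    except (SyntaxError, ValueError):
        return [(str(path), 0, "unparseable source")]
    nodes = list(ast.walk(tree))
    dynamic = any(isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
                  and n.func.id in DYNAMIC for n in nodes)
    found = []
    for n in nodes:
        if isinstance(n, ast.Constant) and isinstance(n.value, (str, bytes)):
            text = n.value if isinstance(n.value, str) else n.value.decode("latin-1")
            if decode_b64(text) is not None:
                note = "long Base64 literal" + (", file also calls exec/eval/compile" if dynamic else "")
                found.append((str(path), n.lineno, note))
    return found

def scan_project(root):
    """Scan every .py file under root, listing __init__.py files first."""
    files = sorted(Path(root).rglob("*.py"), key=lambda p: (p.name != "__init__.py", str(p)))
    return [hit for f in files for hit in scan_file(f)]

def build_sample(root):
    """Constructed sample tree: a clean script plus an __init__.py hiding a blob."""
    blob = base64.b64encode(b"print('constructed harmless sample')\n" * 4).decode()
    pkg = Path(root, "pyperclip")
    pkg.mkdir(parents=True)
    (pkg / "__init__.py").write_text(f"import base64\nexec(base64.b64decode('{blob}'))\n")
    Path(root, "PasswordManager.py").write_text("import pyperclip\nprint('ok')\n")
```

A hit is a prompt to read that file by hand before anything is executed; an empty result only means this one pattern was not found.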

Conclusion

The Lazarus group's tactics are growing more sophisticated as they exploit the trust of developers in the recruitment process. By impersonating reputable companies and pressuring victims to act quickly, these hackers aim to install malware and gain control over developers' systems. Python developers should remain vigilant, especially when engaging with unfamiliar coding projects or job offers.

By employing strategies such as running code in secure environments, cross-verifying recruitment opportunities, and adopting tools for stolen credentials detection, digital threat scoring, and dark web surveillance, developers can protect themselves from falling victim to such cyberattacks. Stay informed and cautious—cyber threats like these can appear where you least expect them.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
