Cybersecurity researchers have discovered a new set of malicious Python packages targeting software developers under the guise of coding assessments.
“The new samples were traced to a GitHub project that has been linked to previous targeted attacks that lure developers using fake job interviews,” said Karlo Zanki, a researcher at ReversingLabs.
The activity is assessed to be part of an ongoing campaign called VMConnect, which first came to light in August 2023. There are indications that it is the work of the North Korea-backed Lazarus Group.
North Korean threat actors have widely used job interviews as an infection vector, approaching unsuspecting developers on sites like LinkedIn and enticing them to download malicious packages under the guise of a skills test.
These packages are either published directly to public repositories such as npm or PyPI, or hosted in a GitHub repository that the threat actors control.
ReversingLabs says it has found malicious code embedded within modified versions of legitimate PyPI libraries, including pyperclip and pyrebase.
“The malicious code is present in both the __init__.py files and their corresponding compiled Python files (PYC) in the __pycache__ directory of each module,” Zanki said.
The malicious code takes the form of a Base64-encoded string that conceals a downloader: once decoded and executed, it establishes a connection with a command-and-control (C2) server and runs the commands it receives in response.
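As an added example (not code from the article or from ReversingLabs), a small defensive scan for the pattern just described: it parses each `__init__.py` in a package, flags long Base64-looking string literals and `exec()`/`eval()` calls fed by `base64.b64decode()`, and reports `.pyc` files in `__pycache__` that have no matching source file. The 200-character threshold and the sample inputs are assumptions constructed for the example.

```python
import ast
import re
from pathlib import Path

# Heuristic threshold (an assumption for this example): a string literal made
# only of Base64 characters and at least 200 chars long is worth a look.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]{200,}$")

def _callee(node):
    """Dotted name of a Call's callee, e.g. 'base64.b64decode'; '' if unknown."""
    f, parts = node.func, []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def scan_source(src):
    """Flag long Base64-like literals and exec()/eval() calls fed by b64decode()."""
    findings = []
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return ["source does not parse; inspect manually"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and BASE64_RE.match(node.value):
            findings.append(f"line {node.lineno}: {len(node.value)}-char Base64-like literal")
        elif isinstance(node, ast.Call) and _callee(node) in ("exec", "eval"):
            inner = {_callee(n) for n in ast.walk(node) if isinstance(n, ast.Call)}
            if inner & {"base64.b64decode", "b64decode"}:
                findings.append(f"line {node.lineno}: {_callee(node)}() over b64decode() output")
    return findings

def scan_package(root):
    """Scan each __init__.py under root and flag orphaned .pyc files in __pycache__."""
    root, report = Path(root), {}
    for init in root.rglob("__init__.py"):
        hits = scan_source(init.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[init.relative_to(root).as_posix()] = hits
    for pyc in root.rglob("*.pyc"):
        source = pyc.parent.parent / (pyc.name.split(".")[0] + ".py")
        if pyc.parent.name == "__pycache__" and not source.exists():
            report[pyc.relative_to(root).as_posix()] = ["compiled module with no source file"]
    return report

# Constructed samples in the shape the article describes; the payload is filler, not real malware.
SUSPICIOUS_INIT = "import base64\nexec(base64.b64decode('" + "QUJD" * 60 + "'))\n"
CLEAN_INIT = "from .core import copy, paste\n__version__ = '1.0'\n"
```

Run `scan_package(path_to_unpacked_zip)` on an archive received as a "coding test" before executing anything in it; a hit is a reason to read the file, not proof of malice, since some legitimate packages embed encoded data.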
In one example coding challenge identified by a software supply chain company, threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in a ZIP file format within five minutes, and then find and fix a coding flaw within the next 15 minutes.
This “increases the likelihood of the packages being executed without any kind of security or source code review,” Zanki said, adding that “this gives the bad actors behind this campaign confidence that the embedded malware will be executed on the developer’s system.”
Some of the aforementioned tests purported to be technical interviews for financial institutions such as Capital One and Rookery Capital Limited, showing that the threat actors impersonate legitimate companies in the industry to run these operations.
It’s unclear at this point how widespread these campaigns are, but as Google-owned Mandiant recently revealed, the threat actors are also using LinkedIn to locate and contact potential targets.
“After the initial chat conversation, the attackers compromised the user’s macOS system by sending a ZIP file containing the COVERTCATCH malware disguised as a Python coding challenge and downloading second-stage malware that persists via a launch agent and launch daemon,” the company said.
The development comes after cybersecurity firm Genians revealed that a North Korean threat actor codenamed Konni has been stepping up attacks against Russia and South Korea using spear-phishing baits that have led to the deployment of AsyncRAT, which has been seen to overlap with a campaign codenamed CLOUD#REVERSER (aka puNK-002).
Some of these attacks also involve the distribution of a new malware called CURKON, a Windows shortcut (LNK) file that acts as a downloader for an AutoIt version of the Lilith RAT. According to S2W, this activity is associated with a subcluster being tracked as puNK-003.