Cybersecurity researchers at ReversingLabs have uncovered further malicious software packages linked to a campaign known as VMConnect, believed to be run by the North Korean state-sponsored threat group Lazarus. The campaign, first identified in August 2023, uses fake job interviews to lure developers into downloading and executing malicious code under the guise of a coding assignment.
The latest samples were traced to GitHub projects associated with previous targeted attacks. Researchers were able to identify one compromised developer and gained insights into an ongoing campaign where attackers pose as employees of major financial services firms.
ReversingLabs’ threat hunting workflows, which include continuous monitoring for previously identified threats, led to the discovery. A YARA rule created by Japan’s CERT (JPCERT/CC) for the VMConnect campaign matched several samples uploaded to ReversingLabs’ Spectra Intelligence platform in June 2024.
The malicious code was hidden in compiled Python (.pyc) files, which are rarely reviewed by hand and are missed by scanners that only inspect .py source. The packages were disguised as coding skills tests linked to job interviews, with names like “Python_Skill_Assessment.zip” and “Python_Skill_Test.zip”.
Instructions in the README files told candidates to find and fix a bug in a password manager application, and to run the application before starting. Because the malicious code was placed in altered pyperclip and pyrebase modules, present in both the __init__.py file and its corresponding compiled Python file, it executed as soon as those modules were imported, so the malware ran regardless of whether the candidate ever completed the task.
The researchers discovered evidence identifying likely victims of the campaign. One package revealed that the attackers impersonated Capital One, a major US financial services firm. Another archive was named “RookeryCapital_PythonTest.zip,” invoking the name of another financial services company.
Analysis of a .git folder in one of the detected archives led to the identification of a targeted developer. The developer confirmed falling victim to the malicious actor pretending to be a recruiter from Capital One in January 2024.
Despite some of these attacks dating back more than six months, there is evidence that the campaign is ongoing. A newly published GitHub repository named “testing,” nearly identical to earlier archives and containing the same malicious code, was discovered on 31 July 2024.
The timing of the new project’s publication, shortly after ReversingLabs contacted the compromised developer, suggests the malicious actor may still have access to the developer’s system.
This campaign is part of a growing trend among sophisticated cybercriminal and nation-state groups of using fake job interviews, open source packages and code-hosting platforms to target developers. Organisations are advised to be vigilant against such downloads and to educate staff about the risks of executing code from unknown sources; an unsolicited coding test should be treated as untrusted code and, if it must be run at all, run only in an isolated, disposable environment.