Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.
“The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews,” ReversingLabs researcher Karlo Zanki said.
The activity has been assessed to be part of an ongoing campaign dubbed VMConnect that first came to light in August 2023. There are indications that it is the handiwork of the North Korea-backed Lazarus Group.
The use of job interviews as an infection vector has been adopted widely by North Korean threat actors, either approaching unsuspecting developers on sites such as LinkedIn or tricking them into downloading rogue packages as part of a purported skills test.
These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control.
ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.
“The malicious code is present in both the __init__.py file and its corresponding compiled Python file (PYC) inside the __pycache__ directory of respective modules,” Zanki said.
It’s implemented in the form of a Base64-encoded string that obscures a downloader function that establishes contact with a command-and-control (C2) server in order to execute commands received as a response.
In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.
This makes it “more likely that he or she would execute the package without performing any type of security or even source code review first,” Zanki said, adding “that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer’s system.”
Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation.
It’s currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.
“After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user’s macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons,” the company said.
The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is intensifying its attacks against Russia and South Korea by employing spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps identified with a campaign codenamed CLOUD#REVERSER (aka puNK-002).
Some of these attacks also entail the propagation of a new malware called CURKON, a Windows shortcut (LNK) file that serves as a downloader for an AutoIt version of Lilith RAT. The activity has been linked to a sub-cluster tracked as puNK-003, per S2W.
