Software developers are being targeted, once again, by fake job ads. This is according to a new report from cybersecurity experts Securonix. The researchers recently observed a campaign in which Python developers are invited to participate in a job interview process. This process includes, among other things, trial tasks, in which the developers are told to download and run code from GitHub. However, the code carries an obfuscated JavaScript file which, when executed, triggers an infection chain that concludes with the installation of the RAT.
The RAT grants the attackers a number of things, including persistent connections, file system commands, remote command execution capabilities, direct FTP data exfiltration, and clipboard and keystroke logging. Securonix dubbed the campaign “Dev Popper”. While the researchers did not attribute the campaign to any specific threat actor (citing lack of conclusive evidence), Dev Popper does have Lazarus Group’s fingerprints all over it.
Is Lazarus back?
Lazarus is a North Korean state-sponsored threat actor that’s been observed creating fake jobs in the past. In previous examples, the group would create convincing LinkedIn profiles and would reach out to software developers with a background in blockchain development, with great job opportunities. The goal of the attacks was to steal the developers’ cryptocurrencies, one of Lazarus’ hallmarks. However, this is the first time the victims were invited to download and run GitHub code. In earlier examples, the attackers tried to infect devices with malware hiding in .docx files, .pdfs, and other file formats. Late last year, researchers spotted a massive fake job campaign, believed to have affected more than 100,000 people in at least 50 countries. The victims were infected with ransomware, and were extorted for more than $100 million.
Via BleepingComputer
