Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X or Mastodon.

Cybersecurity researchers at ReversingLabs have uncovered malicious software packages linked to a campaign known as VMConnect, believed to be orchestrated by the North Korean hacking team Lazarus Group. The campaign, first identified in August 2023, uses fake job interviews to lure developers into downloading and executing malicious code.

The latest samples were traced to GitHub projects associated with previous targeted attacks. Researchers were able to identify one compromised developer and gained insights into an ongoing campaign where attackers pose as employees of major financial services firms.

ReversingLabs’ threat hunting workflows, which include continuous monitoring of previously identified threats, led to the discovery. A YARA rule created by Japan CERT and related to the VMConnect campaign matched against several samples uploaded to ReversingLabs’ Spectra Intelligence platform in June 2024.

The hidden malicious code was found in compiled Python files, presenting a significant challenge for detection. The files were camouflaged as coding skills assessments related to job interviews, bearing names like “Python_Skill_Assessment.zip” and “Python_Skill_Test.zip”.

The README files within these packages instructed job seekers to find and fix a bug in a password management app; simply running the app executed the malware, whether or not the problem was solved. The malicious code had been inserted into altered versions of the pyperclip and pyrebase modules, in both the __init__.py file and its compiled counterpart.
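The check a defender would run on such an archive before anything in it is executed, as an added example that is not ReversingLabs' or Japan CERT's code: it parses the PEP 552 header of every .pyc in a zip and flags bytecode that ships with no corresponding .py, or whose recorded source size disagrees with the .py beside it. The archive layout and module names are constructed for illustration, loosely following the packages described above.

```python
import importlib.util
import io
import posixpath
import struct
import zipfile

# Constructed sample archive (built in memory, nothing downloaded) with the layout above.
_SOURCE = b"import os\n"

def _pyc_header(source: bytes, size: int = -1) -> bytes:  # PEP 552 timestamp header, flags=0
    size = len(source) if size < 0 else size
    return importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, size) + b"\0" * 8

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("pyperclip/__init__.py", _SOURCE)
        z.writestr("pyperclip/__pycache__/__init__.cpython-312.pyc",
                   _pyc_header(_SOURCE, size=len(_SOURCE) + 40))  # stale vs. shipped source
        z.writestr("pyrebase/__pycache__/pyrebase.cpython-312.pyc", _pyc_header(b"x=1\n"))  # no .py
        z.writestr("util/__init__.py", _SOURCE)
        z.writestr("util/__pycache__/__init__.cpython-312.pyc", _pyc_header(_SOURCE))  # consistent
    return buf.getvalue()

def source_for(pyc_path: str) -> str:
    """'pkg/__pycache__/mod.cpython-312.pyc' -> 'pkg/mod.py'."""
    d, base = posixpath.split(pyc_path)
    if posixpath.basename(d) == "__pycache__":
        d = posixpath.dirname(d)
    return posixpath.join(d, base.split(".")[0] + ".py")

def audit_pyc(zip_bytes: bytes) -> dict:
    """Verdict per .pyc: orphaned, stale, hash-based (recompile to verify), bad-header, consistent."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(n for n in names if n.endswith(".pyc")):
            head = z.read(name)[:16]
            if len(head) < 16 or head[2:4] != b"\r\n":  # every CPython magic ends in CRLF
                findings[name] = "bad-header"
                continue
            flags, _mtime, size = struct.unpack("<III", head[4:16])
            src = source_for(name)
            if src not in names:
                findings[name] = "orphaned"
            elif flags & 1:  # hash-based pyc carries a source hash, not size/mtime
                findings[name] = "hash-based"
            else:
                findings[name] = "consistent" if size == len(z.read(src)) else "stale"
    return findings
```

A "consistent" verdict only means the bytecode and the shipped source agree; in the campaign above the same malicious code was present in both, so the .py still has to be read before the package is trusted.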

Clues to the identities of potential victims came from the packages themselves. One package mimicked Capital One, a prominent American financial institution. Another was labeled “RookeryCapital_PythonTest.zip,” alluding to yet another financial entity.

A .git folder found in one archive led researchers to a developer, who later acknowledged having been duped by someone posing as a recruiter from Capital One in January 2024.

Despite some of these attacks dating back more than six months, there is evidence that the campaign is ongoing. A newly published GitHub repository named “testing,” nearly identical to earlier archives and containing the same malicious code, was discovered on 31 July 2024.

The correlation between the new project’s publication and ReversingLabs’ contact with a compromised developer suggests the malicious actor may still have access to the developer’s system.

This campaign is part of a growing trend among sophisticated cybercriminal and nation-state groups: using fake job interviews as a lure and leveraging open source packages and platforms to target developers. Organisations are advised to be vigilant against such downloads and to educate their staff about the risks of executing code from unknown sources.

