Fake Python Coding Tests Installed Malicious Software Packages From North Korea (scmagazine.com)
Sunday September 15, 2024 @03:34AM (EditorDavid), from the passing-is-failing dept.
- Reference: 0174997541
- News link: https://developers.slashdot.org/story/24/09/15/0030229/fake-python-coding-tests-installed-malicious-software-packages-from-north-korea
- Source link: https://www.scmagazine.com/news/lazarus-group-tricks-developers-to-load-malware-via-fake-recruiting-tests
"New malicious software packages tied to the North Korean Lazarus Group were observed posing as a Python coding skills test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware," [1]reports SC Magazine:
> Researchers at [2]ReversingLabs explained in a September 10 blog post that the scheme was a follow-on to the [3]VMConnect campaign that they first identified in August 2023 in which developers were lured into downloading malicious code via fake job interviews.
More [4]details from The Hacker News
> These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control. ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as [5]pyperclip and [6]pyrebase ... It's implemented in the form of a Base64-encoded string that obscures a downloader function, which establishes contact with a command-and-control server in order to execute commands received as a response.
>
> In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes. This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."
[7] Tom's Hardware reports that "The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. This is a good time to refer to [8]PEP 668 which enforces virtual environments for non-system wide Python installs."
More from [9] The Hacker News
> Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation. It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.
[1] https://www.scmagazine.com/news/lazarus-group-tricks-developers-to-load-malware-via-fake-recruiting-tests
[2] https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages
[3] https://www.scmagazine.com/news/vmconnect-campaign-linked-to-north-korean-lazarus-group
[4] https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
[5] https://pypi.org/project/pyperclip/
[6] https://pypi.org/project/pyrebase/
[7] https://www.tomshardware.com/tech-industry/cyber-security/python-developers-targeted-by-north-korean-lazarus-group-with-fake-jobs-and-malware-disguised-as-coding-tests
[8] https://peps.python.org/pep-0668/
[9] https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
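One defensive check a developer could run over an unzipped "coding test" before executing it, as an added example that is not drawn from the articles or from ReversingLabs' tooling: a small AST scan for the obfuscation described above, a Base64 string literal that is decoded and passed to exec() or eval(). The SAMPLE module is constructed here to mimic a tampered pyperclip and is not the real malicious package; MIN_BLOB_LEN is an assumed threshold.

```python
# Added example (not ReversingLabs' tooling): flag the obfuscation the article
# describes, a Base64 literal decoded and handed to exec()/eval().
import ast, base64, binascii

DANGEROUS_CALLS = {"exec", "eval"}
DECODERS = {"b64decode", "standard_b64decode", "urlsafe_b64decode"}
MIN_BLOB_LEN = 16  # assumed: shorter strings pass as Base64 by accident too often

def _call_name(node):
    """Callee name: exec(...) -> 'exec', base64.b64decode(...) -> 'b64decode'."""
    return node.func.id if isinstance(node.func, ast.Name) else getattr(node.func, "attr", None)

def _contains_decoder(node):
    """True if any sub-expression of node is a Base64 decode call."""
    return any(isinstance(n, ast.Call) and _call_name(n) in DECODERS for n in ast.walk(node))

def _payload(node, literals):
    """Decode the first Base64 literal (or name bound to one) found under node."""
    for n in ast.walk(node):
        text = n.value if isinstance(n, ast.Constant) else literals.get(getattr(n, "id", None))
        if isinstance(text, str) and len(text) >= MIN_BLOB_LEN:
            try:
                return base64.b64decode(text, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                pass
    return None

def find_encoded_exec(source):
    """Return [(lineno, decoded_payload_or_None)] for each exec/eval fed by a decoder."""
    tree = ast.parse(source)
    literals, decoded = {}, {}  # pass 1: what each simple name is bound to
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            name, value = node.targets[0].id, node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                literals[name] = value.value
            elif _contains_decoder(value):
                decoded[name] = value
    hits = []  # pass 2: exec()/eval() whose argument is (a name bound to) a decoder call
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in DANGEROUS_CALLS and node.args:
            arg = decoded.get(getattr(node.args[0], "id", None), node.args[0])
            if _contains_decoder(arg):
                hits.append((node.lineno, _payload(arg, literals)))
    return hits

# Constructed sample: a fake "pyperclip" with a decoded downloader stub appended.
_BLOB = base64.b64encode(b'print("downloader stub")').decode()
SAMPLE = ("import base64\ndef copy(text):\n    return text\n"
          f'_blob = "{_BLOB}"\nexec(base64.b64decode(_blob))\n')
```

Running find_encoded_exec over every .py file in the archive before installing or importing anything is the point; a hit reports the line and, when the blob is a literal in the same file, what it decodes to.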
wait I'm confused (Score:2)
by SeaFox ( 739806 )
I thought the North Koreans were the ones taking the remote-work jobs. So wouldn't that mean they were just jacking themselves?
well, go get them (Score:2)
by BrendaEM ( 871664 )
going to just sit this one out?
And that was the test (Score:2)
> test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware
You imported the module without checking it out? No job for you.
Re: (Score:2)
It's pretty much the standard for developers these days. Did you check the signature? Did you at least check the checksum?
Most have no idea what I am talking about.
It's a general tendency nowadays to blindly believe in technology. We've been infiltrated, so even people in the field act like outsiders, average citizens.
Re: (Score:2)
This has been a thing for decades. People have been obtaining packages and throwing them on their system, not even considering the source. Most of the time, no harm, no fowl, but you do get the Trojan horse. It would be nice if people ran a "rpm -K" or the Debian/Ubuntu equivalent, or even better a GPG scan, after checking keys, making sure the key is genuine and all that.
Re: (Score:2)
> no harm, no fowl
Your word choice is rather foul.
Re: (Score:2)
Well, he used the "rpm -K" term. I can't tell for sure, but I am an old slackpkg fan, although nowadays I have become accustomed to using apt/apt-get/aptitude more often.
I guess I am lucky to have gotten to touch redhat systems seldom but I have occasionally.
My all time favorite will always be IBM's smitty!
Even worse with javascript (Score:2)
For a long time now people have been writing web code that just blindly downloads js modules from randomsite.com with zero checking. At least with a manually downloaded module with Python the option is there to check it with the checksum, but the web offers no such protection - it's take your chances and hope your browser sandbox holds up if some malicious actor has poisoned the repository (which IIRC happened not too long ago to some popular library).