North Korean hackers have devised a new way of stealing crypto from software engineers and developers who are looking for work on job search platforms.
According to a tweet by security firm ESET on 20 February, the hackers pose as recruiters to attract software engineers and developers; stealing the victims' crypto assets is the primary purpose of the operation.
How it works
The hackers pose on job search platforms such as LinkedIn as recruiters for companies seeking freelance software engineers or developers in the crypto or finance industry.
Unsuspecting job seekers may approach these fake recruiters themselves, or the recruiters may contact the job seeker directly with an offer.
They then ask the applicant to complete a test project and hand over software projects that conceal information-stealing malware; ESET tracks this operation under the name DeceptiveDevelopment.
The DeceptiveDevelopment operators ask their targets to do a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms.
Once the candidate downloads and executes the trojanized files, their computer gets compromised with the operation’s first-stage malware, BeaverTail.
Victims of these hackers are scattered all over the world and run all of the major operating systems. The security firm wrote:
“We have observed hundreds of different victims around the world, using all three major operating systems – Windows, Linux, and macOS. They ranged from junior developers just starting their freelance careers to highly experienced professionals in the field.”
History
ESET first observed the DeceptiveDevelopment campaign in early 2024, when it discovered trojanized projects hosted on GitHub in which the malicious code was appended to the end of very long comments, so that it sat out of view of anyone skimming the file.
The projects deliver the BeaverTail and InvisibleFerret malware, which steal crypto assets and other personal information in what may also serve an espionage purpose.
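One defensive check a developer could run over a "test project" before executing anything in it, as an added example that is not from ESET's report or the original article: a heuristic scanner that flags source lines where code is pushed out of view behind a long comment or a long run of whitespace, the concealment described above. The length threshold, the token list and the sample file are constructed assumptions, not values from the report.

```python
"""Heuristic scanner for source lines that hide executable code behind a long
comment or a long run of whitespace, the concealment ESET describes in the
DeceptiveDevelopment repositories. Added example: thresholds, token list and
the sample file are constructed for illustration, not taken from the report."""
import re
from typing import List, Tuple

# Tokens that rarely belong in a comment but commonly appear in a dropper.
SUSPICIOUS = re.compile(
    r"\b(eval|exec|Function|require|child_process|spawn|fetch|atob|"
    r"Buffer\.from|fromCharCode|subprocess|urllib|base64)\b"
)
# Text, then 40+ spaces/tabs, then more text: code pushed past the visible edge.
# Leading indentation is excluded because the gap must follow a non-space char.
LONG_GAP = re.compile(r"\S[ \t]{40,}\S")
COMMENT = re.compile(r"(//|#|/\*)")

def scan_source(text: str, max_len: int = 200) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each line that looks like hidden code."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if LONG_GAP.search(line):
            findings.append((no, "code after long whitespace gap"))
            continue
        if len(line) > max_len:
            # Only inspect what follows the first comment marker.
            m = COMMENT.search(line)
            after = line[m.end():] if m else line
            if SUSPICIOUS.search(after):
                findings.append((no, "long comment line with executable tokens"))
    return findings

# Constructed sample "repository file": one benign long indent, two hidden payloads.
SAMPLE = "\n".join([
    "const express = require('express');",
    "// helpers for the coding test" + " " * 400 + "eval(Buffer.from(payload, 'base64').toString());",
    "function add(a, b) { return a + b; }",
    " " * 40 + "return deeplyNested();",
    "# " + "lorem ipsum " * 30 + "import base64; exec(base64.b64decode(blob))",
])

if __name__ == "__main__":
    for no, reason in scan_source(SAMPLE):
        print(f"line {no}: {reason}")
```

Any hit is a reason to read the flagged line in full (or widen the editor) rather than run the project; a clean result is not proof the project is safe.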
Such attacks have become quite common on GitHub. Techgaged reported that one injection tool has been identified that steals WiFi passwords and other information on Windows and Linux computers.