Lazarus Group Targets Developers in Fresh VMConnect Campaign

Sept. 12, 2024
Lazarus Group has been observed continuing its VMConnect campaign by targeting developers with new malicious software packages on open source repositories, according to ReversingLabs.

The researchers said that the North Korean group posed as employees of major financial services firm Capital One, using fake job interviews to lure developers into downloading the malware.

The malware is designed to install malicious downloaders on developer systems. These downloaders are capable of fetching second- and third-stage malware, such as backdoors and infostealers.

Attackers Masquerading as Capital One

In the recently observed campaign, the attackers impersonated staff at US financial services company Capital One and sent developers “test” packages through links in LinkedIn direct messages.

These links took the targets to a GitHub repository, presented as a “homework task.”

The files in the repository purported to be coding skills tests linked to job interviews. For example, the researchers observed archives with names like Python_Skill_Assessment.zip and Python_Skill_Test.zip.

The archives contained a README file with instructions for the developer, with a timeframe set for completing the assignment.

“It is clearly intended to create a sense of urgency for the would-be job seeker, thus making it more likely that he or she would execute the package without performing any type of security or even source code review first. That ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer’s system,” the researchers said.
