
lconstantin
CSO Senior Writer

Fake recruitment campaign targets developers using trojanized Python packages

News Analysis
12 Sep 2024 | 6 mins
DevSecOps, Hacker Groups, Phishing

North Korean attackers pose as recruiters for financial firms to lure developers into executing trojanized Python projects on their machines as part of fake job interviews.


The number of attacks looking to compromise developer machines has exploded in recent years. There has been a barrage of malicious packages uploaded to public registries such as PyPI and npm, sophisticated attempts by APT groups to infiltrate popular projects and make malicious code contributions, and more recently fake recruitment campaigns that trick developers into deploying poisoned repositories on their machines as part of coding tests.

The latest such campaign was uncovered by researchers from ReversingLabs and involves malicious code hidden in compiled Python files (PYC) that were part of a fake test project given to job applicants. The researchers found links to an older attack from last year that was attributed to the Lazarus Group, North Korea’s main state-sponsored hacking team.

The social engineering lure and the malware delivery technique are also very similar to those of another campaign attributed to North Korea, which was originally reported by researchers from Securonix in April. In that campaign, fake recruiters asked developers to deploy repositories containing a trojanized Node.js project on their machines. It wouldn’t be unusual if the same attackers had created poisoned projects in different programming languages in order to attract more candidates.

“The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews,” the ReversingLabs researchers said in their report. “Furthermore, information gathered from the detected samples allowed us to identify one compromised developer and provided insights into an ongoing campaign, with attackers posing as employees of major financial services firms.”

Fake instructions to fix a broken password manager

ReversingLabs started their investigation with new samples that were uploaded to the company’s intelligence platform and matched a YARA threat hunting rule that was originally created by Japan’s CERT for another campaign that involved malicious packages uploaded to the Python Package Index (PyPI).

Pivoting from those samples, the researchers were able to determine that they were part of an archive named Python_Skill_Assessment.zip. This archive also contained a README file that described the contents as a fully functional password manager written in Python with nearly all the features such an application should have.

The README file also had a section called “Instructions for the Job Candidate” which asked them to first make sure the package is running successfully on their system and then develop a password backup function for the project. These instructions made it clear to the researchers that the packages were meant as coding tests for job applicants as part of some social engineering attack.

The researchers then found another archive called Python_Skill_Test.zip that had a different README file identifying it as part of a “Capital One Technical Interview” and which asked candidates to build the project, find a bug and fix it, then rebuild it and show the results. All the steps had time limits on them, creating urgency for the candidate, and the instruction to build the project multiple times ensured that the malware hidden within would execute on their system.

The researchers also found a sample called RookeryCapital_PythonTest.zip. Both Capital One and Rookery Capital are financial firms, suggesting that the attackers were posing as recruiters for these and potentially other financial companies. This was confirmed when the researchers managed to identify one of the victims from a config file, a developer based in Russia who said he was approached in January on LinkedIn by a recruiter who claimed they worked for Capital One.

“In an email exchange with ReversingLabs, he revealed that he had been contacted from a LinkedIn profile and provided with a link to the GitHub repository as a ‘homework task’,” the researchers said. “The developer was asked to ‘find the bug,’ resolve it and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug — to make sure that the developer executed the project on his machine.”

Using PYC files to hide malicious code

Compared to the similar Node.js campaign reported by Securonix, in this case, attackers stored the malicious code in Python bytecode (PYC) files. This is significant because such files are in a binary format instead of plain text like typical source code files, making the malware much harder to spot.

PYC files are generated and cached when the Python interpreter imports or executes a Python script. Since they already contain compiled bytecode, the interpreter can later load and execute them directly without parsing and recompiling the original source. This improves start-up and load times, and the most common use for such files is in the distribution of Python modules. PYC files have been used by attackers to hide malicious code before.

In this particular campaign, the malicious code stored inside is further encoded in Base64 and acts as a malware downloader by reaching out to a command-and-control server over HTTP and executing Python commands received from it.
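As an added example (not code from the ReversingLabs report or from this article), the following Python scanner unmarshals a .pyc without importing it, so nothing in the file runs, and flags the pattern described above: a long Base64 string constant sitting beside a call to exec or b64decode. The suspicious-name list, the header-skipping heuristic and both sample modules are constructed assumptions for the demo, not indicators from the campaign.

```python
import base64
import marshal
import py_compile
import re
import tempfile
import types
from pathlib import Path

# Heuristic list (an assumption, not taken from the report): names a bytecode-hidden downloader needs.
SUSPICIOUS_NAMES = {"exec", "eval", "compile", "b64decode", "urlopen", "Request"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

def scan_code(code, findings=None):
    """Walk co_consts recursively, collecting long base64-looking strings and risky names."""
    if findings is None:
        findings = {"base64_blobs": [], "suspicious_names": set()}
    findings["suspicious_names"].update(set(code.co_names) & SUSPICIOUS_NAMES)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            scan_code(const, findings)  # nested functions and classes
        elif isinstance(const, str) and BASE64_RE.match(const):
            findings["base64_blobs"].append(const)
    return findings

def scan_pyc(pyc_path):
    """Unmarshal the .pyc (never importing, hence never executing it) and flag the blob-plus-exec pattern."""
    # CPython 3.7+ .pyc header: magic(4) + flags(4) + mtime/hash(8); the marshalled code object follows.
    code = marshal.loads(Path(pyc_path).read_bytes()[16:])
    f = scan_code(code)
    names = sorted(f["suspicious_names"])
    return {"base64_blobs": f["base64_blobs"], "suspicious_names": names,
            "flagged": bool(f["base64_blobs"]) and bool({"exec", "eval"} & set(names))}

# Constructed samples: a benign module and one using the blob-plus-exec pattern (harmless payload).
BENIGN_SRC = "def add(a, b):\n    return a + b\n"
PAYLOAD = base64.b64encode(b"print('constructed benign payload for the scanner demo')").decode()
TROJAN_STYLE_SRC = f"import base64\nBLOB = '{PAYLOAD}'\nexec(base64.b64decode(BLOB))\n"

def compile_and_scan(source, workdir, name):
    # Write the source to a .py, compile it to a .pyc the way the interpreter would, then scan it.
    src = Path(workdir) / f"{name}.py"
    src.write_text(source)
    pyc = py_compile.compile(str(src), cfile=str(src.with_suffix(".pyc")), doraise=True)
    return scan_pyc(pyc)

def demo():
    """Return (findings for the trojan-style sample, findings for the benign sample)."""
    with tempfile.TemporaryDirectory() as d:
        return compile_and_scan(TROJAN_STYLE_SRC, d, "suspicious"), compile_and_scan(BENIGN_SRC, d, "benign")
```

Running scan_pyc over every .pyc shipped inside a take-home archive, before building it, is the cheap check a candidate or a security team can make; a real scanner would also pair this with the YARA rule mentioned above.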

According to ReversingLabs, the code is identical to that observed in the samples from a campaign detected in August 2023 and which involved fake packages uploaded to PyPI impersonating popular modules, including one called VMConnect.

“Campaigns such as this that leverage open source packages and platforms to target developers are a growing trend among sophisticated cybercriminal and nation-state groups,” the researchers said. “North Korea’s Lazarus Group, which is believed to be behind this campaign, is a good indicator of how such threats are playing out. Lazarus is an advanced and very active threat actor focused on financial gain and cryptocurrency theft to benefit the government of North Korea.”

Moreover, Lazarus Group is known for software supply-chain attacks in which it compromised software development companies and trojanized the software installers they distributed to customers. Developer machines often have access to development infrastructure via SSH keys and other stored credentials, making them a high-value target.

It’s safe to assume that not all of the developers responding to recruitment offers are jobless and that some of them probably already work for various companies while looking for better opportunities. Organizations should make sure machines with access to their development infrastructure and source code, whether belonging to employees or outside contractors, are well monitored and have strong access controls.