North Korean hackers are sending out fake job adverts to try and steal victims' data

Fake job ads are back in fashion

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Software developers are once again being targeted by fake job ads. The goal of the newly observed campaign is the same as the ones seen before - to drop remote access trojans (RAT) on compromised endpoints, steal passwords, and other sensitive data.

A report from researchers Securonix describes a recently observed campaign in whichPython developersare invited to participate in a job interview process. This process includes, among other things, trial tasks, in which the developers are told to download and run code from GitHub.

However, the code carries an obfuscated JavaScript file which, when executed, triggers an infection chain that concludes with the installation of the RAT.

Is Lazarus back?

This RAT grants the attackers a number of things, including persistent connections, file system commands, remote command execution capabilities, direct FTP data exfiltration, and clipboard and keystroke logging.

Securonix dubbed the campaign “Dev Popper”.

While the researchers did not attribute the campaign to any specific threat actor (citing lack of conclusive evidence), Dev Popper does have Lazarus Group’s fingerprints all over it.

Lazarus is a North Korean state-sponsored threat actor that’s been observed creating fake jobs in the past. In previous examples, the group would create convincing LinkedIn profiles and would reach out to software developers with a background in blockchain development, with great job opportunities.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The goal of the attacks was to steal the developers’ cryptocurrencies, one of Lazarus’ hallmarks. However, this is the first time the victims were invited to download and run GitHub code. In earlier examples, the attackers tried to infect devices with malware hiding in .docx files, .pdfs, and other file formats.

Late last year, researchers spotted a massive fake job campaign, believed to have affected more than 100,000 people in at least 50 countries. The victims were infected withransomware, and were extorted for more than $100 million.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Lego will let you build Sir Ernest Shackleton’s iconic lost ship, the Endurance, in its next Icons set