Python Developers Targeted with Malware During Fake Job Interviews

Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article:

These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving “coding tests” that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present. The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS.
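The article says only that the "coding test" hid its payload behind Base64 encoding and that the decoded payload gave the attacker remote execution. A developer handed a take-home project can check for the most common shape of that trick before running anything. The scanner below is an added example, not code from the article or from the campaign it describes; it assumes the obfuscation takes the form of `exec(...)`/`eval(...)` fed, directly or via an intermediate variable, by `base64.b64decode` or a sibling decoder, and all three sample sources are constructed here for illustration. Real samples may use other encodings or load the payload at runtime, so a clean result is not a clean bill of health.

```python
"""Flag Python source that decodes a Base64 blob and hands it to exec/eval.

Added example for this post, not code from the article or the campaign it
describes. Assumes the obfuscation looks like exec(base64.b64decode(...))
or the two-step form `payload = b64decode(...); exec(payload)`.
"""
import ast
import base64
from typing import List

# Decoder names worth treating as "this string is not what it looks like".
DECODERS = {"b64decode", "urlsafe_b64decode", "b32decode", "a85decode", "b85decode"}
# Sinks that turn a string into running code.
SINKS = {"exec", "eval"}


def _call_name(node: ast.AST) -> str:
    """Return the bare callee name of a Call node ('exec', 'b64decode', ...)."""
    if isinstance(node, ast.Call):
        func = node.func
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):   # base64.b64decode -> b64decode
            return func.attr
    return ""


def _contains_decoder(node: ast.AST) -> bool:
    """True if any call nested under `node` is one of DECODERS."""
    return any(_call_name(n) in DECODERS for n in ast.walk(node))


def find_obfuscated_exec(source: str) -> List[int]:
    """Return sorted line numbers where exec/eval receives a decoded payload."""
    tree = ast.parse(source)

    # Pass 1: names assigned from a decoder call (the two-step variant).
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _contains_decoder(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted.add(target.id)

    # Pass 2: exec/eval whose argument is a decoder call or a tainted name.
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in SINKS:
            for arg in node.args:
                if _contains_decoder(arg) or (
                    isinstance(arg, ast.Name) and arg.id in tainted
                ):
                    hits.add(node.lineno)
                    break
    return sorted(hits)


# Constructed sample sources. The blob is harmless and built here so the
# example stays offline; a real dropper would hide a downloader instead.
BLOB = base64.b64encode(b"print('hello')").decode()

BENIGN = """
import base64
def decode_token(tok):
    return base64.b64decode(tok).decode()
"""

SUSPICIOUS = f"""
import base64
cfg = "{BLOB}"
exec(base64.b64decode(cfg))
"""

TWO_STEP = f"""
import base64 as b
data = b.b64decode("{BLOB}")
exec(data)
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("direct", SUSPICIOUS), ("two-step", TWO_STEP)):
        print(f"{label}: exec/eval of decoded payload on lines {find_obfuscated_exec(src)}")
```

Run it over every `.py` file in the project before executing anything, and treat any hit as a reason to stop and inspect the decoded bytes on a machine you do not care about. The check is deliberately narrow; the point is that a recruiter's "test" is untrusted code and deserves the same review as any other third-party package.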

Posted on September 17, 2024 at 7:02 AM • 5 Comments

Comments

Clive Robinson September 17, 2024 8:49 AM

I’m surprised this has taken so long to appear as a risk.

This “solve a task we set in your own time” part of the software interview process started quite a while before 2019 but “Lockdown” pushed it to being “standard”.

If you think about it for a moment it’s an obvious “exploit path” to getting a backdoor “Remote Access Trojan” (RAT) onto a developer’s personal machine(s).

It’s just one reason why for years I’ve talked about the “Two Energy Gapped Computers” or “Strong Segregation Security” architecture. With one computer for “external communications” and one for “Private Work”.

As I’ve indicated in the past my own systems are completely segregated from all external communications, including the power grid and I’ve an established procedure for “gap crossing”.

Yes when I first talked about it many thought I was in effect paranoid, but here we are a decade later and the attackers have “eaten all the juicy low hanging fruit” so they are stretching their necks a little.

However I suspect this is not the first time this sort of attack has been used; certain European cryptographers have suspicions around a well-known European telecommunications company. But it’s their story to tell.

Jan Doggen September 18, 2024 2:57 AM

Why would any random developer applying for a job be a worthwhile target? Sounds like a big waste of time to me.

Ben Duke September 19, 2024 12:55 AM

@Jan

  • Post job
  • Scan resumes looking for people who are working for an interesting company
  • Interview them

Offer to pay lots and you might get some interesting targets.
Still seems a stretch though…

Paul Sagi September 19, 2024 4:48 AM

Clive,

I love your approach to network security!
Here in the tropics near the Equator there are plenty of thunderstorms and sometimes power blackouts, power security is a serious matter.
My approach has been to use a UPS (uninterruptible power supply) to secure the power supply and to have surge protection as well, including on phone lines. I have two UPSes, because I have network hardware in two locations. All equipment in each location has a common (shared) earth (ground) connection to prevent potentials (voltages) that arise from nearby lightning strikes. Two decades of that and the only damage was to the MOV (metal oxide varistor) surge protection on the phone line. No damage to any modem, router or computer.

Cheers,

Paul

Winter September 19, 2024 11:42 PM

This attack looks to me as an extension of another abuse of job “interviews”: Free consultations.[1]

[1] https://www.forbes.com/sites/lizryan/2017/05/07/dont-let-a-job-interview-turn-into-a-free-consulting-session/
