Lazarus Group Targets Python Developers with Fake Coding Assignments
Security analysts at ReversingLabs are warning that members of the North Korean hacker group Lazarus are impersonating recruiters and offering Python developers fake coding tests, supposedly related to building a password manager. In reality, there is no password manager, and these assignments contain malware.
According to researchers, these attacks are part of the VMConnect campaign, first discovered in August 2023. At that time, attackers also targeted developers, but used malicious Python packages uploaded to the PyPI repository. Now, according to a ReversingLabs report, the Lazarus group is hosting their malicious projects on GitHub, where victims can also find README files with instructions for completing the “test assignment.” The instructions are crafted to appear professional, legitimate, and to create a sense of urgency.
How the Attack Works
The attackers pose as recruiters from major American banks, including Capital One and Rookery Capital Limited, to attract candidates. They likely offer appealing job conditions and benefits. Victims reported to researchers that Lazarus members usually contact their targets via LinkedIn.
As part of the test assignment, the attackers ask victims to find a bug in a fake password manager, submit their solution, and provide screenshots as proof of concept. The README file for this “test” instructs victims to first run the malicious password manager application (PasswordManager.py) on their system, and then begin searching for and fixing bugs.
Malware Delivery and Social Engineering
If the user doesn’t notice anything suspicious and runs the file, it executes an obfuscated base64 module hidden in the __init__.py files of the bundled pyperclip and pyrebase libraries. The obfuscated string acts as a malware loader, which connects to its command-and-control server and waits for further instructions.
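The following Python script is an added defensive example, not code from ReversingLabs or from the fake coding-test repositories. It shows one way to triage a project before running its entry script: it walks the tree and flags any __init__.py that bundles a long base64 blob together with decode/exec primitives, which is the loader shape the report describes. The package names come from the report; the regex heuristics, the temporary demo project and its harmless placeholder payload are constructed for illustration and do not reproduce the real sample.

```python
"""Static triage for a vendored-package loader hidden in __init__.py.

Added example (not ReversingLabs' or the attackers' code). Heuristics and
the demo project are constructed; the real sample is not reproduced."""
from __future__ import annotations

import base64
import re
import tempfile
from pathlib import Path

# Package names taken from the report. A coding-test repo that ships its own
# copy of either deserves a read before PasswordManager.py is ever run.
WATCHED_PACKAGES = {"pyperclip", "pyrebase"}

# A run of base64 alphabet long enough to carry code rather than a token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Primitives a loader needs to turn that string back into running code.
DECODE_EXEC = re.compile(
    r"\b(base64\.b64decode|exec|eval|compile|marshal\.loads)\s*\("
)


def find_suspicious_inits(project_root: Path) -> list[dict]:
    """Return one finding per __init__.py that looks like an embedded loader."""
    findings = []
    for init in sorted(project_root.rglob("__init__.py")):
        try:
            text = init.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        blobs = B64_BLOB.findall(text)
        primitives = sorted({m.group(1) for m in DECODE_EXEC.finditer(text)})
        if not blobs or not primitives:
            continue  # a blob alone or exec alone is common in clean code
        # Decode the first blob so an analyst sees what it would run.
        padded = blobs[0] + "=" * (-len(blobs[0]) % 4)
        try:
            preview = base64.b64decode(padded)[:80].decode("utf-8", "replace")
        except (ValueError, TypeError):
            preview = "<not valid base64>"
        pkg = init.parent.name
        findings.append({
            "path": str(init.relative_to(project_root)),
            "package": pkg,
            "vendored_watched": pkg in WATCHED_PACKAGES,
            "blob_length": len(blobs[0]),
            "primitives": primitives,
            "decoded_preview": preview,
        })
    return findings


# --- constructed demo project (stands in for the fake coding test) ----------
# The "payload" is a harmless print statement, base64-encoded only so the
# scanner has something realistic to find.
DEMO_PAYLOAD_SRC = 'print("constructed placeholder, not malicious")\n' * 6


def build_demo_project() -> Path:
    """Create a throwaway repo: clean pyrebase, planted pyperclip, entry script."""
    root = Path(tempfile.mkdtemp(prefix="codingtest-"))
    (root / "pyrebase").mkdir()
    (root / "pyrebase" / "__init__.py").write_text(
        '"""vendored copy, nothing hidden here"""\n__version__ = "0.0"\n'
    )
    blob = base64.b64encode(DEMO_PAYLOAD_SRC.encode()).decode()
    (root / "pyperclip").mkdir()
    (root / "pyperclip" / "__init__.py").write_text(
        "import base64\n"
        "def copy(text):\n    pass\n"
        f'exec(base64.b64decode("{blob}"))\n'
    )
    (root / "PasswordManager.py").write_text(
        "import pyperclip  # importing the vendored package runs its __init__\n"
    )
    return root


if __name__ == "__main__":
    demo = build_demo_project()
    for f in find_suspicious_inits(demo):
        print(f"{f['path']}: {f['primitives']} blob={f['blob_length']} chars")
        print(f"   decodes to: {f['decoded_preview']!r}")
```

Run it against a real checkout with `find_suspicious_inits(Path("path/to/repo"))` before executing anything in the repo. The point of the check is that a legitimate third-party library never needs a vendored __init__.py that decodes and executes a large opaque string; the decoded preview lets a reviewer see what would have run, and the time pressure in the README is exactly what this kind of ten-second scan is meant to resist.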
To discourage users from checking the project files for malware or obfuscated code, the README instructions require the assignment to be completed quickly: 5 minutes to build the project, 15 minutes to implement the patch, and another 10 minutes to send the final result to the “recruiter.”
While this is supposedly to test the candidate’s experience with Python projects and GitHub, in reality, the hackers are simply pressuring users to skip any security checks that might reveal the malicious code.
Ongoing Threat
Researchers note that this campaign was active as of July 31, 2024, and remains ongoing.