A new wave of cyberattacks, dubbed “DeceptiveDevelopment,” has been targeting freelance developers through fake job interview challenges, according to ESET researchers.
These attacks, linked to North Korea-aligned threat actors, involve malicious software disguised as coding tasks or projects.
The primary objective is to steal sensitive information, including cryptocurrency wallets and login credentials stored in browsers and password managers.
Since early 2024, attackers have posed as recruiters on platforms like LinkedIn, Upwork, and Freelancer.com.
They approach developers with enticing job offers and provide coding assignments hosted on private repositories.
These repositories contain trojanized projects that deploy malware upon execution.
The initial malware, named “BeaverTail,” acts as an infostealer and downloader, paving the way for a second-stage malware called “InvisibleFerret.”
The attackers use sophisticated tactics to conceal their malicious intent.
For instance, they embed harmful code at the end of long comments in project files, making it difficult for victims to detect without enabling word wrap in their code editors.
In some cases, victims are directed to download trojanized conferencing software from cloned websites resembling legitimate platforms like MiroTalk.
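The comment-padding trick described above can be checked for before any assignment code is executed. The scanner below is an added example written for this article, not code from ESET or from the campaign report: it flags source lines that are over-long, lines where code follows a long run of whitespace, and over-long lines where code follows a closing `*/`. The thresholds (`MAX_LINE_LEN`, `MIN_PAD_RUN`) are assumptions, and `SAMPLE_JS` is a constructed file that imitates the layout rather than any real trojanized project.

```python
import os
import re
from typing import List, NamedTuple, Dict

# Heuristic thresholds (assumed values, not taken from the ESET report).
MAX_LINE_LEN = 200   # lines longer than this rarely occur in hand-written code
MIN_PAD_RUN = 40     # a run of spaces/tabs this long is suspicious padding

# Non-blank char, then a long whitespace run, then more content on the same line.
PAD_RUN = re.compile(r"\S[ \t]{%d,}(\S.*)$" % MIN_PAD_RUN)
# A block-comment terminator followed by code on the same line.
BLOCK_CLOSE = re.compile(r"\*/[ \t]*(\S.*)$")


class Finding(NamedTuple):
    lineno: int
    reason: str
    tail: str   # the off-screen content, truncated for display


def scan_source(text: str, max_line_len: int = MAX_LINE_LEN) -> List[Finding]:
    """Return one Finding per line that looks like it hides code off-screen."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line:
            continue
        pad = PAD_RUN.search(line)
        if pad:
            findings.append(Finding(n, "code after long whitespace run", pad.group(1)[:60]))
            continue
        if len(line) > max_line_len:
            close = BLOCK_CLOSE.search(line)
            if close:
                findings.append(Finding(n, "code after block-comment close on over-long line",
                                        close.group(1)[:60]))
            else:
                findings.append(Finding(n, "over-long line (%d chars)" % len(line), line[-60:]))
    return findings


def scan_tree(root: str, exts=(".js", ".ts", ".py", ".json")) -> Dict[str, List[Finding]]:
    """Walk a checked-out repository and collect findings per file."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample: a legitimate-looking module with two off-screen statements.
# Line 4 hides a require() after a 230-character comment; line 5 hides a
# statement behind 120 spaces so it only shows up with word wrap enabled.
SAMPLE_JS = (
    "const express = require('express');\n"
    "// helper utilities\n"
    "function add(a, b) { return a + b; }\n"
    "/* TODO: refactor this module " + "x" * 230 + " */ require('./stage2-placeholder');\n"
    "module.exports = { add };" + " " * 120 + "console.log('off-screen');\n"
)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print("line %d: %s -> %r" % (f.lineno, f.reason, f.tail))
```

Run `scan_tree(".")` from the root of a freshly cloned assignment before opening or running it; anything reported should be read with word wrap on. The checks are heuristics: minified or generated files will trip the length rule, so keep those out of `exts` or add an allow-list for known build output.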
The two primary malware families employed in these attacks are BeaverTail and InvisibleFerret.
InvisibleFerret includes advanced capabilities such as keylogging, clipboard data theft, and file exfiltration.
It targets all major operating systems (Windows, Linux, and macOS), making it a versatile tool for cyberespionage and financial theft.
The campaign has affected hundreds of developers worldwide, ranging from junior freelancers to seasoned professionals.
While the attackers primarily focus on cryptocurrency-related projects, their reach extends across various domains.
Conversations with victims have predominantly been in English, though translation tools may be used for other languages.
ESET researchers attribute this activity cluster to North Korea with high confidence due to overlaps with known tactics used by groups like Lazarus.
Connections between GitHub accounts linked to DeceptiveDevelopment and profiles associated with North Korean IT workers further support this attribution.
Developers are urged to exercise caution when engaging with recruiters online.
Suspicious job offers involving private repositories or requests to execute unknown code should be thoroughly vetted.
Using updated antivirus software and enabling advanced security features can help mitigate risks.
As cybercriminals continue to innovate their techniques, vigilance remains crucial in safeguarding sensitive data against such deceptive schemes.