Friday, February 21, 2025

Hackers Delivering Malware Bundled with Fake Job Interview Challenges


ESET researchers have uncovered a series of malicious activities orchestrated by a North Korea-aligned group known as DeceptiveDevelopment, active since early 2024.

The cybercriminals pose as company recruiters, enticing freelance software developers with fake employment offers.

As part of the elaborate ruse, targets are asked to complete coding tests, such as adding features to existing projects, with the necessary files hosted on private GitHub repositories.

Unbeknownst to the candidates, these files are trojanized, and upon execution, the victim’s computer is compromised with the operation’s first-stage malware, BeaverTail.

DeceptiveDevelopment Targets Freelance Developers with Trojanized Projects

DeceptiveDevelopment employs spearphishing tactics on job-hunting and freelancing sites, primarily targeting software developers involved in cryptocurrency and decentralized finance projects.

Figure: DeceptiveDevelopment compromise chain

The attackers do not discriminate based on geographical location, aiming to compromise as many victims as possible to maximize their chances of extracting funds and information.

The group has successfully infiltrated Windows, Linux, and macOS systems.

Initial access is gained through fake recruiter profiles on social media, similar to the Lazarus group’s Operation DreamJob, but instead of targeting defense and aerospace engineers, DeceptiveDevelopment focuses on freelance software developers.

North Korea-aligned activity cluster aims to steal cryptocurrency and login information

According to ESET researchers, the attackers often employ a clever trick to conceal their malicious code.

They insert it into a benign component of the project, typically within backend code unrelated to the assigned task, appending it as a single line after a lengthy comment so that the malicious code sits far to the right, off-screen in a typical editor window.
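The concealment described above (code pushed past the visible width of an editor by a long comment or a run of whitespace) is cheap to check for before running any unfamiliar project. The scanner below is an added example written for this article; it is not ESET's tooling nor code from the campaign. It flags three patterns: lines longer than a reviewer would scroll, a long horizontal gap of whitespace followed by more code, and code that follows a block-comment terminator placed far to the right. The thresholds and the sample JavaScript input are constructed assumptions, not values taken from the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Calls worth a second look when they appear in a part of a line
# that a reviewer would never scroll to. Assumed list, not from the report.
SUSPECT_TOKENS = ("eval(", "require(", "child_process", "exec(", "subprocess", "base64")


@dataclass
class Finding:
    line_no: int
    reason: str
    hidden: str  # the text sitting past the point where a reviewer would stop reading


def scan_source(text: str, max_len: int = 300, gap: int = 80, comment_col: int = 120) -> list[Finding]:
    """Return one Finding per suspicious pattern found in each line of `text`.

    Thresholds (assumed defaults): max_len caps the visible line length, gap is the
    number of consecutive spaces/tabs that counts as an off-screen push, and
    comment_col is the column past which a closing '*/' followed by code is odd.
    """
    findings: list[Finding] = []
    # non-space, then at least `gap` spaces/tabs, then more non-space content
    gap_re = re.compile(rf"\S([ \t]{{{gap},}})(\S.*)$")
    # a block-comment terminator followed by code on the same line
    close_re = re.compile(r"\*/\s*(\S.*)$")

    for n, line in enumerate(text.splitlines(), 1):
        if len(line) > max_len:
            findings.append(Finding(n, "long_line", line[max_len:]))
        m = gap_re.search(line)
        if m:
            findings.append(Finding(n, "whitespace_gap", m.group(2)))
        m = close_re.search(line)
        if m and m.start() > comment_col:
            findings.append(Finding(n, "code_after_block_comment", m.group(1)))
    return findings


def suspicious(findings: list[Finding]) -> list[Finding]:
    """Keep only findings whose off-screen text contains a token from SUSPECT_TOKENS."""
    return [f for f in findings if any(tok in f.hidden for tok in SUSPECT_TOKENS)]


# Constructed sample: a small Express-style backend file in which two lines hide
# extra code off-screen. The payload strings are placeholders, not real malware.
SAMPLE = "\n".join([
    "const express = require('express');",
    "const app = express();",
    "app.get('/health', (req, res) => res.json({ ok: true }));",
    "const cfg = loadConfig();" + " " * 200 + "require('./vendor/util')(process.env);",
    "/* " + "Lorem ipsum dolor sit amet " * 15 + "*/ eval(Buffer.from('UExBQ0VIT0xERVI=', 'base64').toString());",
    "module.exports = app;",
])


if __name__ == "__main__":
    for f in suspicious(scan_source(SAMPLE)):
        print(f"line {f.line_no}: {f.reason}: {f.hidden[:60]}")
```

Run it over every file in a take-home repository before opening the project in an IDE; a hit is a reason to read the whole line in a pager, not a verdict. The whitespace and comment heuristics deliberately ignore what the hidden code does, because the concealment itself is the signal; the `suspicious()` filter only ranks the findings.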

The primary malware families used in these attacks are BeaverTail and InvisibleFerret.

BeaverTail, an infostealer and downloader, extracts browser databases containing saved logins and acts as a downloader for the second stage, InvisibleFerret.

InvisibleFerret is a modular, Python-based malware with spyware and backdoor components.

It can also download legitimate remote management software, such as AnyDesk, for post-compromise activities.

Attribution of DeceptiveDevelopment to North Korea is based on connections between GitHub accounts controlled by the attackers and accounts containing fake CVs used by North Korean IT workers.

These individuals apply for jobs in foreign companies under false identities to generate income for the regime.

The tactics, techniques, and procedures (TTPs) used by DeceptiveDevelopment are also similar to those of other known North Korea-aligned operations, such as Moonstone Sleet and Lazarus’s DreamJob campaign.

Despite their efforts, the threat actors often exhibit a lack of attention to detail, such as failing to remove development notes or commented-out local IP addresses from their code.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
