The article reports on a concerning trend where North Korean cybercriminals, under the operation known as DeceptiveDevelopment, are preying on freelance developers globally. These attackers pose as legitimate recruiters and entice candidates to complete coding tests involving software hosted on platforms like GitHub. Unfortunately, these coding tasks contain trojanized files that deploy infostealer malware, such as BeaverTail and InvisibleFerret, designed to steal sensitive information, particularly from cryptocurrency projects. Hundreds of victims, from junior to experienced developers, have fallen prey to this scheme, demonstrating the critical importance of vigilance in online job searches.
As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to do a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms.
Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim's computer gets compromised with the operation's first-stage malware, BeaverTail.
The hackers are mostly stealing crypto wallets, though there could be cyberespionage involved as well, as they grab login information from browsers and password managers.
DeceptiveDevelopment...is one in a broad array of money-making operations run by threat actors aligned with the North Korean regime that involves fake job offers and IT workers.