North Korean state-sponsored threat actor Lazarus Group is evolving its “fake job” hacking campaign, researchers have warned.
Lazarus has been creating fake LinkedIn accounts and posting fake job ads across the internet for years. They offer their victims, often developers, enticing packages, high salaries, and plenty of perks. But instead of getting the job, after a few interview rounds, the only thing these people would get is malware, often from .PDF files posing as job details and such.
Now, cybersecurity researchers from ReversingLabs are saying that Lazarus is still running the same scheme, but is now targeting Python developers with a fake coding test project.
Apparently, the group would still start the same way, by impersonating someone on LinkedIn. This time around, it is the Capital One bank. Then, they would host the malware on GitHub, disguising it as a password manager project. After that, they would find suitable victims and, at some point, ask to test their skills.
The “test” includes downloading and installing the password manager, and then “hunting” for bugs. The entire thing must be finished within half an hour. The crooks would argue that the limit prevents the candidates from cheating, but ReversingLabs says it’s to prevent the victims from spotting the ruse and acting on it.
The malware acts as a downloader, granting the attackers the ability to deploy secondary malicious code, depending on the compromised environment. The campaign is dubbed “VMConnect campaign” and it’s been active since August 2023, more than a year now. ReversingLabs believes the campaign is still ongoing.
North Korean threat actors usually target developers working on cryptocurrency projects, as that allows them to steal people’s money and use it to fund the state apparatus and the country’s weapons program. One of Lazarus’ biggest heists netted them more than half a billion dollars.
Via BleepingComputer