North Korean Job Scam Targets Developers
North Korean Hackers Target Freelance Developers with Fake Job Scams
Table of Contents
- North Korean Hackers Target Freelance Developers with Fake Job Scams
- What is the “DeceptiveDevelopment” scam?
- Which malware types are used in these scams?
- How do the hackers target and recruit victims?
- What is the background of these North Korean cybercriminal operations?
- How were the trojanized projects discovered and spread?
- Are there new methods being employed in these scams?
- What other compromise vectors are used in these scams?
- What precautions should freelance developers take?
- Are these scams only a threat to freelance developers?
- Can companies do anything to protect their employees?
Freelance developers across the globe are being targeted by North Korean cybercriminals posing as job recruiters. These bad actors lure developers into running software jobs that actually compromise their systems with infostealer malware. Hundreds of developers, ranging from junior programmers to seasoned professionals, have fallen victim to this scam over the past year, an operation that cybersecurity firm ESET has dubbed “DeceptiveDevelopment.”
The unknown actors behind DeceptiveDevelopment primarily target developers working on Windows, Linux, and macOS, with a focus on cryptocurrency and decentralized finance projects. The hackers are predominantly stealing crypto wallets, though there could also be cyberespionage involved as they grab login information from browsers and password managers.
“As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to do a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms,” the researcher wrote. “Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim’s computer gets compromised with the operation’s first-stage malware, BeaverTail.”
BeaverTail, a downloader and infostealer malware, is one of two tools used by the bad actors. The other is InvisibleFerret, another infostealer and remote access trojan (RAT).
Long History of IT Worker Scams
DeceptiveDevelopment, active since at least November 2023, is part of a broader array of money-making operations run by threat actors aligned with the North Korean regime. These operations involve fake job offers and fake IT workers: either luring victims into similar schemes or getting IT companies to unknowingly hire one of the regime's operatives as a remote IT worker.
Many of these and other threat campaigns North Korean operatives run are aimed at sending back stolen information and money that allows the rogue nation to bypass international sanctions and help pay for its nuclear and other weapons programs. They’ve been successful, having stolen $1.34 billion in crypto last year, according to blockchain analysis firm Chainalysis.
ESET first came across DeceptiveDevelopment after discovering trojanized projects on GitHub. The projects hid the malicious code at the end of long comments, which ensured the code stayed off the screen. They deliver both BeaverTail and InvisibleFerret and are connected to a command-and-control (C2) server.
The bad actors use fake recruiter profiles – either profiles they created or ones of existing people they modified – on social media, including LinkedIn, Upwork, Freelancer.com, and Crypto Jobs List. The tactics echo another fake job offer scam, Operation DreamJob, run by the high-profile North Korean Lazarus Group and targeting defense and aerospace engineers.
“The most commonly observed compromise vector consists of the fake recruiter providing the victim with a trojanized project under the guise of a hiring challenge or helping the ‘recruiter’ fix a bug for a financial reward,” the researcher wrote.
Victims access the project files either through a file transfer on the site or via a link to a repository on GitHub, GitLab, or Bitbucket. After downloading the files, they are asked to complete tasks, such as adding features or fixing bugs, and report back to the recruiter. They are also told to build and execute the project to test it, which launches the first compromise.
The repositories used are private and the recruiters ask victims to provide their account ID or email address to access them.
The trojanized projects are presented as hiring challenges, crypto projects, games with blockchain functionality, or gambling applications, also with blockchain and crypto features.
Malicious Code in Conferencing Software
Another compromise vector observed consisted of the fake recruiter inviting the victim to a job interview using an online conferencing platform and providing a link to a website from which the necessary conferencing software can be downloaded. The website is usually a clone of an existing conferencing platform’s website.
BeaverTail steals login information from browser databases and downloads InvisibleFerret, a Python-based malware that includes spyware and backdoor components. It also can download legitimate AnyDesk remote management and monitoring software. Both have been documented by other cybersecurity firms, including Zscaler, Palo Alto Networks’ Unit 42, and Group-IB.
ESET also discovered an updated version of InvisibleFerret, used since August 2024 and now presented as a single large script file – rather than being separated into individual modules – and with some code modifications to enhance support for macOS, such as collecting the username as well as the hostname of the system.
“We observed [DeceptiveDevelopment] go from primitive tools and techniques to more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware,” he wrote. “Any online job-hunting and freelancing platform can be at risk of being abused for malware distribution by fake recruiters.”
The researcher expects the activity to continue, and DeceptiveDevelopment to continue developing its tools and finding additional ways to target cryptocurrency users.
Recent Developments and Practical Applications
This scam highlights the growing sophistication of North Korean cyber operations, which are increasingly targeting freelance developers and IT professionals. The use of fake job offers and trojanized projects is a clear indication of the evolving tactics employed by these threat actors.
For U.S. readers, it is crucial to remain vigilant and educated about these scams. Developers and IT professionals should be wary of unsolicited job offers, especially those that require downloading and executing code from unknown sources. Always verify the legitimacy of job offers through multiple channels and be cautious of private repositories that require personal information to access.
Additionally, the use of conferencing software as a vector for malware distribution underscores the need for heightened security measures. Companies should ensure that their conferencing platforms are secure and that employees are trained to recognize and avoid phishing attempts.
Counterarguments and Criticisms
Some may argue that the risk of falling victim to such scams is minimal and that developers are generally tech-savvy enough to avoid them. However, the success of DeceptiveDevelopment and similar operations demonstrates that even experienced professionals can be caught off guard. The use of sophisticated social engineering tactics and the lure of financial gain make these scams particularly effective.
Furthermore, the implications of these scams extend beyond individual victims. The stolen cryptocurrency and sensitive information can be used to fund North Korea’s nuclear and weapons programs, posing a significant threat to global security.
Conclusion
The DeceptiveDevelopment scam serves as a stark reminder of the evolving threat landscape and the need for heightened vigilance. As cyber threats become more sophisticated, it is essential for developers, IT professionals, and organizations to stay informed and implement robust security measures. By understanding the tactics employed by North Korean hackers and taking proactive steps to protect against them, we can mitigate the risk and safeguard our digital infrastructure.
North Korean Hackers Target Freelance Developers with Fake Job Scams
What is the “DeceptiveDevelopment” scam?
DeceptiveDevelopment is a cybercriminal operation targeting freelance developers globally, orchestrated by North Korean hackers posing as job recruiters. This scam lures developers into running software jobs that compromise their systems with infostealer malware. Developers, from junior programmers to seasoned professionals, are asked to execute tasks on trojanized projects, leading to the deployment of malware like BeaverTail.
Which malware types are used in these scams?
The DeceptiveDevelopment operation employs two primary malware tools:
- BeaverTail: A downloader and infostealer malware that initiates the compromise by stealing login information from browsers and password managers.
- InvisibleFerret: Another infostealer and remote access trojan (RAT) that, alongside BeaverTail, enables extensive data theft and system control.
How do the hackers target and recruit victims?
Hackers create fake recruiter profiles on social media platforms such as LinkedIn, Upwork, Freelancer.com, and Crypto Jobs List. These profiles offer fake job opportunities or bug fixing with financial incentives. They often:
- Provide trojanized projects for supposed hiring challenges.
- Request access to private repositories on GitHub or similar platforms, under the guise of necessary job tasks.
What is the background of these North Korean cybercriminal operations?
These scams are part of a broader strategy by North Korean operatives to generate revenue. They have successfully stolen around $1.34 billion in cryptocurrency in a single year, which helps fund their nation’s sanction-bypassing efforts and nuclear programs.
How were the trojanized projects discovered and spread?
Cybersecurity firm ESET discovered these projects on GitHub with malicious code hidden at the end of long comments, ensuring it wouldn't appear on screen. The projects were connected to a remote command-and-control server and initiated the download of both BeaverTail and InvisibleFerret.
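The hiding technique described here and in the body of the article (code placed at the end of a long comment so it sits off-screen in an editor) can be caught mechanically before a candidate builds a project. The following Python scanner is an added example, not code from ESET or the article; the two heuristics, their thresholds, the constructed sample file and its placeholder `require('./lib/helper')` call are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Heuristic thresholds. These are assumptions chosen for this example,
# not values taken from the ESET report.
MAX_LINE_LENGTH = 200   # hand-written source rarely exceeds this
MIN_PADDING_RUN = 40    # a run of this many spaces/tabs pushes what follows off-screen

# Non-blank text, then a long run of horizontal whitespace, then more non-blank text.
PADDING_RE = re.compile(r"(?<=\S)[ \t]{%d,}(?=\S)" % MIN_PADDING_RUN)


@dataclass
class Finding:
    line_no: int   # 1-based line number in the scanned file
    reason: str    # which heuristic fired
    offset: int    # column where the suspicious content starts (or the line length)
    snippet: str   # first characters of that content, for the reviewer


def scan_source(text: str) -> List[Finding]:
    """Flag lines whose content could be hidden from a reviewer's screen.

    Heuristic 1: text after a long whitespace run on the same line (the pattern
    the article describes: code tucked behind a long comment so it scrolls off-screen).
    Heuristic 2: any line longer than MAX_LINE_LENGTH, a weaker signal that
    still deserves a look.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PADDING_RE.search(line)
        if match:
            start = match.end()
            findings.append(Finding(line_no, "content after long whitespace run",
                                    start, line[start:start + 60]))
        elif len(line) > MAX_LINE_LENGTH:
            findings.append(Finding(line_no, "overlong line",
                                    len(line), line[:60]))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper for scanning a file on disk before building it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample: a small JavaScript-like file. Line 3 hides an extra
# require() call (a placeholder, not real malware) behind 500 spaces;
# line 4 is merely a very long comment.
SAMPLE_LINES = [
    "const express = require('express');",
    "// Load application config",
    "const config = require('./config');" + " " * 500 + "require('./lib/helper')(config.apiKey);",
    "/* " + "lorem ipsum " * 30 + "*/",
    "app.listen(3000);",
]
SAMPLE_SOURCE = "\n".join(SAMPLE_LINES) + "\n"


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no} col {f.offset}: {f.reason}: {f.snippet!r}")
```

Run over the sample, the scanner reports line 3 at column 535 (the hidden call) and line 4 as merely overlong. The first heuristic is the precise one; the second produces false positives on minified or generated files, so its hits are prompts for manual inspection rather than verdicts. Viewing files with word wrap enabled catches the same trick by eye.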
Are there new methods being employed in these scams?
As of August 2024, an updated version of InvisibleFerret has emerged. It is now presented as a single, large script file rather than multiple modules, with changes to better support macOS. This evolution indicates a shift toward more advanced and capable malware tools.
What other compromise vectors are used in these scams?
Apart from hosting trojanized files for download, the fraudsters:
- Invite job candidates to fake online interviews.
- Provide links to cloned versions of legitimate conferencing software websites to distribute malware.
What precautions should freelance developers take?
To safeguard against these scams, developers should:
- Verify the legitimacy of job offers across multiple channels.
- Be cautious about downloading and executing code from unknown sources.
- Confirm the trustworthiness of private repositories and links provided by recruiters.
- Stay updated on cybersecurity practices and awareness of emerging threats.
Are these scams only a threat to freelance developers?
While primarily targeting freelance developers, the tactics could expand to IT professionals and tech-savvy individuals. Due to the success and sophistication of these scams, vigilance and enhanced security measures are necessary across various sectors.
Can companies do anything to protect their employees?
Organizations should:
- Educate employees on recognizing and avoiding phishing attempts.
- Ensure the security of their conferencing platforms.
- Implement robust cybersecurity practices and regular checks against potential vulnerabilities.
By understanding these threats and taking proactive measures, both individuals and organizations can better protect themselves against expanding cyber threats.
