- North Korea hides malicious software in GitHub’s projects
- Projects are then sent to developers as coding test
- Beauvertail malware is then used to steal identification and crypto information
Independent software developers are the last target of North Korean pirates who seek to distribute infostative malware, experts warned.
The latest campaign, identified by ESET as a deceptive development, implies that the pirates pretended to be recruiters on social networks to target independent developers working on cryptocurrency projects.
The main objective of attacks is to steal the cryptocurrency, probably in order to complete the income from North Korea.
Cryptographic and cyber-espionage flight
The attackers copy or create recruitment characters and will contact the developers via job recruitment platforms such as Linkedin, Upwork and Freelancer.com, offering them a job opportunity if they carry out a coding test.
The test project is generally either a job challenge, a cryptocurrency project, a game with a form of blockchain functionality or a game project with cryptocurrency or the blockchain involvement. The test files are hosted in private standards on GitHub or on a similar platform, and when they are downloaded and the project executed, Beavetail Malveilleur is deployed.
Pirates will often copy entire projects, making other modifications than adding their malware and rewriting the Readme file. Pirates will generally try to hide their malicious code somewhere in the project which will not attract suspicion or will not be easily spotted, as in the Backend code in a single line behind a comment that pushes it off screen.
Bea reward malware will target browser databases to steal identification information and also download the second stage of the campaign, invisibleferret, which acts as a stolen door allowing the attacker to install the Anydesk remote management software For additional post-compromise activity.
Windows, Mac and Linux users are all sensitive to the attack, the victims being observed around the world. The attackers did not discriminate to target everyone from junior developers to experienced professionals. The campaign shares similarities with Operation Dreamjob, which targeted aerospace and defense workers to steal classified information.
