northkorea_DD_Images_shutterstock

North Korea’s Lazarus APT Evolves Developer-Recruitment Attacks

Share:

“Operation 99” uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

North Korea’s Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

“Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants,” according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus’ goals to fund the regime of North Korean leader Kim Jong Un.

“By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to,” according to the report.

North Korea’s History of Targeting Developers

The campaign builds on previous tactics by the group to target developers with various malware, including 2021’s Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus’ long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:DoJ Busts Up Another Multinational DPRK IT Worker Scam

While a Department of Justice operation in May disrupted North Korea’s widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

“In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns,” says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, “enabling them to effectively deceive victims,” he adds.

“By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers,” Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
12:23 am, Feb 12, 2025
weather icon 4°C
L: 3° | H: 5°
overcast clouds
Humidity: 91 %
Pressure: 1019 mb
Wind: 5 mph NNW
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 100%
Rain Chance: 0%
Visibility: 6 km
Sunrise: 7:20 am
Sunset: 5:09 pm
DailyHourly
Daily ForecastHourly Forecast
Today 9:00 pm
weather icon
3° | 5°°C 0 mm 0% 5 mph 89 % 1021 mb 0 mm/h
Tomorrow 9:00 pm
weather icon
3° | 6°°C 0 mm 0% 9 mph 87 % 1025 mb 0 mm/h
Fri Feb 14 9:00 pm
weather icon
1° | 6°°C 0 mm 0% 8 mph 81 % 1026 mb 0 mm/h
Sat Feb 15 9:00 pm
weather icon
1° | 6°°C 0 mm 0% 8 mph 85 % 1024 mb 0 mm/h
Sun Feb 16 9:00 pm
weather icon
4° | 8°°C 1 mm 100% 6 mph 95 % 1019 mb 0 mm/h
Today 3:00 am
weather icon
4° | 4°°C 0 mm 0% 3 mph 89 % 1019 mb 0 mm/h
Today 6:00 am
weather icon
4° | 4°°C 0 mm 0% 3 mph 79 % 1018 mb 0 mm/h
Today 9:00 am
weather icon
4° | 4°°C 0 mm 0% 3 mph 76 % 1019 mb 0 mm/h
Today 12:00 pm
weather icon
5° | 5°°C 0 mm 0% 3 mph 68 % 1019 mb 0 mm/h
Today 3:00 pm
weather icon
6° | 6°°C 0 mm 0% 3 mph 71 % 1019 mb 0 mm/h
Today 6:00 pm
weather icon
5° | 5°°C 0 mm 0% 5 mph 76 % 1020 mb 0 mm/h
Today 9:00 pm
weather icon
5° | 5°°C 0 mm 0% 5 mph 78 % 1021 mb 0 mm/h
Tomorrow 12:00 am
weather icon
3° | 3°°C 0 mm 0% 4 mph 87 % 1022 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€92,455.11
-1.93%
Ethereum(ETH)
€2,514.63
-2.42%
Tether(USDT)
€0.96
-0.03%
XRP(XRP)
€2.33
-0.76%
Solana(SOL)
€190.84
-1.51%
USDC(USDC)
€0.97
0.00%
Dogecoin(DOGE)
€0.244036
-1.34%
Shiba Inu(SHIB)
€0.000015
-0.97%
Pepe(PEPE)
€0.000010
-0.13%
Scroll to Top