- North Korea is hiding malware in GitHub projects
- Projects are sent to developers as coding tests
- BeaverTail malware is used to steal credentials and cryptocurrency
Freelance software developers are the latest target of North Korean hackers seeking to spread infostealing malware, experts have warned.
The latest campaign, tracked by ESET as DeceptiveDevelopment, involves hackers posing as recruiters on social networks to target freelance developers working on cryptocurrency projects.
The main goal of the attacks is to steal cryptocurrency, likely in an effort to supplement North Korea's income.
Crypto theft and cyber espionage
The attackers copy or create recruiter personas and contact developers through job recruitment platforms such as LinkedIn, Upwork and Freelancer.com, offering them a job opportunity if they complete a coding test.
The test project is usually a hiring challenge, a cryptocurrency project, a game with some form of blockchain functionality, or a gaming project involving cryptocurrency or blockchain. The test files are hosted in private repositories on GitHub or a similar platform, and when the project is downloaded and run, the BeaverTail malware is deployed.
The hackers will often copy entire projects, making only the changes needed to add their malware and rewriting the README file. They generally try to hide the malicious code somewhere in the project where it would not attract suspicion or be easily seen, such as in the backend code as a single line placed after a comment that pushes it off the edge of the screen.
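A simple code-review check for the hiding technique described above, written as an added example for this article (not ESET's tooling or code from the campaign): it flags source lines that are unusually long and contain a wide run of whitespace followed by more code, the layout that pushes a malicious statement off-screen. The length and gap thresholds and the sample file are constructed assumptions to tune for the repository under review.

```python
"""Heuristic scanner for source lines that hide code off-screen.

Added example, not from the article or ESET. A line is reported when it is
longer than `max_len` characters AND contains at least `min_gap` consecutive
spaces/tabs followed by further non-whitespace content: a legitimate-looking
statement or comment on the left, a hidden payload far to the right.
"""
import re
from pathlib import Path


def find_hidden_code_lines(text, max_len=160, min_gap=40):
    """Return a list of (line_number, hidden_tail) for suspicious lines.

    `hidden_tail` is the text that follows the whitespace gap, truncated to
    80 characters so a reviewer can see what was pushed off-screen.
    Thresholds are assumptions; adjust them for the code base in question.
    """
    gap_re = re.compile(r"[ \t]{%d,}(\S.*)$" % min_gap)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if len(line) <= max_len:          # ordinary line length: skip
            continue
        match = gap_re.search(line)
        if match:                          # long line AND wide gap: report
            hits.append((lineno, match.group(1)[:80]))
    return hits


def scan_repo(root, suffixes=(".js", ".ts", ".py")):
    """Walk a checked-out project and map each flagged file to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.suffix in suffixes and path.is_file():
            hits = find_hidden_code_lines(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample: line 2 is a normal-looking statement with a second
# `require` pushed 250 spaces to the right, out of view in most editors.
SAMPLE_JS = (
    "const express = require('express');\n"
    "const cfg = require('./config');" + " " * 250 + "require('./utils/helper');\n"
    "app.listen(3000);\n"
)

if __name__ == "__main__":
    for lineno, tail in find_hidden_code_lines(SAMPLE_JS):
        print(f"line {lineno}: hidden tail -> {tail}")
```

Run it over an unpacked "coding test" before executing anything from the repository; a long, minified line without a wide gap is deliberately not reported, so the check stays useful on real projects.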
The BeaverTail malware targets browser databases to steal credentials, and also downloads the second stage of the campaign, InvisibleFerret, which acts as a backdoor that lets the attacker install the AnyDesk remote administration software for further post-compromise activity.
Windows, Mac and Linux users are all susceptible to the attack, and victims have been observed worldwide. The attackers did not discriminate, targeting everyone from junior developers to experienced professionals. The campaign shares similarities with Operation DreamJob, which targeted aerospace and defense workers to steal classified information.