- Slow Pisces targets crypto developers with malicious code disguised as stock analysis tools
- The malicious code hides in plain sight inside GitHub projects and uses YAML deserialization tricks
- Victims unknowingly install RN Loader and RN Stealer through rigged Python repositories
A North Korean hacking group known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector through LinkedIn.
The group, also known as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly genuine job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.
The campaign has let the group steal significant amounts of cryptocurrency. In 2023 alone it was linked to over $1 billion in stolen funds, and a $1.5 billion hack on a Dubai-based exchange and a $308 million theft from a Japanese company are among its more recent attacks.
Coders, take care!
After first sending PDF documents containing job descriptions, the attackers follow up with coding tasks hosted on GitHub.
Although these repositories appear to be based on legitimate open source projects, they have been quietly modified to include hidden malware.
Victims who believe they are completing programming tests unwittingly run malware such as RN Loader and RN Stealer on their systems.
These booby-trapped projects mimic legitimate developer tools and applications. For example, a Python repository may appear to analyze stock market trends using data from reputable sources while secretly communicating with attacker-controlled domains.
The malware evades most detection tools by using YAML deserialization to execute code, which lets it avoid commonly flagged functions such as eval or exec. Once triggered, the loader fetches and runs additional payloads directly in memory, making them difficult to detect or remove.
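To make the YAML trick concrete, here is an added example in Python; it is not code from the article or from Unit42's report, and it does not reproduce the group's loader. It shows the shape of a YAML document that makes PyYAML instantiate arbitrary Python objects when parsed with the full yaml.Loader (no eval or exec anywhere), a scanner that flags such tags in YAML text, and an ast-based audit that flags yaml.load calls in a repository that use an unsafe loader. The sample YAML and the sample source snippet are constructed; the tag names and loader class names are PyYAML's own. The optional runtime comparison needs PyYAML installed and returns None otherwise.

```python
import ast
import re

# Constructed sample YAML: the "config" entry carries a PyYAML-specific tag that
# makes the full yaml.Loader import os and call os.getcwd() while parsing.
# A real loader would point the tag at something far worse; this one is benign.
SAMPLE_YAML = """\
symbols: [AAPL, MSFT]
config: !!python/object/apply:os.getcwd []
"""

# Constructed sample of repository source code to audit.
SAMPLE_SOURCE = '''\
import yaml
cfg = yaml.load(open("config.yaml"), Loader=yaml.Loader)
data = yaml.load(blob)
ok = yaml.load(blob, Loader=yaml.SafeLoader)
'''

# Tags that make PyYAML build Python objects: code execution without eval/exec.
PYTHON_TAG = re.compile(r"!!python/(object/apply|object/new|object|name|module)\b")

UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}


def find_python_tags(yaml_text):
    """Return (line number, tag) for every PyYAML object-construction tag."""
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        match = PYTHON_TAG.search(line)
        if match:
            hits.append((lineno, match.group(0)))
    return hits


def _loader_name(node):
    # Handle both `Loader=yaml.Loader` and `Loader=Loader`.
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def audit_yaml_loads(source):
    """Return (line number, loader, verdict) for each yaml.load/load_all call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_yaml_load = (isinstance(func, ast.Attribute)
                        and func.attr in ("load", "load_all")
                        and isinstance(func.value, ast.Name)
                        and func.value.id == "yaml")
        if not is_yaml_load:
            continue
        loader = _loader_name(node.args[1]) if len(node.args) > 1 else None
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader = _loader_name(kw.value)
        if loader is None or loader in UNSAFE_LOADERS:
            # No Loader argument: PyYAML before 5.1 silently used the full Loader.
            verdict = "unsafe"
        elif loader in SAFE_LOADERS:
            verdict = "safe"
        else:
            verdict = "review"  # e.g. FullLoader or a custom subclass
        findings.append((node.lineno, loader, verdict))
    return findings


def safe_vs_unsafe(yaml_text):
    """Parse with safe_load and with the full Loader; None if PyYAML is absent."""
    try:
        import yaml
    except ImportError:
        return None
    try:
        yaml.safe_load(yaml_text)
        safe_verdict = "accepted"
    except yaml.YAMLError:  # safe_load refuses !!python/* tags
        safe_verdict = "rejected"
    # The full Loader resolves the tag and calls os.getcwd() during parsing.
    unsafe_result = yaml.load(yaml_text, Loader=yaml.Loader)["config"]
    return {"safe_load": safe_verdict, "unsafe_load": unsafe_result}


if __name__ == "__main__":
    print(find_python_tags(SAMPLE_YAML))
    print(audit_yaml_loads(SAMPLE_SOURCE))
    print(safe_vs_unsafe(SAMPLE_YAML))
```

Run as a script it prints the tag hit, the three audit verdicts, and (with PyYAML present) the string returned by os.getcwd() that the full Loader produced at parse time. The practical takeaway for reviewing a "coding test" repository is the audit: a yaml.load call with yaml.Loader, yaml.UnsafeLoader, or no Loader on an old PyYAML is the primitive a loader of this kind abuses, and switching to yaml.safe_load removes it; a grep for `!!python/` in any YAML the project ships or downloads is the cheap companion check.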
One such payload, RN Stealer, is designed to exfiltrate credentials, cloud configuration files and stored SSH keys, particularly from macOS systems.
JavaScript variants of the malware work similarly, using the Embedded JavaScript (EJS) templating engine to hide malicious code that is only activated for targeted victims based on factors such as IP address or request headers.
Forensic analysis shows that the malware stores code in hidden folders and communicates over HTTPS using custom tokens. However, investigators were unable to recover the full JavaScript payload.
GitHub and LinkedIn have responded by removing the malicious accounts and repositories involved.
“GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigative experts and membership reporting, to combat bad actors and enforce service conditions. We continue to develop and improve our processes and encourage our clients and members to report any suspected activity,” the two companies said.
There is a growing need for caution when approached with remote job offers and coding tests. Developers are advised to use strong antivirus software and to run unknown code only in isolated environments, especially when working in sensitive sectors such as cryptocurrency.
Those concerned about security should also make sure they use reputable IDEs, which typically include integrated security features. Staying alert and working in a secure, controlled setup can significantly reduce the risk of falling prey to state-sponsored cyber threats.
Via Unit42