- North Korean hackers hide malware in GitHub projects
- The projects are then sent to developers as a coding test
- The BeaverTail malware is then used to steal credentials and cryptocurrency
Freelance software developers are the latest target of North Korean hackers spreading info-stealing malware, experts have warned.
The latest campaign, tracked by ESET as DeceptiveDevelopment, involves hackers posing as recruiters on social media to target freelance developers working on cryptocurrency projects.
The main purpose of the attacks is to steal cryptocurrency, probably in an attempt to supplement North Korea's income.
Crypto theft and cyber espionage
The attackers copy or create recruiter personas and reach out to developers through job platforms such as LinkedIn, Upwork and Freelancer.com, offering them a job opportunity if they complete a coding test.
The test project is typically a hiring challenge, a cryptocurrency project, or a game with some form of blockchain or cryptocurrency functionality. The test files are hosted in private repositories on GitHub or a similar platform, and once the project is downloaded and run, the BeaverTail malware executes.
The hackers often copy entire existing projects, changing nothing other than adding their malware and rewriting the README file. They usually try to hide the malicious code somewhere in the project where it would not attract suspicion or be easily spotted, such as in the backend code, as a single line placed behind a lengthy comment that pushes it off-screen.
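As an added illustration (not code from the article or from ESET's report), the following Python heuristic flags lines in which executable-looking tokens sit beyond a typical editor width, preceded by a comment marker or a long run of spaces, which is the hiding pattern described above. The sample JavaScript lines are constructed, and the column threshold, gap length and token list are assumptions chosen for the example.

```python
import os
import re

# Assumptions (not from the article): columns beyond this are treated as
# off-screen in a typical editor, and a filler this long counts as a gap.
VISIBLE_COLS = 120
MIN_GAP = 40

# Tokens that have no business sitting far to the right of a comment gap.
SUSPICIOUS = re.compile(
    r"\b(eval|Function|require|import|fetch|exec|spawn|child_process"
    r"|XMLHttpRequest|atob|Buffer\.from)\b"
)


def find_hidden_code(source, visible_cols=VISIBLE_COLS, min_gap=MIN_GAP):
    """Return (line_no, column, token, snippet) for each line that carries
    executable-looking code beyond `visible_cols`, behind a comment marker
    or a run of at least `min_gap` spaces."""
    findings = []
    gap = re.compile(r" {%d,}|/\*|\*/|//" % min_gap)
    for line_no, line in enumerate(source.splitlines(), 1):
        if len(line) <= visible_cols:
            continue
        tail = line[visible_cols:]
        match = SUSPICIOUS.search(tail)
        if not match:
            continue  # long line, but nothing executable off-screen
        column = visible_cols + match.start()
        if not gap.search(line[:column]):
            continue  # no filler before the token: probably just a long line
        findings.append((line_no, column, match.group(0), line[column:column + 60]))
    return findings


def scan_repo(root, extensions=(".js", ".ts", ".mjs", ".cjs", ".py")):
    """Walk a cloned test project and collect findings per source file."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_code(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample: two benign lines, one benign long comment, two hidden payloads.
SAMPLE_JS = "\n".join([
    "const express = require('express');",
    "app.get('/', (req, res) => res.send('ok'));",
    "// " + "x" * 200,
    "module.exports = app; /* " + "config notes " * 12 + "*/ require('./.cache/' + atob('c2Vzc2lvbg=='))",
    "const pad = 1;" + " " * 150 + "eval(Buffer.from(PAYLOAD, 'base64').toString());",
])

if __name__ == "__main__":
    for line_no, column, token, snippet in find_hidden_code(SAMPLE_JS):
        print(f"line {line_no} col {column}: {token!r} -> {snippet}")
```

Run `scan_repo` against a freshly cloned test project before opening it in an IDE or running `npm install`. The check is deliberately crude: a long line containing a URL (`//`) and a word such as `import` will also be flagged, and obfuscated code that avoids these tokens will not be, so treat hits as prompts to read the line in full rather than as verdicts.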
BeaverTail targets browser databases to steal stored credentials and also downloads the second stage of the campaign, InvisibleFerret, a backdoor that lets the attacker install the AnyDesk remote management software for further post-compromise activity.
Windows, macOS and Linux users are all susceptible to the attack, and victims have been observed across the globe. The attackers did not discriminate, targeting everyone from junior developers right up to experienced professionals. The campaign shares similarities with Operation DreamJob, which targeted aviation and defense workers to steal classified information.