North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware

Summary:
Cybercriminals have long approached their targets under the guise of company recruiters, enticing them with fake offers of employment and exploiting the fact that a candidate focused on a potential job is less likely to scrutinize what they are asked to run. ESET researchers have documented a series of North Korea-aligned operations in which the attackers pose as headhunters and deliver software projects that harbor infostealing malware; they named this activity cluster DeceptiveDevelopment. As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to complete a coding test, such as adding a feature to an existing project, with the files needed for the task usually hosted in private repositories on GitHub or similar platforms. Unfortunately for the eager candidate, these files are trojanized. ESET first observed DeceptiveDevelopment in early 2024, when researchers uncovered trojanized projects hosted on GitHub with malicious code appended to the end of very long comment lines, effectively pushing the code off-screen in a typical editor view.

To compromise its victims' computers, DeceptiveDevelopment provides its targets with trojanized codebases that deploy backdoors as part of a faux job interview process. These ongoing attacks deliver two malware families: BeaverTail (an infostealer and downloader) and InvisibleFerret (a modular backdoor). The operators target software developers on Windows, Linux, and macOS. Their primary motive is stealing cryptocurrency for financial gain, with cyber espionage as a possible secondary objective. The attackers do not discriminate by geographic location and aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information. Like the Lazarus Group's Operation DreamJob, these operators use fake recruiter profiles on social media to approach their targets; however, whereas Operation DreamJob targeted defense and aerospace engineers, this campaign focuses on developers working on cryptocurrency projects. The most commonly observed compromise vector is the fake recruiter providing the victim with a trojanized project, either as a hiring challenge or as a request to help the "recruiter" fix a bug for a financial reward. AnyDesk remote-access software is the only persistence mechanism ESET found in this compromise chain.

Security Officer Comments:
ESET assesses DeceptiveDevelopment as North Korea-aligned activity but was unable to attribute it to a specific known threat actor, most likely because of the C2 infrastructure and techniques shared among DPRK threat actors. ESET also observed connections between GitHub accounts controlled by the attackers and accounts containing fake CVs used by North Korean IT workers, consistent with what Unit 42 researchers reported. Not all evidence of these attacks could be acquired, because the GitHub repositories involved had already been taken down. The ability to deploy malware on all major operating systems underscores the versatility of these operations. The DeceptiveDevelopment activity cluster is the most recently reported North Korea-aligned financial theft scheme, adding to the large collection of money-making schemes employed by DPRK threat actors. Amid an increase in remote work, DPRK actors have shifted their focus toward stealing cryptocurrency by targeting developers who may keep their funds in a hot wallet. The increase in sophistication ESET witnessed over almost a year of tracking the campaign shows that these threat actors keep refining their attack chain based on previous results. Freelance software developers should be extremely cautious about unsolicited job offers, especially those related to cryptocurrency projects. Developers should independently verify the legitimacy of any potential employer and avoid clicking links or downloading files from unverified sources. Examining code repositories for suspicious or obfuscated code is crucial, and a private repository handed over as part of an "interview" should be treated with extreme suspicion; at a minimum, any such project should be built and run only in a disposable virtual machine or container with no access to wallets, SSH keys, or browser profiles. Developers should also be wary of requests to install specific video conferencing software for interviews, as this can be a vector for malware delivery.
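The hiding technique described in the summary (malicious code appended far to the right of a long comment so that it sits off-screen) is cheap to check for before building a recruiter-supplied project. The following scanner is an added example written for this page; it is not ESET's tooling and not part of any project ESET analyzed. The visible-width threshold, the whitespace-padding threshold, the token list, the file extensions, the script name scan_hidden_code.py and the two embedded sample files are all assumptions chosen for illustration.

```python
"""scan_hidden_code.py: flag source lines that carry code beyond the visible
editor width. Added example for this summary, not ESET's or any project's
code. Width, thresholds, token list, extensions and the embedded samples
are assumptions chosen for illustration."""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import NamedTuple

MAX_VISIBLE_WIDTH = 160                   # assumed editor width (assumption)
PADDING_RUN = re.compile(r"[ \t]{40,}")   # whitespace used to push code right
# Tokens that should not appear in the off-screen tail of a line.
SUSPICIOUS = re.compile(
    r"\b(?:eval|exec|Function|require|child_process|subprocess|fromCharCode"
    r"|atob|b64decode|XMLHttpRequest|fetch|spawn)\b\s*\(|https?://"
)
SOURCE_EXTENSIONS = {".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs", ".py"}


class Finding(NamedTuple):
    path: str
    line_no: int
    reasons: tuple[str, ...]
    hidden: str            # start of the off-screen content, for triage


def inspect_line(line: str) -> tuple[tuple[str, ...], str] | None:
    """Return (reasons, hidden_text) when `line` appears to carry code
    beyond the visible width, otherwise None."""
    if len(line) <= MAX_VISIBLE_WIDTH:
        return None
    tail = line[MAX_VISIBLE_WIDTH:]
    reasons = []
    # 1. A long run of spaces/tabs ending off-screen, with content after it.
    pad = PADDING_RUN.search(line)
    if pad and pad.end() >= MAX_VISIBLE_WIDTH and line[pad.end():].strip():
        reasons.append("code after whitespace padding")
        tail = line[pad.end():]
    # 2. A block comment that is closed off-screen and followed by code.
    close = line.find("*/", MAX_VISIBLE_WIDTH)
    if close != -1 and line[close + 2:].strip():
        reasons.append("code after off-screen comment close")
        tail = line[close + 2:]
    # 3. Execution or network primitives in the part nobody would see.
    if SUSPICIOUS.search(tail):
        reasons.append("suspicious token in off-screen tail")
    if not reasons:
        return None
    return tuple(reasons), tail.strip()[:80]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; `path` is only used to label findings."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        hit = inspect_line(line)
        if hit:
            findings.append(Finding(path, no, *hit))
    return findings


def scan_repo(root: Path) -> list[Finding]:
    """Walk a cloned repository, skipping node_modules."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.suffix in SOURCE_EXTENSIONS and "node_modules" not in p.parts:
            findings.extend(scan_text(str(p), p.read_text(errors="replace")))
    return findings


# Constructed sample (not real malware): a license header padded so that
# an eval() of base64 sits past column 250, invisible without scrolling.
SAMPLE_TROJANIZED_JS = (
    "/* Copyright (c) 2024 Example Corp. Licensed under the MIT License. "
    "Permission is hereby granted, free of charge, to any person ..."
    + " " * 120
    + "*/ eval(Buffer.from('Y29uc29sZS5sb2coJ3B3bmVkJyk=', 'base64').toString());\n"
    "module.exports = function add(a, b) { return a + b; };\n"
)
# Constructed sample: a long but honest line (embedded data, no code).
SAMPLE_BENIGN_JS = "const TABLE = [" + ", ".join(str(i) for i in range(120)) + "];\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_repo(Path(sys.argv[1]))
    else:
        results = scan_text("sample.js", SAMPLE_TROJANIZED_JS)
        results += scan_text("benign.js", SAMPLE_BENIGN_JS)
    for f in results:
        print(f"{f.path}:{f.line_no}: {'; '.join(f.reasons)} -> {f.hidden}")
```

Run it as python scan_hidden_code.py /path/to/cloned-repo and read every hit by hand; with no argument it scans the two embedded samples and reports only the padded license line. The checks are heuristics, so treat a clean result as necessary rather than sufficient: the same project can also pull its payload from an npm dependency, a postinstall script in package.json, or a file the scanner does not cover, which is why the disposable-VM advice above still applies.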

Suggested Corrections:
IOCs and MITRE ATT&CK TTPs are available in the ESET report linked below.

Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices, including the fake-recruiter approach and the "coding test" delivered from a private repository described above.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html

https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/