
Fake recruiter coding tests target devs with malicious Python packages

2024-09-10, ReversingLabs
https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages
#Lazarus #PyPI #VMConnect

Contents

ReversingLabs researchers have identified new, malicious software packages believed to be linked to a campaign, VMConnect, that our team first identified in August 2023 and which has ties to the North Korean hacking team Lazarus Group. The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews. Furthermore, information gathered from the detected samples allowed us to identify one compromised developer and provided insights into an ongoing campaign, with attackers posing as employees of major financial services firms.
Here is a detailed account of our discovery of the latest, malicious campaign.

History

In August 2023, ReversingLabs published two research posts describing the VMConnect campaign and its connection to North Korea's Lazarus Group. The relation to the Lazarus Group was based on information gathered in research conducted by Japanese CERT. As the team wrote at the time: Malicious PyPI packages …

IoC

6a8b8bbd83ea4cfeaadaf397700f75681aaddbea