Since the beginning of 2024, ESET researchers have been following DeceptiveDevelopment, a series of malicious campaigns linked to North Korea-aligned operators. Disguising themselves as software development recruiters, these threat actors lure victims with fake job offers and deliver software projects laced with infostealing malware.
“As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to take a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms. Unfortunately for the eager job candidate, these files are trojanized: once they download and execute the project, the victim’s computer is compromised,” explains ESET researcher Matěj Havránek, who discovered and analyzed DeceptiveDevelopment.
Attribution
While the affiliation of DeceptiveDevelopment remains unconfirmed, its tactics closely mirror those of known North Korea-aligned cyber operations. The campaign mainly targets freelance software developers through spearphishing on job-search and freelance platforms, aiming to steal cryptocurrency wallets and login credentials for browsers and password managers.
DeceptiveDevelopment uses tactics, techniques and procedures (TTPs) similar to those of other North Korea-linked operations. Its operators specifically target developers on Windows, Linux and macOS, aiming to steal cryptocurrency for financial gain, with possible secondary objectives related to cyberespionage.
To infiltrate their targets, they use fake recruiter profiles on social networks, posing as legitimate employers. Their attacks are not geographically limited; instead, they cast a wide net to maximize their chances of compromising victims and extracting funds and sensitive information.
How DeceptiveDevelopment works
DeceptiveDevelopment mainly uses two malware families in its activities, delivered in two stages. In the first stage, BeaverTail (infostealer, downloader) acts as a simple login stealer, extracting browser databases containing saved logins, and as a downloader for the second stage, InvisibleFerret (infostealer, RAT), which includes spyware and backdoor components and is also able to download the legitimate remote management and monitoring software AnyDesk for post-compromise activities.
To pass as recruiters, the attackers copy the profiles of existing people or even build new personas. They then approach their potential victims directly on job-search and freelance platforms, or post fake job listings. While some of these profiles are set up by the attackers themselves, others are potentially compromised profiles of real people on the platform, modified by the attackers.
Some of the platforms where these interactions take place are generic job-search sites, while others focus mainly on cryptocurrency and blockchain projects and are therefore more in line with the attackers’ objectives. The platforms include LinkedIn, Upwork, Freelancer.com, We Work Remotely, Moonlight and Crypto Jobs.
Victims receive the project files either directly via a file transfer on the site or via a link to a repository such as GitHub, GitLab or Bitbucket. They are asked to download the files, add features or fix bugs, and report back to the recruiter. In addition, they are instructed to build and run the project in order to test it, which is where the initial compromise occurs.
The attackers often use a clever trick to hide their malicious code: they place it in an otherwise benign component of the project, usually in the back-end code unrelated to the task given to the developer, where they add it as a single line behind a long comment. In this way, it is pushed off screen and remains largely hidden.
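A candidate reviewing a take-home project can check for exactly this hiding pattern before building it. The following scanner is an added example written for this article, not ESET's tooling or any code from the campaign: it flags lines where executable code sits after a block comment on an over-long line, or after a run of whitespace wide enough to push it past a normal editor viewport. The sample lines, the `startHiddenStage()` call and the width thresholds are constructed for illustration.

```python
import re

# Constructed sample: a small Node.js back-end file in which one line carries a
# padded block comment followed by a hypothetical hidden call (stand-in, not real code).
SAMPLE_LINES = [
    'const express = require("express");',
    'const app = express();',
    '/* Database helpers */ const db = require("./db");',
    'app.get("/health", (req, res) => res.json({ ok: true }));',
    "/* Legacy compatibility shim; see changelog before removing "
    + " " * 400
    + "*/ startHiddenStage();",
    "module.exports = app;",
]


def find_offscreen_code(lines, max_width=200, min_gap=40):
    """Return findings for lines whose trailing code is likely hidden off screen.

    Two heuristics (thresholds are assumptions, tune per code base):
      1. The line is longer than max_width and non-whitespace follows the last
         block-comment terminator '*/'. Code after '//' is not checked, since a
         line comment swallows the rest of the line and nothing there executes.
      2. A run of at least min_gap spaces/tabs is followed by code, regardless of
         whether a comment precedes it.
    Minified or generated files will trigger heuristic 1 legitimately, so review
    findings rather than treating them as verdicts.
    """
    gap_re = re.compile(r"[ \t]{%d,}(\S.*)$" % min_gap)
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        reasons = []
        trailing = ""

        # Heuristic 1: code after the last block comment on an over-long line.
        if len(line) > max_width and "*/" in line:
            after = line.rsplit("*/", 1)[1].strip()
            if after:
                reasons.append("code after block comment on over-long line")
                trailing = after

        # Heuristic 2: a wide whitespace gap immediately before code.
        gap = gap_re.search(line)
        if gap:
            reasons.append("long whitespace gap before code")
            trailing = trailing or gap.group(1).strip()

        if reasons:
            findings.append(
                {
                    "line": lineno,
                    "length": len(line),
                    "reasons": reasons,
                    "trailing_code": trailing,
                    # What a reviewer sees without scrolling horizontally.
                    "visible_prefix": line[:60],
                }
            )
    return findings


def scan_text(text, **kwargs):
    """Convenience wrapper for scanning a whole file's contents."""
    return find_offscreen_code(text.splitlines(), **kwargs)


if __name__ == "__main__":
    for f in find_offscreen_code(SAMPLE_LINES):
        print(f"line {f['line']} ({f['length']} chars): {', '.join(f['reasons'])}")
        print(f"  visible : {f['visible_prefix']!r}")
        print(f"  trailing: {f['trailing_code']!r}")
```

Run against a checked-out repository by feeding each file through `scan_text`; the short inline comment on the `db` line is deliberately left unflagged, since comment-then-code on a normally sized line is ordinary style and the point is the horizontal padding, not the comment itself.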
“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and follows an ongoing trend of shifting focus from traditional money to cryptocurrencies,” concludes Havránek.