
Evolution of North Korea’s Lazarus Group in Developer-Recruitment Attacks


North Korea’s Lazarus threat group has once again set its sights on software developers, using deceptive tactics on employment platforms to carry out a series of attacks. This time, the group has turned to LinkedIn job postings to attract freelance developers, enticing them to download malicious Git repositories containing malware designed to steal source code, cryptocurrency, and sensitive data.

The SecurityScorecard STRIKE team uncovered the ongoing attack, dubbed Operation 99, on Jan. 9. Attackers disguised as recruiters lure developers with offers of project tests or code reviews. Victims are then tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, unleashing a wave of data-stealing implants.

This campaign employs various payloads that target Windows, macOS, and Linux systems. The attackers utilize a sophisticated malware delivery system with modular components that can adapt to different targets. Downloaders like Main99 deploy payloads such as Payload 99/73, brow99/73, and MCLIP, which carry out tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and stealing browser credentials.

In addition to stealing source code, secrets, configuration files, and cryptocurrency-related assets like wallet keys and mnemonics, the malware serves the ultimate goal of financing the North Korean regime led by Kim Jong Un. By embedding the malware into developers’ workflows, the attackers seek to compromise not only individual victims but also the projects and systems they contribute to.

This recent attack builds on Lazarus’ history of targeting developers using various malware strains, such as Operation Dream Job in 2021 and the DEV#POPPER campaign aimed at software developers worldwide for data theft. The group’s use of advanced social engineering tactics to infiltrate global organizations for cyber espionage further demonstrates their evolving strategies.

While a Department of Justice operation in May disrupted North Korea’s widespread IT freelance operation, Lazarus remains undeterred. The group continues to evolve its tactics, as noted by Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. By leveraging AI-generated profiles to pose as recruiters and employing advanced obfuscation and encryption techniques, Lazarus has made its malicious activities more difficult to detect and analyze.

As these campaigns become increasingly sophisticated, job seekers must exercise caution and be vigilant against potential threats. Mitigation strategies should focus on enhancing social engineering awareness and adhering to basic cybersecurity practices. Employees should approach job offers with skepticism, especially if they seem too good to be true, and exercise extreme caution when interacting with recruiters, particularly on platforms such as LinkedIn or via email.

In conclusion, the latest wave of attacks orchestrated by North Korea’s Lazarus threat group highlights the ever-evolving threat landscape faced by software developers and the critical importance of maintaining cybersecurity vigilance in the face of sophisticated cyber adversaries.
