North Korean Hackers Use LinkedIn to Lure Developers into Coding Challenges

A North Korean state-sponsored hacking group has been targeting developers in the cryptocurrency sector through LinkedIn, posing as recruiters and luring victims with seemingly genuine job offers and coding challenges.

The group, tracked as Slow Pisces and elsewhere as TraderTraitor or Jade Sleet, uses this tactic to deliver malicious Python and JavaScript code to developers' machines, and the resulting access has been turned into substantial cryptocurrency thefts. In 2023 alone, the group was linked to over $1 billion in stolen funds.

More recent attacks include a $1.5 billion theft from a Dubai-based exchange and a $308 million theft from a Japanese company. The lure follows a fixed pattern: the attackers first send a PDF job description, then follow up with a coding assignment hosted in a GitHub repository.

The repositories are adapted from legitimate open-source projects, so they look plausible on inspection, but they have been altered to include hidden malicious code. When a victim runs the project to complete what they believe is a programming test, that code executes, and in the Python variants it delivers malware tracked as RN Loader and RN Stealer.

The Python code avoids eval and exec, the functions that scanners and reviewers most commonly flag. Instead it passes attacker-supplied data to an unsafe YAML loader: Python's common YAML library (PyYAML) will construct arbitrary Python objects when used with an unsafe loader, so the deserialization step itself runs the payload. Once triggered, the loader fetches additional stages and executes them directly in memory, leaving little on disk to detect or remove.
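To make the YAML point concrete, here is an added example (not code from the campaign or from the researchers who analysed it) showing why an unsafe PyYAML load is a code-execution primitive even though nothing in the calling code mentions eval or exec, alongside a small AST-based scanner that flags the risky call patterns. The PROBE_YAML document and the SAMPLE_SOURCE config loader are constructed for this illustration; the only real library touched is PyYAML (import name `yaml`).

```python
"""Unsafe YAML deserialization as a code-execution primitive, plus a scanner.

Added example, not code from the campaign or its analysts. SAMPLE_SOURCE is a
constructed stand-in for a project's config loader; the only real library
used is PyYAML (import name `yaml`).
"""
import ast
import importlib.util
import os

# Harmless probe: under an unsafe loader this single YAML node makes PyYAML
# import `os` and call os.getcwd() while parsing. The calling code never says
# eval or exec; the deserializer does the work. A real payload would name a
# more interesting callable than os.getcwd.
PROBE_YAML = "!!python/object/apply:os.getcwd []\n"

# PyYAML loaders that refuse python/* tags.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def deserialize_probe():
    """Show what the unsafe and safe loaders do with PROBE_YAML.

    Returns None when PyYAML is not installed; otherwise a dict with
    'unsafe_ran_getcwd' (did yaml.Loader execute the function?) and
    'safe_blocked' (did safe_load refuse the tag?).
    """
    if importlib.util.find_spec("yaml") is None:
        return None
    import yaml

    # yaml.Loader (alias UnsafeLoader) honours python/object/apply tags.
    unsafe_result = yaml.load(PROBE_YAML, Loader=yaml.Loader)
    try:
        yaml.safe_load(PROBE_YAML)
        safe_blocked = False
    except yaml.YAMLError:  # SafeLoader: "could not determine a constructor"
        safe_blocked = True
    return {"unsafe_ran_getcwd": unsafe_result == os.getcwd(),
            "safe_blocked": safe_blocked}


def _loader_name(node):
    """'yaml.SafeLoader' -> 'SafeLoader'; bare 'SafeLoader' -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def scan_for_unsafe_yaml_load(source):
    """Return sorted (line, reason) pairs for yaml.* calls that can build objects.

    Flags unsafe_load/full_load (FullLoader was exploitable before PyYAML 5.4),
    load()/load_all() with no Loader (version-dependent default), and any
    Loader other than SafeLoader/CSafeLoader.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "yaml"):
            continue
        fn = node.func.attr
        if fn in ("unsafe_load", "unsafe_load_all", "full_load", "full_load_all"):
            findings.append((node.lineno, f"yaml.{fn}() permits python/* tags"))
        elif fn in ("load", "load_all"):
            loader = _loader_name(node.args[1]) if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = _loader_name(kw.value)
            if loader is None:
                findings.append((node.lineno,
                                 f"yaml.{fn}() without Loader= (version-dependent default)"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno,
                                 f"yaml.{fn}(Loader={loader}) permits python/* tags"))
    return sorted(findings)


# Constructed sample: a config loader of the kind a planted repository might
# carry. Line 5 is the dangerous call; lines 9 and 13 are the safe forms.
SAMPLE_SOURCE = '''\
import yaml, requests

def load_config(url):
    raw = requests.get(url).text              # data from a remote server
    cfg = yaml.load(raw, Loader=yaml.Loader)  # unsafe: any python/* tag runs
    return cfg

def load_config_safely(url):
    return yaml.safe_load(requests.get(url).text)

def load_local(path):
    with open(path) as f:
        return yaml.load(f, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for line, reason in scan_for_unsafe_yaml_load(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
    print(deserialize_probe())
```

The scanner is deliberately narrow (it only recognises the `yaml.<name>` attribute form), which is enough to triage a take-home repository before running it; the remediation in every flagged case is `yaml.safe_load` or an explicit `Loader=yaml.SafeLoader`.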

How Does the Malware Work?

The JavaScript variants work the same way in spirit: they use the Embedded JavaScript (EJS) templating engine, rather than a conspicuous eval call, to turn server-supplied content into executed code. The malicious content is served only to victims the attackers' server judges to be genuine targets, selected on factors such as IP address and browser headers, while everyone else receives harmless data.

The malware stores its code in hidden directories and communicates over HTTPS using custom tokens. Because the server withholds the payload from anything that does not look like a target, investigators were unable to recover the full JavaScript payload during forensic analysis.

A Response from LinkedIn and GitHub

GitHub and LinkedIn responded by removing the malicious accounts and repositories involved. In a joint statement, the companies said: "GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service."

Both companies say they continue to improve their processes and encourage users and members to report suspicious accounts and activity.

Caution Advised: Protecting Yourself from State-Backed Cyber Threats

Developers, particularly those working in sensitive sectors like cryptocurrency, should treat any take-home coding challenge as untrusted code: keep endpoint protection enabled, and run the project only in an isolated virtual machine or container that has no access to wallets, SSH keys, or cloud credentials. Before running it, read what the project does with data it fetches from the network; a YAML load on a server response, or a template rendered from one, is exactly the pattern described above.

Integrated security features in a good IDE help, but they will not catch a payload that is assembled at runtime by a deserializer or a template engine; isolating the environment in which unfamiliar code runs is the control that matters. Staying alert and working from a secure, controlled setup significantly reduces the risk of falling prey to state-backed cyber threats.

About the Author

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.

He is also focused on B2B security products and can be contacted at this email: udinmwenefosa@gmail.com

Stay Safe Online

As technology continues to evolve, it's essential for developers to remain vigilant and take proactive steps to protect themselves from state-backed cyber threats.

Staying informed, and treating every unsolicited "test" as untrusted input, goes a long way toward avoiding these attacks.