North Korean hackers hide malware in GitHub projects that are then sent to developers under the guise of a coding test. Once the project is downloaded and launched, the victim's computer is at risk of infection with the BeaverTail malware, the first stage of the attack. Freelancers from the US, Canada and some European countries were hit the hardest during 2024 by this malicious activity, which has been dubbed DeceptiveDevelopment.
This is according to a study by ESET. Hackers are posing as recruiters on social media to target freelance developers, especially those working on cryptocurrency projects. The main goal of the attacks is to steal cryptocurrency, likely to increase North Korea’s profits.
Attackers copy or create recruiter profiles and contact developers through job search platforms such as LinkedIn, Upwork, Freelancer.com, We Work Remotely, Moonlight and Crypto Jobs List, offering them employment opportunities if they pass a coding test.
The test files are hosted in private repositories on GitHub or a similar platform, and when they are downloaded, the BeaverTail malware is deployed.
Hackers often copy entire projects without making any changes other than adding their own malware and rewriting the README file. They typically try to hide the malicious code somewhere in the project where it is not suspicious or easily noticeable, for example as a single line of backend code placed after a long comment that pushes it off the visible part of the screen.
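A simple defensive check for the hiding technique described above, added here as an example (it is not part of the original article or ESET's research): it scans source text for statements that follow an unusually wide run of whitespace starting beyond a typical editor width, which is how a trailing statement ends up off-screen. The sample file content, the thresholds and the function name are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample (not a real malware artifact): line 2 carries a block
# comment, then hundreds of spaces, then a statement that sits far to the
# right of anything a default editor window shows.
SAMPLE_JS = (
    "const express = require('express');\n"
    "/* helper utilities for the demo app */" + " " * 400 + "require('./s')(process.env);\n"
    "function add(a, b) { return a + b; }\n"
    "//" + "-" * 200 + "\n"  # long but harmless: the whole line is a comment
)


def find_hidden_lines(text: str, min_gap: int = 40, max_visible: int = 160) -> List[Tuple[int, int, str]]:
    """Return (line_number, gap_length, trailing_text) for every line in which
    non-whitespace text follows a run of at least `min_gap` spaces/tabs and
    that trailing text starts at or beyond column `max_visible`.

    This is a heuristic for manual review, not a malware classifier: a wide
    gap inside a block comment would also be reported."""
    gap_re = re.compile(r"[ \t]{%d,}(?=\S)" % min_gap)
    hits: List[Tuple[int, int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = gap_re.search(line)
        if match is None:
            continue
        # Only flag when the text after the gap is outside the visible width.
        if match.end() < max_visible:
            continue
        # Text after a gap on a '//' line is still part of the comment.
        if line[:match.start()].lstrip().startswith("//"):
            continue
        trailing = line[match.end():]
        hits.append((line_no, match.end() - match.start(), trailing[:80]))
    return hits


if __name__ == "__main__":
    for line_no, gap, trailing in find_hidden_lines(SAMPLE_JS):
        print(f"line {line_no}: {gap} whitespace chars before: {trailing!r}")
```

Run it over a downloaded "test" project's source files before executing anything; a hit is a reason to open the line in a wide editor, not proof of compromise.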
BeaverTail targets browser databases to steal stored credentials, and also downloads the second stage of the campaign, InvisibleFerret, which acts as a backdoor and lets the attacker install the AnyDesk remote control software for further post-compromise activity.
Windows, Mac, and Linux users around the world are being attacked, with everyone from junior to experienced developers being targeted.
“We only observed conversations between attackers and victims in English, but we cannot say with certainty that they would not use translation tools to communicate with victims in other languages,” the researchers note.
Another infection method observed by researchers was for a fake recruiter to invite a victim for an interview using an online conferencing platform and provide a link to a website where the necessary conferencing software could be downloaded. This website is usually a clone of an existing conferencing platform, and the downloaded software contains the first stage of the malware.
Source: North Korean hackers targeted freelance developers, including Ukrainian ones, under the