Security researchers have uncovered a new set of malicious Python packages that are disguised as coding assignments and aimed at software developers. "The new examples have been linked to GitHub projects associated with previous, targeted attacks, in which developers are being lured in with fake job offers," said Karlo Zanki, a researcher at ReversingLabs.

The activities are believed to be part of an ongoing campaign dubbed VMConnect that first came to light in August 2023 and has ties to the North Korean Lazarus Group. The use of job interview ploys as an infection vector is widespread among North Korean threat actors, who either reach out to unsuspecting developers on websites like LinkedIn or get them to download rigged packages as part of a purported skills test. These packages, in turn, have been either published directly to public repositories such as npm and PyPI or hosted on GitHub repositories under their control.

ReversingLabs said it identified malicious code in modified versions of legitimate PyPI libraries like pyperclip and pyrebase. "The malicious code is present in both the __init__.py file and the corresponding compiled Python file (PYC) within the __pycache__ directory of the respective modules," Zanki said. It's implemented in the form of a Base64-encoded string that obfuscates a downloader function, which establishes a connection to a command-and-control (C2) server to execute commands received in response.

In one coding challenge case identified by the software supply chain security firm, the threat actors sought to create a false sense of urgency by requiring applicants to build a Python project, shared in the form of a ZIP archive, within five minutes and then find and fix a programming error in the next 15 minutes. This makes it "more likely that he or she will run the package without prior security or even source code review," Zanki said, adding, "This ensures the malicious actors behind this campaign that the embedded malware will be executed on the developer's system."

Some of these tests claimed to be a technical interview challenge for financial institutions such as Capital One and Rookery Capital Limited, highlighting how the threat actors are mimicking legitimate companies in the sector to carry out the operation. It's currently not clear how widespread these campaigns are, although potential targets are being scoped out and contacted over LinkedIn, as Google-owned Mandiant also recently corroborated. "Following an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge. This compromised the user's macOS system, downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said.

The development comes as cybersecurity firm Genians disclosed that the North Korean threat actor tracked as Konni is stepping up its attacks against Russia and South Korea using spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps to a campaign codenamed CLOUD#REVERSER (aka puNK-002). Some of these attacks also involve the distribution of a new malware called CURKON, a Windows shortcut (LNK) file that serves as a downloader for an AutoIt-based version of Lilith RAT. The activity has been linked to a sub-cluster tracked as puNK-003, S2W said.
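The two indicators ReversingLabs describes for the VMConnect packages, a long Base64 literal inside a vendored module's __init__.py and a compiled .pyc shipped under __pycache__, can be checked before a "coding assignment" ZIP is ever run. The scanner below is an added example written for this article, not ReversingLabs' tooling; the archive it inspects is constructed inline and the decoded text is an inert marker string, not the campaign's downloader.

```python
import base64
import io
import re
import zipfile

# Substrings that suggest a decoded Base64 literal holds code, not data.
SUSPICIOUS_TOKENS = ("exec(", "eval(", "urlopen", "socket", "subprocess")
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=]{60,})['"]""")  # quoted Base64 run


def build_sample_archive() -> bytes:
    """Constructed 'assignment' ZIP: a vendored pyperclip-named package whose
    __init__.py holds a Base64 blob and that ships a compiled __pycache__ entry.
    The decoded text is an inert marker, not malware."""
    inert = "import urllib.request\nexec(urllib.request.urlopen)  # inert marker"
    blob = base64.b64encode(inert.encode()).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assignment/README.md", "Build it, then fix the bug in 15 minutes")
        zf.writestr("assignment/pyperclip/__init__.py", f"import base64\n_d = '{blob}'\n")
        zf.writestr("assignment/pyperclip/__pycache__/__init__.cpython-311.pyc",
                    b"\x00" * 16)  # placeholder bytes standing in for bytecode
        zf.writestr("assignment/main.py", "print('hello')\n")
    return buf.getvalue()


def scan_archive(data: bytes) -> list:
    """One finding per red flag: bytecode shipped under __pycache__, or a Base64
    literal in an __init__.py that decodes to code-like text."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "__pycache__/" in name and name.endswith(".pyc"):
                findings.append({"file": name, "tokens": [],
                                 "reason": "compiled bytecode shipped in __pycache__"})
            elif name.endswith("__init__.py"):
                text = zf.read(name).decode("utf-8", "replace")
                for m in B64_LITERAL.finditer(text):
                    try:
                        decoded = base64.b64decode(m.group(1), validate=True)
                    except ValueError:
                        continue  # not valid Base64; ignore
                    hits = [t for t in SUSPICIOUS_TOKENS if t in decoded.decode("utf-8", "replace")]
                    if hits:
                        findings.append({"file": name, "tokens": hits,
                                         "reason": "Base64 literal decodes to code"})
    return findings
```

A shipped __pycache__ entry is worth flagging on its own, since the bytecode may differ from the source next to it and is what Python loads when the timestamps match.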