North Korean hackers are posing as software development recruiters to target freelancers

News
By published

North Korea is stealing crypto from freelance developers

North Korean flag with a hooded hacker
(Image credit: Shutterstock)
  • North Korea is hiding malware in GitHub projects
  • The projects are then sent to developers as a coding test
  • BeaverTail malware is then used to steal credentials and crypto

Freelance software developers are the latest target of North Korean hackers looking to spread infostealing malware, experts have warned.

The latest campaign, identified by ESET as DeceptiveDevelopment, involves the hackers posing as recruiters on social media to target freelance developers working on cryptocurrency projects.

The main aim of the attacks is to steal cryptocurrency, likely in an effort to supplement North Korea’s income.

Article continues below

Crypto theft and cyber espionage

The attackers copy or create personas of recruiters, and will reach out to developers through job recruitment platforms such as LinkedIn, Upwork, and Freelancer.com, offering them a job opportunity if they complete a coding test.

The test project is usually either a hiring challenge, cryptocurrency project, a game with some form of blockchain functionality, or a gambling project with cryptocurrency or blockchain involvement. The test files are hosted in private repositories on GitHub or a similar platform, and when downloaded and the project executed, BeaverTail malware is deployed.

The hackers will often copy entire projects, making no changes other than adding their malware and re-writing the README file. The hackers will usually try and hide their malicious code somewhere in the project that wouldn’t attract suspicion or be easily spotted, such as within backend code as a single line behind a comment that pushes it off-screen.

The Beavertail malware will target browser databases to steal credentials, and will also download the second stage of the campaign, InvisibleFerret, which acts as a backdoor allowing the attacker to install the AnyDesk remote management software for additional post-compromise activity.

Windows, Mac, and Linux users are all susceptible to the attack, with victims being observed across the globe. The attackers did not discriminate in targeting everyone from junior developers all the way up to experienced professionals. The campaign shares similarities to Operation DreamJob, which targeted aerospace and defense workers to steal classified information.

You might also like

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.