Beware! Fake Job Interview Challenges Target Developers to Deliver Malware

ESET researchers have uncovered a sophisticated cybercrime campaign, dubbed DeceptiveDevelopment, targeting freelance software developers worldwide.

This operation, active since late 2023, uses fake job interview challenges to deploy malware aimed at stealing sensitive information, including cryptocurrency wallets and login credentials.

The campaign is attributed to North Korea-aligned actors, leveraging tactics similar to other known operations like Lazarus Group’s Operation DreamJob.

[Figure: DeceptiveDevelopment compromise chain]

Trojanized Coding Challenges: A New Attack Vector

The attackers pose as recruiters on platforms such as LinkedIn, Upwork, and Freelancer.com, luring developers with fake job offers.

Victims are asked to complete coding tasks using files hosted in private repositories on platforms like GitHub. Unbeknownst to the targets, these files are embedded with malicious code.

Once executed, the malware, primarily BeaverTail and InvisibleFerret, compromises the victim’s system.

BeaverTail, the first-stage malware, acts as an infostealer and downloader.

It extracts browser-stored credentials and cryptocurrency wallet data while setting the stage for the second payload.

The second-stage malware, InvisibleFerret, is a modular Python-based tool with spyware and remote access capabilities.

It enables attackers to exfiltrate sensitive data and deploy additional tools like AnyDesk for persistent access.

A Global Threat Targeting Cryptocurrency Developers

The campaign primarily targets developers involved in cryptocurrency and decentralized finance (DeFi) projects across all major operating systems: Windows, Linux, and macOS.

Hundreds of victims have been identified globally, ranging from junior freelancers to seasoned professionals.

Attackers use advanced obfuscation techniques to hide malicious code within seemingly legitimate projects, often appending it behind lengthy comments in backend files.

[Figure: Malicious website]

In some cases, victims are also tricked into downloading trojanized conferencing software from cloned websites mimicking legitimate platforms like MiroTalk.

This software serves as an alternative delivery mechanism for the malware.

ESET researchers attribute this campaign to North Korea with high confidence due to overlaps in tactics, techniques, and procedures (TTPs) observed in previous operations.

The attackers demonstrate moderate technical sophistication but occasionally leave telltale signs, such as unremoved development notes or poorly obfuscated code.

The malware’s functionality is tailored for financial theft. It targets browser extensions like MetaMask and Coinbase Wallet while collecting saved credentials from browsers and password managers. Advanced versions of InvisibleFerret even exfiltrate data via Telegram or FTP servers.

This campaign underscores the growing risks faced by developers in the cryptocurrency space.

To mitigate such threats, professionals should exercise caution when engaging with recruiters online, scrutinize project files for hidden code, and avoid executing unverified software.
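The article notes that the attackers hide loader code behind lengthy comments in backend files and advises developers to scrutinize project files for hidden code before running them. The following scanner is an added example written for this page; it is not ESET's tooling or anything from the article. It applies two simple heuristics that catch the trick described above (source lines far longer than a human would write, and code sitting after a long run of whitespace that pushes it off-screen in an editor) and additionally flags tokens typical of a decode-and-execute stub. The function names, thresholds and the sample file contents are all my own constructions.

```python
"""Heuristic review aid for code handed over as an interview task.

Added example, not ESET's or the article's code. Flags lines that look like
they are hiding a loader stub behind a long comment or whitespace padding.
"""
from __future__ import annotations

import os
import re
import sys
from dataclasses import dataclass
from typing import List

MAX_LINE_LEN = 500               # hand-written source rarely exceeds this
PAD_RUN = re.compile(r"[ \t]{80,}")  # whitespace run used to push code off-screen
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py"}

# Tokens that commonly appear in a decode-and-execute stub. They are not proof
# of malice on their own, which is why the reason string lists every trigger.
SUSPICIOUS = re.compile(
    r"eval\s*\(|new\s+Function\s*\(|child_process|atob\s*\(|"
    r"Buffer\.from\s*\([^)]*['\"]base64['\"]|base64\.b64decode|\bexec\s*\("
)


@dataclass
class Finding:
    path: str
    line_no: int
    reason: str
    excerpt: str


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per suspicious line in `text`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        reasons = []
        if len(line) > MAX_LINE_LEN:
            reasons.append(f"line length {len(line)} > {MAX_LINE_LEN}")
        pad = PAD_RUN.search(line)
        if pad and line[pad.end():].strip():
            reasons.append("code after long whitespace run")
        if SUSPICIOUS.search(line):
            reasons.append("suspicious loader token")
        if reasons:
            # Keep the excerpt short and strip the padding so it is readable.
            excerpt = re.sub(r"\s{2,}", " ", line.strip())[:80]
            findings.append(Finding(path, line_no, "; ".join(reasons), excerpt))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a checked-out project and scan every source file in it."""
    out: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] in SOURCE_EXT:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_text(fh.read(), path))
    return out


# Constructed samples: a harmless file and one with a stub hidden after padding.
CLEAN_SAMPLE = "const express = require('express');\napp.listen(3000);\n"
HIDDEN_SAMPLE = (
    "// database helpers" + " " * 400
    + "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());\n"
    + "module.exports = {};\n"
)


if __name__ == "__main__":
    # Usage: python scan.py <project-dir>; with no argument, scan the samples.
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = scan_text(CLEAN_SAMPLE, "clean.js") + scan_text(HIDDEN_SAMPLE, "server.js")
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.reason}\n    {f.excerpt}")
```

Run it against the unpacked task repository before opening anything in an IDE that might auto-execute hooks or scripts. Every hit needs a human look; the point of the tool is to surface lines an editor would scroll past, not to decide on its own.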

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
