<h1>Malware in developer coding tests</h1>
<p>Kaspersky Daily (kaspersky.com.au), published 2024-10-31 (GMT). Tag: social engineering. Source: <a href="https://www.kaspersky.com.au/blog/rat-in-coding-task-on-github/34324/" target="_blank" rel="noopener">https://www.kaspersky.com.au/blog/rat-in-coding-task-on-github/34324/</a></p>
<p><em>Hackers continue to target developers: during a fake job interview, they ask “potential employees” to run a script from GitHub that hides a backdoor.</em></p>
<p>Software developers tend to be advanced computer users at the very least, so you could assume they’d be more likely to spot and thwart a cyberattack. However, experience shows that <a href="https://www.kaspersky.com/blog/social-engineering-cases/48697/" target="_blank" rel="noopener nofollow">no one is fully immune</a> to social engineering — all it takes is the right approach. For IT professionals, such an approach might involve the offer of a well-paid job at a high-profile company. Chasing a dream job can make even seasoned developers lower their guard and act like kids downloading pirated games. And the real target (or rather — victim) of the attack might be their current employer.</p>
<p>Recently, a new scheme has emerged in which hackers infect developers’ computers with a backdoored script disguised as a coding test. This isn’t an isolated incident, but just the latest iteration of a well-established tactic. Hackers have been using fake job offers to target IT specialists for years — and in some cases with staggering success.</p>
<p>You might think that the consequences should remain the particular individual’s problem. However, in today’s world, it’s highly likely that the developer uses the same computer for both their main work and the coding test for the new role. As a result, not only personal but also corporate data may be at risk.</p>
<h2>Fake job posting, crypto game, and a $540 million heist</h2>
<p>One of the most notorious cases of fake job ads used for malicious purposes was witnessed in 2022. Hackers <a href="https://www.kaspersky.com/blog/sky-mavis-crypto-heist/44981/" target="_blank" rel="noopener nofollow">managed to contact</a> (likely through LinkedIn) a senior engineer at Sky Mavis, the company behind the crypto game Axie Infinity, and offer him a high-paying position.</p>
<p>Enticed by the offer, the employee diligently went through several stages of the interview set up by the hackers. Naturally, it all culminated in a “job offer”, sent as a PDF file.</p>
<p>The document was infected. When the Sky Mavis employee downloaded and opened it, spyware infiltrated the company’s network. After scanning the company’s infrastructure, the hackers managed to obtain the private keys of five validators on Axie Infinity’s internal blockchain — Ronin. With these keys they gained complete control over the cryptocurrency assets stored in the company’s wallets.</p>
<p>This resulted in <a href="https://www.kaspersky.com/blog/top-5-cryptocurrency-heists/45945/" target="_blank" rel="noopener nofollow">one of the largest crypto heists of the century</a>. The hackers managed to steal 173,600 ETH and 25,500,000 USDC, which was worth approximately $540 million at the time of the heist.</p>
<h2>More fake job postings, more malware</h2>
<p>In 2023, several large-scale campaigns were uncovered in which fake job offers were used to infect developers, media employees, and even cybersecurity specialists (!) with spyware.</p>
<p>One <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/" target="_blank" rel="nofollow noopener">attack scenario</a> goes like this: someone posing as a recruiter from a major tech company contacts the target through LinkedIn. After some back-and-forth, the target receives an “exciting job opportunity”.</p>
<p>However, to land the job, they must demonstrate their coding skills by completing a test. The test arrives in executables within ISO files downloaded from a provided link. Running these executables infects the victim’s computer with the NickelLoader malware, which then installs one of two backdoors: either miniBlindingCan or LightlessCan.</p>
<p>In <a href="https://www.bleepingcomputer.com/news/security/security-researchers-targeted-with-new-malware-via-job-offers-on-linkedin/" target="_blank" rel="nofollow noopener">another scenario</a>, attackers posing as recruiters initiate contact with the victim on LinkedIn, but then smoothly transition the conversation to WhatsApp. Eventually they send a Microsoft Word file with the job description. As you might guess, this file contains a malicious macro that installs the PlankWalk backdoor on the victim’s computer.</p>
<p><a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-now-push-linux-malware-via-fake-job-offers/" target="_blank" rel="nofollow noopener">Yet another variation</a> of the attack targeting Linux users featured a malicious archive titled “HSBC job offer.pdf.zip”. Inside the archive was an executable file disguised as a PDF document. Interestingly, in this case, to mask the file’s true extension, the attackers used an exotic symbol: the so-called <a href="https://en.wikipedia.org/wiki/Leader_(typography)" target="_blank" rel="nofollow noopener">one dot leader</a> (U+2024). This symbol looks like a regular period to the human eye but is read as a completely different character by the computer.</p>
<p>Once opened, this executable displays a fake PDF job description while, in the background, launching the OdicLoader malware, which installs the SimplexTea backdoor on the victim’s computer.</p>
<h2>Fake coding test with a Trojan on GitHub</h2>
<p>A <a href="https://www.bleepingcomputer.com/news/security/fake-job-interviews-target-developers-with-new-python-backdoor/" target="_blank" rel="nofollow noopener">recently discovered variation</a> of the fake job attack starts similarly. Attackers contact an employee of the target company pretending to be recruiters seeking developers.</p>
<p>When it comes to the interview, the victim is asked to complete a coding test. However, unlike the previous variations, instead of sending the file directly, the criminals direct the developer to a GitHub repository where it is stored. The file itself is a ZIP archive containing a seemingly innocuous Node.js project.</p>
<p>However, one component of this project contains an unusually long string, specially formatted to be overlooked when scrolling quickly. This string holds the hidden danger: heavily obfuscated code that forms the first stage of the attack.</p>
<p>When the victim runs the malicious project, this code downloads, unpacks, and executes the code for the next stage. This next stage is a Python file without an extension, with a dot at the beginning of the filename signaling to the OS that the file is hidden. This script launches the next step in the attack — another Python script containing the backdoor code.</p>
<p>Thus, the victim’s computer ends up with malware that can maintain continuous communication with the command-and-control server, execute file system commands to locate and steal sensitive information, download additional malware, steal clipboard data, log keystrokes, and send the collected data to the attackers.</p>
<p>As with the other variations of this scheme, the hackers count on the victim using their work computer to complete the “interview” and run the “test”. This allows the hackers to access the infrastructure of the target company. Their subsequent actions can vary, as history shows: from trojanizing software developed by the victim’s company to direct theft of funds from the organization’s accounts, as seen in the Sky Mavis case mentioned at the beginning of this article.</p>
<h2>How to protect yourself</h2>
<p>As we noted above, there’s currently no bulletproof defense against social engineering. Virtually anyone can be vulnerable if the attacker finds the right approach. However, you can make the task significantly more challenging for attackers:</p>
<ul>
<li>Raise awareness among employees — including developers — about cyberthreats through specialized training. Setting up such training is simple with our automated educational platform, <a href="https://k-asap.com/en/?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___" target="_blank" rel="noopener">Kaspersky Automated Security Awareness Platform</a>.</li>
<li>Use <a href="https://www.kaspersky.com.au/small-to-medium-business-security?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">a reliable security solution</a> on all corporate devices.</li>
<li>If internal resources and expertise are limited, consider using an external service like <a href="https://www.kaspersky.com.au/enterprise-security/managed-detection-and-response?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">Kaspersky Managed Detection and Response</a>.</li>
</ul>