With the "DeceptiveDevelopment" campaign, cybercriminals are targeting software developers looking for jobs. Along with a test to prove their skills, victims download malware onto their computers. The criminals hope to use this to obtain login credentials and steal cryptocurrency.
ESET researchers have identified a new cyberthreat: In the "DeceptiveDevelopment" campaign, cybercriminals are luring freelance software developers from the cryptocurrency scene with fake job offers. The goal is to steal cryptocurrencies and login credentials. The attacks target Windows, Linux, and macOS users in all regions of the world and use platforms such as LinkedIn, Upwork, Moonlight, Freelancer.com, and others. Hackers with ties to North Korea are most likely behind the attacks. Although the attack patterns are similar to those of known actors, the actions have not been attributed to any specific group.
Fake job interviews as a gateway
The perpetrators behind DeceptiveDevelopment pose as recruiters on well-known job portals, social networks, and crypto or blockchain sites and publish fake job advertisements. They copy existing accounts or set up entirely new ones. They then use these accounts to specifically contact software developers. Particularly perfidious: The hackers not only create their own fake profiles, but also access the accounts of real people to lure job seekers into their trap.
After successfully establishing contact, the attackers invite their victims to take a coding test. This is a common way to determine the experience of programmers in a selection process. However, the required project files contain hidden malware. Once the unsuspecting candidates download and execute these files, their computers are compromised.
Advertising
Subscribe to our newsletter now
Read the best news from B2B CYBER SECURITY once a month
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our
Privacy Policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.
CleverReach
This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at:
https://www.cleverreach.com/de/funktionen/reporting-und-tracking/. The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time.
You may object to the storage if your interests outweigh our legitimate interest.
For more information, see the privacy policy of CleverReach at:
https://www.cleverreach.com/de/datenschutz/.
Data processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.
"The attackers use a clever tactic: They hide the malicious code as a single line in a seemingly harmless component of the project," explains ESET researcher Matěj Havránek, who analyzed the threat. "This way, it is pushed off the screen and remains largely hidden."
Attack in two acts: Infostealer and remote access
The attackers use two malware families: BeaverTail (infostealer, downloader) and InvisibleFerret (spyware, remote access Trojan). A typical attack proceeds in two phases: After compromise, BeaverTail steals login credentials from web browsers and downloads the second malware, InvisibleFerret. The hackers use this to steal additional data and install legitimate remote access software such as AnyDesk for further manipulation. The hackers' primary target is crypto wallets, but other information they find on their victims' devices can also be targeted.
Global threat without geographical boundaries
The attackers operate globally and do not discriminate between geographical locations. They can reach numerous developers using fake and compromised profiles on job portals. Cryptocurrency-focused platforms and blockchain projects are also in their sights.
"Deceptive Development is part of a larger North Korean strategy to make money through cybercrime," Havránek concludes. "The attacks demonstrate a trend: cryptocurrencies are now a more popular target for hackers than traditional currencies."
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.
Matching articles on the topic
