North Korea’s Lazarus Group has launched a sophisticated supply chain attack targeting software developers through a campaign dubbed “Fake Font.”
The threat actors use fake job interviews and malicious GitHub repositories to trick engineers into downloading code that contains hidden malware.
The campaign, which began over 100 days ago, has recently intensified, with 19 repositories identified as part of the operation.
The malware ultimately deploys the InvisibleFerret Python backdoor, which is designed to steal cryptocurrency wallets and browser credentials and to establish long-term access to compromised machines.
Fake Font (Source – OpenSourceMalware)
The attack begins on LinkedIn, where fake recruiters claiming to represent cryptocurrency and fintech companies contact developers. They pose as hiring managers impressed by the target’s GitHub profile and ask the target to complete a simple coding assessment.
Developers are sent links to repositories that look legitimate: standard web project structures with React frontends, Node.js backends, proper documentation, and CI/CD configurations.
19 GitHub repositories (Source – OpenSourceMalware)
This authentic appearance makes the malicious repositories hard to distinguish from genuine projects at first glance.
OpenSourceMalware analysts identified and documented how the campaign works. The attack abuses Visual Studio Code’s task automation feature, which developers commonly use to run tests and build projects.
Hidden inside each malicious repository is a .vscode/tasks.json file whose task is configured (via the runOptions.runOn setting with the value folderOpen) to execute automatically when the folder is opened in VS Code.
Infection mechanism
The infection mechanism relies on disguising JavaScript malware as web font files with .woff2 extensions.
When a developer opens the repository, VS Code automatically executes the malicious task, which runs the fake font file through Node.js. Node does not care about the file extension, so a .woff2 file that contains JavaScript executes like any other script.
This triggers a multi-stage loader that executes the malware while remaining largely invisible to the user.
The presentation settings in the task configuration hide the task’s terminal output, making the attack difficult to notice.
What makes this campaign particularly dangerous is how it exploits the legitimate trust developers place in open-source repositories and development tools.
The repository structure appears completely normal, with the font files fitting neatly into the expected project layout for web applications that use Font Awesome icons.
Developers who clone these repositories for a job assessment get no visual indication that they are installing malware.
The campaign demonstrates how attackers keep evolving their techniques to bypass security measures.
By chaining together social engineering, supply chain weaknesses, and tool-specific features, Lazarus Group successfully targets a high-value audience with access to sensitive systems and cryptocurrency assets.
Security teams should immediately review GitHub repository access and VS Code configurations across their organizations, in particular any .vscode/tasks.json with automatic tasks, to identify potential compromises from this campaign.
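The following scanner is an added example for the infection mechanism described above and for the review recommended here; it is not code from the article, from OpenSourceMalware, or from the campaign. It walks a cloned repository and flags two things: tasks in .vscode/tasks.json that start on folder open, run Node.js against a font asset, or hide their output, and files with font extensions whose first bytes are not a known font signature (a real WOFF2 file begins with the bytes wOF2). The tasks.json content, file names and payload bytes are constructed for the demo and are not indicators from the campaign; the small JSON-with-comments stripper is the author’s own, since tasks.json allows comments and trailing commas that the standard json module rejects.

```python
"""Scan a cloned repository for the VS Code auto-run / fake-font pattern.
Added example, not code from the article. Sample contents are constructed."""
import json
import re
import sys
import tempfile
from pathlib import Path

# Leading bytes of genuine font containers: WOFF2, WOFF, TrueType, CFF OpenType, Mac TrueType.
FONT_MAGIC = (b"wOF2", b"wOFF", b"\x00\x01\x00\x00", b"OTTO", b"true")
FONT_EXTS = {".woff2", ".woff", ".ttf", ".otf"}


def strip_jsonc(text):
    """Drop // and /* */ comments (outside strings) and trailing commas so json.loads accepts tasks.json."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character, including \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):       # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        elif text.startswith("/*", i):       # block comment
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_tasks_text(text):
    return json.loads(strip_jsonc(text))


def command_line(task):
    """Flatten command/args into one string ("command" and args may be strings or {"value": ...} objects)."""
    cmd = task.get("command", "")
    cmd = cmd.get("value", "") if isinstance(cmd, dict) else str(cmd)
    args = [a.get("value", "") if isinstance(a, dict) else str(a) for a in task.get("args", [])]
    return " ".join([cmd] + args)


def suspicious_tasks(tasks_json):
    """Return [{"label", "reasons"}] for tasks that match the reported technique."""
    findings = []
    for task in tasks_json.get("tasks", []):
        reasons = []
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically on folder open (runOptions.runOn=folderOpen)")
        cmd = command_line(task)
        if re.search(r"\bnode(?:\.exe)?\b", cmd) and re.search(r"\.(?:woff2?|ttf|otf)\b", cmd, re.I):
            reasons.append("executes a font asset with Node.js: " + cmd)
        pres = task.get("presentation") or {}
        if pres.get("reveal") in ("never", "silent") or pres.get("echo") is False:
            reasons.append("terminal output is hidden (presentation=%s)" % json.dumps(pres))
        if reasons:
            findings.append({"label": task.get("label", "<unlabelled>"), "reasons": reasons})
    return findings


def fake_font_files(root):
    """Font-named files whose first bytes are not a known font signature (e.g. JavaScript in a .woff2)."""
    root = Path(root)
    bad = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in FONT_EXTS:
            with p.open("rb") as fh:
                head = fh.read(4)
            if not any(head.startswith(m) for m in FONT_MAGIC):
                bad.append(p.relative_to(root).as_posix())
    return bad


def scan_repo(root):
    root = Path(root)
    report = {"tasks": [], "fake_fonts": fake_font_files(root)}
    tasks_path = root / ".vscode" / "tasks.json"
    if tasks_path.is_file():
        report["tasks"] = suspicious_tasks(load_tasks_text(tasks_path.read_text(encoding="utf-8")))
    return report


# Constructed sample modelled on the reported pattern; not a file recovered from the campaign.
SAMPLE_TASKS_JSON = r'''{
  // looks like an ordinary build task until you read runOptions and presentation
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "node src/assets/fonts/icons.woff2",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false, "close": true },
    },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}'''


def build_sample_repo(root):
    """Write the constructed sample: one JavaScript stub named .woff2 and one genuine-looking WOFF2 header."""
    root = Path(root)
    (root / ".vscode").mkdir(parents=True, exist_ok=True)
    (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
    fonts = root / "src" / "assets" / "fonts"
    fonts.mkdir(parents=True, exist_ok=True)
    # Node ignores the extension, so a .woff2 holding JavaScript runs as a script when passed to node.
    (fonts / "icons.woff2").write_bytes(b"const cp = require('child_process'); /* harmless stub */\n")
    (fonts / "regular.woff2").write_bytes(b"wOF2" + b"\x00" * 28)


def demo():
    """Build the sample in a temp dir, scan it and return the report."""
    root = tempfile.mkdtemp(prefix="fakefont-")
    build_sample_repo(root)
    return scan_repo(root)


if __name__ == "__main__":
    print(json.dumps(scan_repo(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

Run it as `python fakefont_scan.py path/to/clone` (the file name is arbitrary) over every checkout you want to review, or without arguments to scan the built-in sample, where only the “build” task and icons.woff2 are reported. The magic-byte check is the more robust of the two, since a task can be obfuscated in many ways but a file that is executed by Node must contain JavaScript, not a font. On the prevention side, VS Code only runs folderOpen tasks in a trusted workspace and can be told never to run them by setting task.allowAutomaticTasks to "off"; opening an interview repository in Restricted Mode and reading .vscode/ before trusting it removes the trigger entirely.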
