1. Forum
  2. Fidonet
  3. POLITICS

  • North Korean hackers are

    From Mike Powell@1:2320/105 to All on Wed Apr 23 09:01:00 2025
    North Korean hackers are using LinkedIn to entice developers to coding challenges - here's what you need to know

    Date:
    Tue, 22 Apr 2025 21:26:00 +0000

    Description:
    North Korean hackers pose as recruiters, turning coding tests into costly crypto theft schemes.

    FULL STORY ======================================================================
    - Slow Pisces targets crypto developers with bad code disguised as stock analysis tools
    - Malicious code hides in plain sight, using GitHub projects and YAML deserialization tricks
    - Victims unknowingly install RN Loader and RN Stealer through rigged Python repositories

    A hacker group from North Korea known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector through LinkedIn.

    The group, also known as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly genuine job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.

    Thanks to this campaign, the group has been able to steal substantial amounts of cryptocurrency. In 2023 alone, they were linked to over $1 billion in
    stolen funds. A $1.5 billion hack at a Dubai exchange and a $308 million
    theft from a Japanese company are among the recent attacks.

    Coders beware!

    After initially sending PDF documents containing job descriptions, the malicious actors follow up with coding assignments hosted on GitHub.

    Although these repositories appear to be based on legitimate open-source projects, they have been secretly altered to include hidden malware.

    Victims, believing they are completing programming tests, unintentionally
    allow malware like RN Loader and RN Stealer onto their systems.

    These booby-trapped projects mimic legitimate developer tools and
    applications. For instance, Python repositories might seem to analyze stock market trends using data from reputable sources, while secretly communicating with attacker-controlled domains.

    The malware evades most detection tools by using YAML deserialization,
    avoiding commonly flagged functions like eval or exec. Once triggered, the loader fetches and executes additional payloads directly in memory, making it difficult to detect or remove.

    One such payload, RN Stealer, is specifically designed to exfiltrate credentials, cloud configuration files, and stored SSH keys, particularly
    from macOS systems.

    JavaScript variants of the malware operate similarly, using the Embedded JavaScript templating engine to hide malicious code, which activates only for targeted victims based on factors like IP addresses or browser headers.

    Forensic analysis shows that the malware stores code in hidden directories
    and communicates over HTTPS using custom tokens. However, investigators were unable to recover the full JavaScript payload.

    GitHub and LinkedIn have responded by removing the malicious accounts and repositories involved.

    GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated
    technology, combined with teams of investigation experts and member
    reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity, the companies said in a joint statement.

    There is a growing need for caution when approached with remote job offers
    and coding tests. Developers are advised to use strong antivirus software and run unfamiliar code in secure environments, particularly when working in sensitive sectors like cryptocurrency.

    Those concerned about security should verify they are using the best IDE s, which typically include integrated security features. Staying alert, and working on a secure, controlled setup, can significantly reduce the risk of falling prey to state-backed cyber threats.

    Via Unit42

    ======================================================================
    Link to news story: https://www.techradar.com/pro/north-korean-hackers-are-using-linkedin-to-entic e-developers-to-coding-challenges-heres-what-you-need-to-know

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
  • From Mike Powell@1:2320/105 to All on Sat Apr 26 10:46:00 2025
    North Korean hackers are using advanced AI tools to help them get hired at Western firms

    Date:
    Fri, 25 Apr 2025 18:00:00 +0000

    Description:
    Research revealed the DPRK is using AI in its malicious campaign.

    FULL STORY ======================================================================
    - North Korean hackers are using GenAI to hold jobs in western firms
    - New research from Okta reveals AI written CVs and messages
    - This is an escalation from an existing fake interview campaign

    New research from Okta has revealed that hackers from the Democratic Peoples Republic of Korea (DPRK), are using generative AI in its malicious interview campaign - a series of tactics that involve gaining employment in remote technical roles in western firms, usually in industries with sensitive
    security data like defense, aerospace, or engineering.

    This isnt the first time North Korean fake job hackers have gone the extra
    mile with their campaigns, but the new research has found that GenAI is
    playing an integral role in the employment schemes.

    The AI models are used to create compelling personas at numerous stages of
    the job application and interview process and then, once hired, GenAI is
    again used to assist in maintaining multiple roles, all earning revenue for
    the state.

    Malicious interview

    AI was used by these hackers in a number of ways, including generating CVs
    and cover letters, conducting mock interviews via chat and webcam,
    translating, translating, and summarising messages, as well as managing communications for multiple jobs from different accounts and services.

    To assist, the hackers have a sophisticated network of facilitators that provide in-country support, technical infrastructure, and legitimate business cover - helping the North Koreans with domestic addresses, legitimate documents, and support during the recruitment process.

    The campaign is growing ever more sophisticated, especially given that
    hackers are now using both sides of the job seeking process, targeting job seekers with fake interviews , in which they deliver malware and
    infostealers.

    These elaborate schemes often start on legitimate platforms like LinkedIn or Upwork - with the attackers reaching out to victims to discuss potential opportunities. Anyone on the job hunt or in the hiring process should be
    extra vigilant about who they are speaking to, and should be careful not to download any unfamiliar software.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/north-korean-hackers-are-using-advanced -ai-tools-to-help-them-get-hired-at-western-firms

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)