North Korean Hackers Target Crypto Developers With Malicious Recruitment Tests

Coin World, Thursday, Apr 17, 2025 4:21 pm ET

North Korean hackers, known for their involvement in the $1.4 billion Bybit exploit, have been targeting crypto developers with malicious recruitment tests. The group, tracked as Slow Pisces, uses fake job offers to deliver malware to developers. The lure starts on professional networking sites and freelance marketplaces, where targets are offered well-paid contracts or coding challenges. Once a developer downloads and runs the coding challenge from the attacker-controlled repository, stealer malware is installed on the machine and harvests credentials and access tokens.

The hackers' ultimate goal is to reach the Web3 companies that employ the targeted developers. With a developer's stolen credentials in hand, the attackers can move into the employer's environment and carry out large thefts. Cybersecurity professionals warn that the group is after developer credentials, cloud configurations, SSH keys and wallet access in particular, and also goes after API keys and production infrastructure, which is why developers need to treat unsolicited coding tasks with suspicion.

Hacken's service project manager, Luis Lubeck, emphasized the importance of verifying job offers independently and avoiding the installation of unverified packages. He also recommended using virtual machines and sandboxes for testing and employing good endpoint protection. Additionally, developers should be cautious of 'too-good-to-be-true' gigs, especially unsolicited ones, and avoid storing secrets in plain text format.

The hackers' tactics include creating credible-looking recruiter profiles on professional networking sites, backed by resumes that match the fake positions. The effort is aimed at earning the developer's trust and, through the developer, reaching the employer's systems. The malware embedded in these repositories relies on techniques such as YAML deserialization and the EJS escapeFunction option: the repository itself contains what looks like ordinary configuration or template handling, and the code-execution step happens when untrusted data is fed to those sinks, so there is no obviously malicious code for a developer to spot on a quick read.
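A practical check before running any unknown coding challenge is to audit the clone for the two sinks named above without executing it. The following is an added example, not code from the article or from any vendor report; the sample repository contents, the `payload` variable in the JavaScript snippet and the function names are constructed for illustration. It parses Python files with the standard-library `ast` module to find `yaml.load()` calls that lack a safe Loader (or use the explicitly unsafe loaders), and scans JavaScript files for EJS render options that replace the escape function, which EJS calls on every `<%= %>` expression at render time.

```python
"""Pre-execution audit of an untrusted coding-challenge repository.

Added example (not the article's or any project's code). Flags PyYAML
`yaml.load()` without a safe Loader, the explicitly unsafe loaders, and
EJS options that override the escape function. File contents are passed
in as strings, so nothing from the repository is ever executed.
"""
import ast
import re
from typing import Dict, List

# Loaders that refuse arbitrary-object tags. FullLoader is deliberately
# absent: older PyYAML releases allowed code execution through it.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}


def _name_of(node):
    """Return the trailing identifier of `yaml.SafeLoader` / `SafeLoader`, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source: str, filename: str) -> List[str]:
    findings = []
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [f"{filename}: not parseable ({exc.msg}); review by hand"]
    # Track `import yaml as y` and `from yaml import load as l` so aliases are caught.
    yaml_modules = {"yaml"}
    from_yaml = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    yaml_modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                from_yaml[alias.asname or alias.name] = alias.name
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in yaml_modules):
            fname = func.attr
        elif isinstance(func, ast.Name) and func.id in from_yaml:
            fname = from_yaml[func.id]
        else:
            continue
        if fname in UNSAFE_FUNCS:
            findings.append(f"{filename}:{node.lineno}: yaml.{fname}() constructs arbitrary Python objects")
        elif fname in ("load", "load_all"):
            # Loader may be passed as keyword or as the second positional argument.
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) >= 2:
                loader = node.args[1]
            if _name_of(loader) not in SAFE_LOADERS:
                findings.append(f"{filename}:{node.lineno}: yaml.{fname}() without a safe Loader")
    return findings


# EJS stores the `escape` option as `escapeFunction` and calls it while
# rendering, so an attacker-supplied value runs at render time. The regex is
# deliberately broad; each hit is reviewed by a human.
EJS_ESCAPE_OPT = re.compile(r"\b(escapeFunction|escape)\s*:\s*(?P<value>[^,}\n]+)")


def find_ejs_escape_overrides(source: str, filename: str) -> List[str]:
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = EJS_ESCAPE_OPT.search(line)
        if m:
            findings.append(f"{filename}:{lineno}: EJS escape function set to {m.group('value').strip()}")
    return findings


def audit_repo(files: Dict[str, str]) -> List[str]:
    """`files` maps a relative path to its text content; returns one line per finding."""
    findings = []
    for path, text in sorted(files.items()):
        if path.endswith(".py"):
            findings.extend(find_unsafe_yaml_loads(text, path))
        elif path.endswith((".js", ".mjs", ".cjs")):
            findings.extend(find_ejs_escape_overrides(text, path))
    return findings


# Constructed sample repository for illustration only (not real malware).
SAMPLE_REPO = {
    "config/loader.py": (
        "import yaml\n"
        "def load_settings(text):\n"
        "    return yaml.load(text)\n"                          # flagged: default Loader
        "def load_fixture(text):\n"
        "    return yaml.load(text, Loader=yaml.SafeLoader)\n"  # fine
    ),
    "config/safe.py": "import yaml\nsettings = yaml.safe_load(open('s.yml').read())\n",
    "views/render.js": (
        "const ejs = require('ejs');\n"
        "module.exports = (tpl, data) =>\n"
        "  ejs.render(tpl, data, { escape: new Function(payload) });\n"  # flagged
    ),
}

if __name__ == "__main__":
    for finding in audit_repo(SAMPLE_REPO):
        print(finding)
```

Run it against a clone (walk the tree and read each file into the dictionary) before opening the project in an IDE that may auto-run tasks. A clean result does not prove the repository is safe, since payloads can be fetched at runtime from the attackers' server, which is why the sandbox and virtual-machine advice above still applies; what the audit removes is the chance of missing these two specific sinks on a quick read.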

Cybersecurity professionals advise developers to be wary of unsolicited gigs, to verify a recruiter's identity through the hiring company's official channels rather than the contact details in the offer, and to avoid storing secrets in plain text. Following these practices reduces the chance that a single compromised developer machine turns into a compromise of the employer's systems.

This type of attack is highly targeted and unfolds in stages. The attackers open with a benign PDF containing the job description. A developer who responds positively receives a questionnaire that directs them to download a coding challenge from a compromised GitHub project. The group has stuck with this technique patiently, and it appears to keep producing results. Delivery is gated: the malware is served only to recipients who pass the attackers' checks on IP address, geolocation and timing, so researchers and sandboxes that fetch the payload from the wrong place or at the wrong time receive nothing harmful. This degree of selectivity points to an organized operation that pursues specific targets rather than spraying attacks across the industry.

Previous media coverage of the group's operations has not stopped it from continuing with its established approach, which indicates that the approach keeps working. The North Korean hackers reuse the same methods because they reliably exploit weaknesses in how cryptocurrency developers handle unsolicited work. This is the second known deployment of the tactic, following a campaign in July 2023; in that same cycle, Bitcoin-related businesses, cybersecurity companies and their staff fell victim to attacks delivered through malicious npm packages.

Lastly, this threat is a reminder that crypto developers should treat unexpected career proposals and programming tasks with caution. Employment offers should be verified independently before they are accepted, and any shared links and documents should come from established, trustworthy sources. Groups such as Slow Pisces ensure the threat to cryptocurrency systems persists, and countering them requires greater industry awareness and stronger defensive measures.

Disclaimer: The news articles available on this platform are generated in whole or in part by artificial intelligence and may not have been reviewed or fact checked by human editors. While we make reasonable efforts to ensure the quality and accuracy of the content, we make no representations or warranties, express or implied, as to the truthfulness, reliability, completeness, or timeliness of any information provided. It is your sole responsibility to independently verify any facts, statements, or claims prior to acting upon them. Ainvest Fintech Inc expressly disclaims all liability for any loss, damage, or harm arising from the use of or reliance on AI-generated content, including but not limited to direct, indirect, incidental, or consequential damages.