Fake recruiter coding tests target devs with malicious Python packages
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.
This week: RL researchers discover fake recruiter coding tests targeting devs with malicious Python packages. Also: Adobe works to patch critical code execution flaws in multiple products.
This Week’s Top Story
Fake recruiter coding tests target devs with malicious Python packages
This week, threat researchers at ReversingLabs discovered new malicious software packages being used to target developers. The packages are believed to be connected to the VMConnect campaign, which has ties to the prolific Lazarus Group, a North Korean hacking team. The malicious packages are hosted in GitHub projects that have been linked to previous, targeted attacks in which developers are lured with fake job interviews. Interestingly, RL researchers also identified one of the targeted developers through a malicious package the team analyzed.
Based on the malicious packages discovered as part of this new campaign, RL Reverse Engineer Karlo Zanki shared that it’s “clear that malicious actors were targeting developers and looking to install malicious downloaders on developer systems capable of fetching second and third stage malware such as backdoors and info stealers.”
The VMConnect campaign, discovered by RL threat researchers in August 2023, consisted of malicious PyPI packages imitating popular open source Python tools. RL researchers attributed the packages to the Lazarus Group by comparing their code with samples discovered earlier on by Japan’s Community Emergency Response Team (CERT).
Using a threat hunting YARA rule created by the Japan CERT for the earlier malicious campaign, RL’s Spectra Intelligence platform detected malware hidden in a compiled Python file. Further investigation led to the discovery of top-level open source containers that revealed a campaign targeting Python developers with coding skills tests that victims believe are required for job applications at leading financial services firms, including Capital One and Rookery Capital.
In this campaign, attackers trick victims into downloading open source packages that contain coding skills tests, but also malware that triggers once the package is installed on the victim’s system. When executed, the malware makes an HTTP POST request to the attacker’s C2 server and executes Python commands. ReversingLabs’ review of the README files included in the packages revealed instructions telling the victim to complete the test within a short amount of time, creating a sense of urgency for the victim to take action.
RL researchers assert that this campaign is ongoing, despite the fact that the attacker’s original and duplicated repositories have been reported to GitHub and removed from the platform. Additionally, this campaign is a part of a growing trend among threat actors to leverage open source packages and platforms to target developers.
“To address this growing risk, organizations need to be on the lookout for such downloads while also educating their developers and other technical staff to be wary of any effort to trick them into downloading and executing code from an unknown source on their system.” - Karlo Zanki
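One concrete check a developer or reviewer can run on a "coding test" repository before installing it follows from the story above: the malware was hidden in a compiled Python file, so a module shipped only as bytecode, with no source next to it, deserves a look. The script below is an added example (not ReversingLabs’ tooling or the YARA rule mentioned in the story): it lists every .pyc that has no matching .py source and reports which network- or execution-related names survive in the bytecode as literal strings. The sample tree it builds is constructed for the demo; the hidden module only references urlopen and never calls it.

```python
import os
import py_compile
import tempfile

# Names that survive compilation as literal strings in the .pyc constant
# pool; their presence in a compiled-only module justifies a manual review.
MARKERS = (b"urlopen", b"Request", b"exec", b"eval", b"b64decode")


def find_orphan_pyc(root):
    """Return [(relative_path, [markers_found])] for every .pyc under root
    that has no matching .py source next to it (or in the parent directory
    when the .pyc sits inside __pycache__)."""
    src_stems, pyc_paths = {}, []
    for dirpath, _dirs, files in os.walk(root):
        src_stems[dirpath] = {f[:-3] for f in files if f.endswith(".py")}
        pyc_paths += [os.path.join(dirpath, f) for f in files if f.endswith(".pyc")]
    findings = []
    for path in pyc_paths:
        d, name = os.path.split(path)
        src_dir = os.path.dirname(d) if os.path.basename(d) == "__pycache__" else d
        if name.split(".")[0] in src_stems.get(src_dir, set()):
            continue  # source present: a normal build artifact, not a hidden module
        with open(path, "rb") as fh:
            data = fh.read()
        findings.append((os.path.relpath(path, root), [m.decode() for m in MARKERS if m in data]))
    return findings


def build_sample_tree(root):
    """Constructed sample (not a real package): a normal module with its
    source, plus a compiled-only module that merely references urlopen."""
    pkg = os.path.join(root, "coding_test")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "tasks.py"), "w") as fh:
        fh.write("def solve(x):\n    return x * 2\n")
    py_compile.compile(os.path.join(pkg, "tasks.py"))  # lands in __pycache__
    hidden = os.path.join(root, "_tmp.py")  # compiled, then the source is deleted
    with open(hidden, "w") as fh:
        fh.write("import urllib.request\n\ndef fetch(u):\n    return urllib.request.urlopen(u)\n")
    py_compile.compile(hidden, cfile=os.path.join(pkg, "helper.pyc"))
    os.remove(hidden)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="coding_test_")
    build_sample_tree(root)
    return find_orphan_pyc(root)
```

Run `demo()` and it reports `coding_test/helper.pyc` with `urlopen` among the matched names, while the normally compiled `tasks` module is ignored; a hit is a prompt to read the repository before running anything, not proof of malice.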
This Week’s Headlines
Adobe patches critical code execution flaws in multiple products
Adobe released patches this past Tuesday for at least 28 documented security vulnerabilities in a wide range of products that affect both Windows and macOS users. The most urgent issue affects Acrobat and PDF Reader, which contain two memory corruption vulnerabilities that could be exploited to execute arbitrary code. The company’s ColdFusion product was also affected by a critical vulnerability that exposes businesses to code execution attacks. (Security Week)
NoName ransomware gang deploying RansomHub malware in recent attacks
The NoName (aka CosmicBeetle) ransomware gang may now be working as an affiliate of RansomHub, a ransomware-as-a-service (RaaS) group, to deploy tools from the Spacecolon malware family via brute force methods in addition to exploiting several older vulnerabilities likely present in SMB environments. ScRansom, one of the tools used by NoName in this campaign, isn’t as sophisticated as other malware types used by ransomware gangs, but it supports partial encryption, and sports an ‘ERASE’ mode that makes file contents unrecoverable. (Bleeping Computer)
Microsoft says Windows update zero-day being exploited to undo security fixes
This past Tuesday, Microsoft raised the alarm about in-the-wild exploitation of a critical vulnerability in Windows Update, and warned the community that attackers are rolling back security fixes on certain versions of the Windows operating system. The flaw is tagged as CVE-2024-43491 and carries a CVSS severity score of 9.8/10. Microsoft shared that the flaw was reported to it anonymously, and the company hasn’t released any information regarding public exploitation of the vulnerability or possible Indicators of Compromise (IoCs). The attack appears similar to a proof-of-concept attack dubbed “Downdate” that security researcher Alon Leviev of the firm SafeBreach demonstrated at the recent Black Hat Briefings conference. (Security Week)
SBOMs and the importance of inventory
The U.K.’s National Cyber Security Centre is clarifying its stance on software bills of materials (SBOMs) in light of other countries releasing guidance and mandates pertaining to the tool, including the White House’s 2021 Executive Order 14028 and the E.U.’s Cyber Resilience Act, both of which call out the need for transparency into software supply chains. This blog post from the agency “is neither an endorsement nor a rejection of SBOM technologies,” but rather contextualizes what SBOMs are, how they can benefit software supply chain security, and what their limitations are. The Centre notes, “The mere presence of a SBOM does not guarantee that a supply chain is secure, and is not the answer to resolving all your supply chain risks.” (U.K. National Cyber Security Centre)
Chinese DragonRank hackers exploit global Windows servers in SEO fraud
DragonRank, a Chinese-speaking hacking group, has compromised 30+ Windows servers across the globe, including in Thailand, India, Korea, Belgium, the Netherlands and China. The campaign involves manipulating search engine crawlers and disrupting the SEO of affected sites in order to push scam websites to unsuspecting users. Attackers gain access to the servers by exploiting vulnerabilities in web application services such as phpMyAdmin and WordPress. This gives DragonRank the ability to achieve remote code execution (RCE) or upload files on the targeted site, after which a webshell is deployed to maintain control of the server. (HackRead)
Trust but verify
Organizations worldwide depend on diverse software components, such as commercial software, open source, and containers, to power their operations, connect with customers, and drive innovation. However, this reliance on software comes with a hidden danger: the blind trust placed in these software products. In this Security Today article, learn why the saying “trust but verify” is paramount for organizations relying on software that is outside their control. Author Tom Pace argues that blind trust in software can lead to devastating consequences for enterprises, ranging from costly data breaches to operational dysfunction. (Security Today)
Looking for more insights on software supply chain security? Head to the RL Blog.
Resource Round-up
Webinar | Software Supply Chain Security 101
September 25 at 12 pm ET
RL technical experts Jasmine Noel and Joshua Knox will offer a crash course on the technical aspects of software supply chain compromises and demonstrate how to assess the risks posed by commercial software. Their technical insights and actionable recommendations will enable you to position your organization to handle this growing threat. [Register Here]
Interactive Demo | Spectra Assure
September 27 at 12 pm ET
Join to see how Spectra Assure, RL’s premier software supply chain security solution, simplifies the detection of threats and exposures, enabling software producers and enterprise buyers to minimize the impact of supply chain attacks on their organizations. [Register Here]
Podcast | The Past, Present & Future of SBOMs
In this episode of the ConversingLabs Podcast, host Paul F. Roberts chats with Beau Woods of Stratigos Security and I Am The Cavalry about the history of the SBOM, from its beginnings, to its modern-day use, to efforts underway to adapt it for the future. Listen to it here or wherever you get your podcasts. [Listen Here]
Looking for more great conversations to watch? See RL’s on-demand webinar library.