Freelance programmers become targets of hackers

According to TechRadar , cybersecurity experts from ESET have discovered a new campaign called DeceptiveDevelopment from hacking groups believed to be from North Korea. These groups impersonate recruiters on social media to target freelance programmers, especially those working on cryptocurrency-related projects.

The primary goal of this campaign is to steal cryptocurrency. Hackers will copy or create fake profiles of employers and contact programmers through recruitment platforms like LinkedIn, Upwork, or Freelancer.com. They will then invite programmers to take a programming skills test as a condition for being hired.

These tests typically revolve around cryptocurrency projects, blockchain-integrated games, or cryptocurrency-based gambling platforms. The test files are stored on private repositories such as GitHub. When the victim downloads and runs the project, malware called BeaverTail is activated.

Hackers typically don't make extensive modifications to the original project's source code, instead adding malicious code to hard-to-detect locations, such as within the server's backend code or hidden in comments. When executed, BeaverTail attempts to extract data from the browser to steal login credentials and downloads a second piece of malware called InvisibleFerret. This malware acts as a backdoor, allowing the attacker to install AnyDesk—a remote management tool that enables further operations after the intrusion.

This attack campaign can affect users on Windows, macOS, and Linux operating systems. Experts have noted victims globally, ranging from novice programmers to seasoned professionals. The DeceptiveDevelopment campaign shares many similarities with Operation DreamJob, a previous hacker campaign targeting aerospace and defense personnel to steal confidential information.