The notorious North Korea state-sponsored Lazarus group has once again made headlines, this time targeting software developers in an ongoing campaign dubbed ‘Operation 99’. SecurityScorecard researchers have uncovered this latest attack, which aims to steal sensitive data from developer environments, including source code, secrets, configuration files, and cryptocurrency wallet keys.
This campaign represents a shift in tactics for the Lazarus group, moving from broad phishing attempts to targeted attacks on developers within the tech supply chain. The malware used by the group has also seen upgrades, including enhanced obfuscation and adaptability capabilities, making it harder to detect.
The researchers have identified victims of this campaign across the globe, underscoring the extensive reach of the Lazarus group’s operations. The ultimate goal of these attacks is to generate revenue for the Democratic People’s Republic of Korea (DPRK) regime.
One of the key aspects of ‘Operation 99’ is its focus on freelance developers working in the cryptocurrency sector. The attackers pose as recruiters on platforms like LinkedIn, enticing targets with coding projects tied to fake recruitment schemes. Victims are directed to clone a malicious GitHub repository named “coin promoting Webapp”, which, when executed, connects to command-and-control (C2) servers hosted by Stark Industries Solutions Ltd.
The C2 servers use heavily obfuscated Python scripts to avoid detection, delivering various payloads for second-stage execution on the victim’s machine. The malware deployed in this campaign includes a multi-stage system with components capable of keylogging, clipboard monitoring, file exfiltration, and browser credential theft.
Developers are urged to adopt proactive security measures to protect themselves from such attacks. SecurityScorecard recommends deploying enhanced code repository verification, using advanced endpoint security solutions, verifying recruiters and job offers, and equipping developers with the knowledge to identify red flags in emails, repositories, and LinkedIn profiles.
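The "enhanced code repository verification" recommended above can be made concrete as a pre-execution triage step: before running `npm install`, `pip install`, or any script from a repository received through a recruiter, inspect it for the red flags that a cloned-and-run stager relies on. The script below is an added example, not SecurityScorecard's tooling or anything recovered from the campaign; the sample repository it builds (including the long base64-looking literal and the `exec(base64.b64decode(...))` line) is constructed for illustration, and the detection rules are heuristics chosen for this example. It flags npm lifecycle hooks (which run automatically during install), `setup.py` (which runs on `pip install`), and decode-then-execute patterns typical of obfuscated loaders.

```python
"""Pre-execution triage for a freshly cloned repository (illustrative example).

Flags what a reviewer should see before installing or running anything:
install-time hooks, and source files that decode and execute embedded blobs.
"""
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# npm runs these automatically during `npm install`, before any code review.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Files that execute arbitrary code at install time in Python projects.
PY_INSTALL_FILES = {"setup.py"}
# Decode-then-execute patterns typical of obfuscated stagers (heuristics chosen for this example).
OBFUSCATION_PATTERNS = [
    (re.compile(r"\bexec\s*\(\s*(base64\.)?b64decode", re.I), "exec of base64 payload"),
    (re.compile(r"\bexec\s*\(\s*(zlib\.)?decompress", re.I), "exec of compressed payload"),
    (re.compile(r"\bmarshal\.loads\s*\(", re.I), "marshal.loads (bytecode loader)"),
    (re.compile(r"\beval\s*\(\s*atob\s*\(", re.I), "eval of base64 payload (JS)"),
    (re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), "long base64-like string literal"),
]
SOURCE_SUFFIXES = {".py", ".js", ".mjs", ".cjs", ".ts"}


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the repository root
    rule: str
    detail: str


def check_package_json(path: Path, root: Path) -> list[Finding]:
    """Report scripts that npm would execute on install without the user asking."""
    rel = str(path.relative_to(root))
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return [Finding(rel, "unparseable", "package.json is not valid JSON")]
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return []
    hooks = NPM_LIFECYCLE_HOOKS & set(scripts)
    return [Finding(rel, "npm-lifecycle-hook", f"{h}: {scripts[h]}") for h in sorted(hooks)]


def check_source(path: Path, root: Path) -> list[Finding]:
    """Report decode-and-execute patterns in a single source file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    rel = str(path.relative_to(root))
    return [Finding(rel, "obfuscation", label) for pat, label in OBFUSCATION_PATTERNS if pat.search(text)]


def triage_repo(root: Path) -> list[Finding]:
    """Walk the checkout (skipping .git) and collect every finding."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        if path.name == "package.json":
            findings += check_package_json(path, root)
        elif path.name in PY_INSTALL_FILES:
            findings.append(Finding(str(path.relative_to(root)), "install-time-code",
                                    f"{path.name} runs arbitrary code on pip install"))
        if path.suffix in SOURCE_SUFFIXES:
            findings += check_source(path, root)
    return findings


def build_sample_repo(base: Path) -> Path:
    """Write a constructed sample repository; contents are invented for this example."""
    root = base / "sample-webapp"
    (root / "src").mkdir(parents=True)
    (root / "package.json").write_text(json.dumps(
        {"name": "sample", "scripts": {"postinstall": "node src/setup.js", "test": "jest"}}))
    (root / "src" / "setup.js").write_text("eval(atob('" + "Q" * 240 + "'));\n")   # constructed blob
    (root / "src" / "app.py").write_text("import base64\nexec(base64.b64decode(BLOB))\n")
    (root / "src" / "index.js").write_text("console.log('hello');\n")               # benign file
    return root


def triage_sample() -> list[Finding]:
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_repo(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.rule:20} {f.path}: {f.detail}")
```

Run `triage_repo(Path("path/to/clone"))` against a real checkout before any install or build step; on the constructed sample it reports the `postinstall` hook, the `exec(base64.b64decode(...))` line in `app.py`, and both the `eval(atob(...))` call and the long literal in `setup.js`, while the benign `index.js` produces nothing. A hit is a reason to read the flagged file in an isolated environment, not proof of compromise; conversely, a clean result does not clear a repository, since loaders can also be fetched at runtime rather than embedded.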
The ‘Operation 99’ campaign serves as a stark reminder of the security vulnerabilities present in the developer ecosystem. By staying vigilant and implementing robust security measures, developers can safeguard their intellectual property and digital assets from malicious actors like the Lazarus group.