North Korean Hackers Exploit Fake Job Interviews to Deploy Malware via Malicious Fonts
In a sophisticated cyber-espionage operation, North Korea’s Lazarus Group has initiated a campaign known as Fake Font, targeting software developers through deceptive job interviews and malicious GitHub repositories. This campaign, active for over 100 days, has recently escalated, with 19 compromised repositories identified. The primary objective is to deploy the InvisibleFerret Python backdoor, which steals cryptocurrency wallets and browser credentials and establishes persistent access to infected systems.
Attack Methodology
The operation commences on LinkedIn, where individuals posing as recruiters from cryptocurrency and fintech sectors approach developers. These impostors express interest in the target’s GitHub projects and propose a coding assessment as part of a fabricated hiring process. Victims receive links to repositories that, at first glance, appear legitimate, featuring standard web project structures with React frontends, Node.js backends, comprehensive documentation, and CI/CD configurations.
The realistic appearance of these repositories makes it challenging to distinguish them from genuine projects. Analysts from OpenSourceMalware have detailed the campaign’s mechanics, highlighting the exploitation of Visual Studio Code’s task automation feature. Each malicious repository contains a `.vscode/tasks.json` file configured to execute automatically upon opening the folder in VS Code.
Infection Mechanism
The infection strategy involves disguising JavaScript malware as web font files with `.woff2` extensions. When a developer opens the repository, VS Code automatically runs the malicious task, executing the fake font file via Node.js. This initiates a multi-stage loader that deploys the malware while remaining largely undetectable. The task configuration conceals any output windows, further obscuring the attack.
This campaign is particularly insidious due to its exploitation of the trust developers place in open-source repositories and development tools. The repository structures appear entirely normal, with font files seamlessly integrated into the expected project layout for web applications utilizing Font Awesome icons. Developers cloning these repositories for a job assessment encounter no visual indicators of the malware’s presence.
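The two traits described above, a task that runs on folder open and a "font" file that is really script, can both be checked before a cloned assessment repository is ever opened in VS Code. The scanner below is an added example written for this article; it is not code from OpenSourceMalware or from the campaign's repositories. It assumes only the layout the article describes (`.vscode/tasks.json` plus font files under the project tree), parses the task definitions for the `runOn: "folderOpen"`, `presentation.reveal: "never"` and interpreter-plus-font-argument pattern, and verifies that every file with a font extension actually starts with a font signature (`wOF2`, `wOFF`, TrueType or OpenType). The sample repository it scans is constructed inline so the script runs offline; its file names and placeholder content are invented for the demo.

```python
"""Scan a cloned repository for the VS Code auto-run font-loader pattern.

Added example for this article, not code from OpenSourceMalware or from the
campaign itself. Sample repository contents below are constructed.
"""
import json
import tempfile
from pathlib import Path

FONT_EXTS = {".woff", ".woff2", ".ttf", ".otf"}
# Genuine font files begin with one of these signatures; a JavaScript payload does not.
FONT_MAGIC = {b"wOF2", b"wOFF", b"\x00\x01\x00\x00", b"OTTO", b"true"}
# Commands that would execute a file handed to them as an argument.
INTERPRETERS = {"node", "nodejs", "python", "python3", "sh", "bash", "cmd", "powershell", "pwsh"}


def load_tasks(repo: Path) -> list[dict]:
    """Return the task list from .vscode/tasks.json, or [] if there is none."""
    path = repo / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    # tasks.json is JSON-with-comments; dropping whole-line // comments is a
    # simplification that is enough for typical files.
    lines = path.read_text(encoding="utf-8").splitlines()
    text = "\n".join(l for l in lines if not l.lstrip().startswith("//"))
    return json.loads(text).get("tasks", [])


def analyse_task(task: dict) -> list[str]:
    """Flag the individual traits of an auto-running, hidden, font-executing task."""
    findings = []
    name = task.get("label", "<unnamed>")
    if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
        findings.append(f"task '{name}' runs automatically when the folder is opened")
    parts = [str(task.get("command", ""))]
    parts += [a for a in task.get("args", []) if isinstance(a, str)]
    cmdline = " ".join(parts)
    tokens = cmdline.replace("\\", "/").split()
    if tokens and Path(tokens[0]).stem.lower() in INTERPRETERS:
        findings.append(f"task '{name}' invokes an interpreter: {tokens[0]}")
    if any(Path(t).suffix.lower() in FONT_EXTS for t in tokens):
        findings.append(f"task '{name}' passes a font file to a command: {cmdline}")
    if (task.get("presentation") or {}).get("reveal") == "never":
        findings.append(f"task '{name}' hides its terminal output (reveal: never)")
    return findings


def check_font_files(repo: Path) -> list[str]:
    """Flag files whose extension says 'font' but whose first bytes do not."""
    findings = []
    for path in sorted(repo.rglob("*")):
        if path.is_file() and path.suffix.lower() in FONT_EXTS:
            with path.open("rb") as fh:
                head = fh.read(4)
            if head not in FONT_MAGIC:
                rel = path.relative_to(repo)
                findings.append(f"{rel} has a {path.suffix} extension but no font signature (starts with {head!r})")
    return findings


def scan_repo(repo: Path) -> list[str]:
    """Combine task analysis and font-signature checks for one repository."""
    findings = []
    for task in load_tasks(repo):
        findings.extend(analyse_task(task))
    findings.extend(check_font_files(repo))
    return findings


# Constructed sample: one auto-run task that feeds a "font" to node with hidden output.
SAMPLE_TASKS = {
    "version": "2.0.0",
    "tasks": [{
        "label": "install fonts",
        "type": "shell",
        "command": "node",
        "args": ["./public/fonts/fa-solid-900.woff2"],
        "runOptions": {"runOn": "folderOpen"},
        "presentation": {"reveal": "never", "echo": False},
    }],
}


def build_sample_repo(root: Path) -> Path:
    """Write the constructed sample repository under root and return its path."""
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(
        "// constructed sample\n" + json.dumps(SAMPLE_TASKS, indent=2), encoding="utf-8")
    fonts = root / "public" / "fonts"
    fonts.mkdir(parents=True)
    # A harmless placeholder standing in for script disguised as a font.
    (fonts / "fa-solid-900.woff2").write_text('console.log("constructed placeholder");\n')
    # A file that looks like a real WOFF2 font (correct signature, dummy body).
    (fonts / "fa-regular-400.woff2").write_bytes(b"wOF2" + b"\x00" * 28)
    return root


def demo() -> list[str]:
    """Build the sample repository in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real clone with `scan_repo(Path("/path/to/clone"))` before opening it in an editor; a task that is both auto-run and hidden, or a font file with no font signature, is worth treating as hostile until explained. A complementary control on the editor side is VS Code's Workspace Trust, which blocks automatic tasks in folders that have not been explicitly trusted.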
Implications and Recommendations
The Fake Font campaign underscores the evolving tactics of cyber attackers in circumventing security measures. By combining social engineering, supply chain vulnerabilities, and tool-specific features, the Lazarus Group effectively targets individuals with access to sensitive systems and cryptocurrency assets.
Security teams are advised to promptly review GitHub repository access and Visual Studio Code configurations within their organizations to detect potential compromises stemming from this campaign. Implementing stringent code review processes, verifying the authenticity of external repositories, and educating developers about such sophisticated social engineering tactics are crucial steps in mitigating the risk posed by these attacks.