North Korean hackers target freelance software developers
Freelance software developers are being targeted by North Korean hackers who are using fake profiles on popular platforms to lure them into cloning malicious repositories.
The malware used in these attacks is designed to steal files and monitor user activities. The hackers are also using social engineering tactics to deceive developers. The objective of this hack campaign is to compromise technology creators in a supply chain attack. Here we look into how freelancers can avoid these scams in the first place and what to do if they suspect malware has already been installed.
How are the hackers luring contractors?
The hackers create fake profiles on popular platforms, such as GitHub and LinkedIn, and then contact freelance software developers with offers of work, often for projects similar to the developer’s existing work. The hackers then send the developer a link to a malicious repository that contains the project code. Cloning the repository does little on its own; the damage is done when the developer builds the project, installs its dependencies or runs it, at which point the attackers’ code executes and the malware is installed on their computer.
According to a Security Week report, “The cloned code connects to the attackers’ command-and-control (C&C) servers, which are hosted by ‘Stark Industries LLC’, to fetch heavily obfuscated Python scripts designed to deploy payloads tailored for each victim.”
The report names the components: the Main99 and Main5346 downloaders, which drop malware such as Payload99/73, Brow99/73 and MCLIP to steal files and monitor user activity.
The report also said that malware such as Payload99/73 can collect system data (device information, usernames and UUIDs), exfiltrate files, steal clipboard data, terminate browser processes and execute arbitrary code.
How to avoid a hack when cloning repositories?
Using Git doesn’t mean you can let your guard down. Stay on top of security risks, especially when cloning repositories from unknown sources. Here’s how to protect yourself:
Prioritise trusted sources
Whenever possible, clone repositories from official sources such as well-known project websites, an organisation’s GitHub page, or package managers. These sources are generally more reliable and less likely to contain malicious code. However, you can’t be too careful.
If you must clone from a less-known source, research the repository owner and look for community feedback. Be wary of anything that seems suspicious.
Inspect before executing
Before running any code, take the time to understand its purpose. Look for anything suspicious: obfuscated code (long encoded strings, base64 that is decoded and then passed to eval or exec, or a line padded with whitespace so that its tail sits off-screen in your editor), commands that read credentials, SSH keys, clipboard contents or browser profiles, and network calls to addresses the project has no reason to contact. Pay particular attention to anything that runs automatically, such as install scripts, build steps and editor tasks, because those execute before you have had a chance to read the rest.
Git hooks are scripts that run automatically at certain points in the Git workflow, for example before a commit or after a checkout, and a malicious hook can execute whatever the attacker likes. One caveat: the .git/hooks directory is not part of a repository’s content, so hooks are not transferred when you clone from GitHub or any other remote. They get onto your machine when a repository ships hook scripts in a tracked directory and its README or setup script tells you to enable them, typically with git config core.hooksPath. Read any such scripts before enabling them, and check .git/hooks and core.hooksPath in any repository you did not create yourself.
The same applies to .git/config: it is created locally and is not copied from the remote, but a setup script or README instructions can add aliases or include other configuration files, either of which can point at a script you have never read. Inspect these too; git config --list --show-origin lists every active setting and the file it comes from, which also catches anything hiding in your global or system Git configuration.
Embrace safe cloning practices
According to our research, git clone --no-local only makes a difference when you clone from a path on your own machine, for example a repository you received as a zip file. By default Git takes a shortcut for local paths and copies or hardlinks the source’s object files directly; --no-local makes Git use its normal transport instead, so it only receives the objects the source serves up rather than whatever is sitting in its .git directory. It adds nothing for clones over HTTPS or SSH, where hooks and config are never transferred anyway, and it does not protect you from the real risk: code that runs when you build, install dependencies or start the project.
Consider cloning the repository into a sandbox, such as a virtual machine or an isolated container, and do the dependency install, build and first run there as well, since that is the point at which any malicious code actually executes. This way, any potential malware won’t directly affect your main system or the credentials stored on it.
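The checks above (auto-running install and build scripts, hooks and hooksPath, config includes and aliases, obfuscated or padded lines) are tedious to repeat by hand on every clone, so here is a script that does the reading for you. It is an added example written for this article, not code from the original page or from the Security Week report; the file names, grep patterns and the 500-character line threshold are assumptions, and the two repositories it builds to demonstrate itself are constructed fixtures. It never executes anything from the repository, so it is safe to run on a clone before you install, build or open the project.

```shell
#!/bin/sh
# Added example, not code from the article or the report it cites: a read-only
# pre-flight audit for a freshly cloned directory. Run it BEFORE `npm install`,
# `make`, `pip install -e .` or opening the folder in an IDE. It reads files
# only and executes nothing from the repository. File names, patterns and the
# 500-character line threshold are assumptions, not a standard.

# Source files worth scanning; .git and node_modules are skipped.
find_src() {
    find "$1" \( -path "$1/.git" -o -name node_modules \) -prune -o -type f \
        \( -name '*.js' -o -name '*.ts' -o -name '*.py' -o -name '*.sh' \) -print
}

# audit_repo DIR: prints findings and sets AUDIT_FINDINGS to the number of
# distinct problem categories seen (0 means "nothing obvious", not "safe").
audit_repo() {
    repo="$1"
    AUDIT_FINDINGS=0

    # 1. Files that run code on install, build or folder-open.
    for f in package.json .vscode/tasks.json Makefile setup.py pyproject.toml build.gradle; do
        [ -f "$repo/$f" ] || continue
        case "$f" in
            package.json)
                # npm/yarn/pnpm execute these lifecycle scripts during install.
                if grep -Eq '"(pre|post)?install"|"prepare"' "$repo/$f"; then
                    echo "AUTO-RUN $f: lifecycle script(s) run on install:"
                    grep -En '"(pre|post)?install"|"prepare"' "$repo/$f"
                    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
                fi ;;
            .vscode/tasks.json)
                # A task with "runOn": "folderOpen" starts when VS Code opens the folder.
                if grep -q folderOpen "$repo/$f"; then
                    echo "AUTO-RUN $f: a task runs when the folder is opened"
                    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
                fi ;;
            *)  echo "NOTE $f: runs code when you build, read it first" ;;
        esac
    done

    # 2. Git-side surprises. Neither .git/hooks nor .git/config is transferred by
    #    a clone from a remote, so anything here was put there locally, usually
    #    by a setup step the repository told you to run.
    if [ -d "$repo/.git" ]; then
        for h in "$repo"/.git/hooks/*; do
            case "$h" in *.sample) continue ;; esac   # Git's own inert samples
            if [ -f "$h" ]; then
                echo "HOOK $h: active hook present, read it before it fires"
                AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
            fi
        done
        if grep -Eiq 'hooksPath|^\[include|^\[alias' "$repo/.git/config" 2>/dev/null; then
            echo "CONFIG .git/config: hooksPath, include or alias is set:"
            grep -Ein 'hooksPath|^\[include|^\[alias' "$repo/.git/config"
            AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
        fi
    fi

    # 3. Obfuscation markers: decode-then-execute chains, and very long lines
    #    (a payload padded with spaces so it sits off-screen in the editor).
    hits=$(find_src "$repo" | while IFS= read -r f; do
        grep -EHn 'b64decode|atob\(|fromCharCode|eval\(|exec\(|new Function\(' "$f" || true
    done)
    if [ -n "$hits" ]; then
        echo "OBFUSCATION: decode/exec markers:"; printf '%s\n' "$hits"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    long=$(find_src "$repo" | while IFS= read -r f; do
        awk 'length($0) > 500 { print FILENAME ":" FNR ": " length($0) " chars" }' "$f"
    done)
    if [ -n "$long" ]; then
        echo "LONG LINES (>500 chars), check what is at the far end:"; printf '%s\n' "$long"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    echo "findings: $AUDIT_FINDINGS"
}

# Constructed fixture, not a real repository: a booby-trapped clone after the
# developer has followed its "setup" instructions.
make_suspect_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/.git/hooks"
    printf '{ "name": "task-tracker", "scripts": { "postinstall": "node scripts/setup.js", "test": "jest" } }\n' > "$d/package.json"
    printf '[core]\n\thooksPath = .githooks\n' > "$d/.git/config"
    printf '#!/bin/sh\necho constructed hook\n' > "$d/.git/hooks/post-checkout"
    printf '#!/bin/sh\necho sample\n' > "$d/.git/hooks/pre-commit.sample"
    pad=$(awk 'BEGIN { for (i = 0; i < 600; i++) printf " " }')
    printf 'export function add(a, b) { return a + b; }\nconst cfg = {};%seval(atob("ZG9uZQ=="));\n' "$pad" > "$d/src/index.js"
    echo "$d"
}

# Constructed fixture: the same project with nothing unusual in it.
make_clean_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/.git/hooks"
    printf '{ "name": "task-tracker", "scripts": { "test": "jest" } }\n' > "$d/package.json"
    printf '[core]\n\trepositoryformatversion = 0\n' > "$d/.git/config"
    printf '#!/bin/sh\necho sample\n' > "$d/.git/hooks/pre-commit.sample"
    printf 'export function add(a, b) { return a + b; }\n' > "$d/src/index.js"
    echo "$d"
}

# Usage: sh audit.sh /path/to/fresh/clone   (runs the fixture demo if no path is given)
if [ -n "${1:-}" ]; then
    audit_repo "$1"
else
    demo=$(make_suspect_repo); audit_repo "$demo"; rm -rf "$demo"
fi
```

Treat a zero as “nothing obvious” rather than “clean”: the patterns are heuristics, minified JavaScript will trip the long-line check, and nothing here replaces reading the code. For the effective Git configuration, including your global and system files, git config --list --show-origin shows every setting and where it came from.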
Stay updated
Keep your Git software updated to the latest version; Git’s security patches regularly address vulnerabilities that a crafted repository could exploit. You will also want to ensure your operating system and security software are up to date to protect against known threats.
Use security tools
Static analysis tools can help you scan code for potential vulnerabilities and security risks. There are also malware scanners you can run regularly, especially after cloning repositories from unknown sources.
What to do if you suspect your code has been hacked
There are a number of things that freelance software developers can do to protect themselves from these attacks. Firstly, be wary of any offers of work that come from unknown sources. Secondly, always check the source of any code before downloading or cloning it. Thirdly, be aware of the signs of social engineering, such as unsolicited emails or phone calls from people claiming to be from a legitimate company.
If you suspect your code has been hacked, here’s a suggested breakdown of what to do. Many of these steps will seem obvious, but keep a record of what you did and when: if you report the incident to the authorities, or a client asks, you will need to show which of the steps above and below you took.
Isolate the system: Disconnect the affected system from the internet and any networks to prevent further damage or data theft. Disconnect rather than power off where you can, so that running processes and anything in memory are still available to examine.
Change passwords: Change all passwords associated with the compromised code, including your development accounts, Git repositories and online services, and revoke and reissue SSH keys, access tokens and API keys the machine had access to. Do this from a different, clean device: malware that monitors activity and steals clipboard data would simply capture the new credentials if you typed them on the compromised one.
Backup evidence: Create secure backups of the compromised code and any related logs or files. This will be crucial for analysis and potential legal action.
Identify the breach: Conduct a thorough investigation to determine the extent of the hack. Look for unusual activity, unauthorised access, or modifications in your code, commit history and server logs; in the commit history, that means commits, authors or force-pushes you don’t recognise, and in your Git hosting account, new SSH keys, deploy keys or access tokens you did not add.
Assess the damage: Evaluate the potential impact of the hack, as the ICO recommends: identify any stolen data, modified code, or compromised systems.
Remediate vulnerabilities: Patch any security holes or vulnerabilities in your code and systems that may have been exploited by the attacker.
Update security measures: Strengthen your overall security by enabling multi-factor authentication, updating security software, and reviewing access controls.
Notify client: If the hacked code involves client work, inform them of the incident promptly and transparently. Explain the situation, the potential impact, and the steps you’re taking to address it.
Report the incident to the authorities: Report the incident to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can also report it to the National Cyber Security Centre (NCSC). If personal data is compromised, report it to the Information Commissioner’s Office (ICO).
Ethical disclosure: If the vulnerability lies within a third-party software or platform, consider disclosing it responsibly to the vendor or developer. This allows them to patch the issue and protect other users.
Get legal advice: If the hack has legal implications, consult with a solicitor specialising in data breaches and cybersecurity.
Review your code: Carry out a code review to identify any remaining vulnerabilities and ensure the security of your codebase.
Freelance software developers must be on top of cybersecurity threats. Yes, it’s another layer of skill, but when you’re working solo, you need to understand the risks and how to take the steps to avoid a hack.
This article is for information purposes only and does not constitute legal or technical advice.