Monday, March 11, 2024

Hacking Software Developers

I recently heard about an interesting hack that was targeting software developers, especially those on Linux. It basically tricks developers into installing malware on their computer by way of a fake job interview and downloading code from a public code repository.

During an initial call, the fake company asks you to complete a software development exercise by downloading a project from GitHub. The project contains a ZIP file holding a seemingly benign, non-executable-looking file named something like “readme․pdf”, except that the dot in the filename isn’t an ordinary period (U+002E) but a look-alike character such as U+2024 (ONE DOT LEADER). In other words, the OS doesn’t see a file extension at all (no “.pdf” in this example).

When the developer double clicks on the file, it executes. Typically, on Linux, a user must manually chmod a downloaded file to set the executable flag (e.g. chmod +x readme․pdf). However, since this file was packaged inside a ZIP archive, the executable bit stored in the entry’s metadata can be preserved on extraction. A password is sometimes also added to the ZIP so that even capable antivirus software can’t scan its contents.

This is a homograph attack using Unicode deception. Two warning signs for this attack are a ZIP archive that wraps only small files and a password on the ZIP.
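The three tells described above (a dot look-alike in the filename, an execute bit carried in the ZIP entry metadata, and a password-protected entry) can be checked before anything is extracted. The following inspector is an added example, not code from the original post; the set of look-alike characters is an assumption, and the sample archive it builds is constructed in memory for demonstration.

```python
import io
import stat
import unicodedata
import zipfile
from os.path import splitext

# Assumption: a small curated set of characters that render like "." but are not U+002E.
DOT_LOOKALIKES = {"\u2024", "\u00b7", "\u2027", "\uff0e", "\u3002"}

def inspect_zip(data: bytes) -> list:
    """Return a list of {'name', 'issues'} for archive entries that look suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, issues = info.filename, []
            # Homograph check: a dot look-alike means the OS sees no real extension.
            for ch in set(name):
                if ch in DOT_LOOKALIKES:
                    issues.append(f"dot look-alike U+{ord(ch):04X} "
                                  f"({unicodedata.name(ch, '?')}); real extension is "
                                  f"{splitext(name)[1] or '<none>'}")
            # Unix mode is kept in the high 16 bits of external_attr for Unix-created entries,
            # so +x set by the packager survives extraction with tools that honour it.
            if info.create_system == 3:
                mode = info.external_attr >> 16
                if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    issues.append(f"unix mode {oct(mode & 0o777)} carries an execute bit")
            # General-purpose flag bit 0 marks an encrypted (password-protected) entry,
            # which keeps AV from inspecting the content.
            if info.flag_bits & 0x1:
                issues.append("entry is password-protected")
            if issues:
                findings.append({"name": name, "issues": issues})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive: one look-alike executable entry, one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        bad = zipfile.ZipInfo("readme\u2024pdf")      # U+2024 ONE DOT LEADER, not "."
        bad.create_system = 3                           # 3 = Unix
        bad.external_attr = 0o100755 << 16              # regular file, mode 0755
        zf.writestr(bad, b"#!/bin/sh\necho constructed sample\n")
        good = zipfile.ZipInfo("notes.pdf")
        good.create_system = 3
        good.external_attr = 0o100644 << 16             # mode 0644, no execute bit
        zf.writestr(good, b"%PDF-1.4 constructed placeholder\n")
    return buf.getvalue()
```

Running `inspect_zip(build_sample_zip())` flags only the look-alike entry, reporting both the U+2024 character (with no real extension) and the 0755 mode; a password-protected entry would additionally be reported via the encryption flag.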

Here are the details on the hack