Dev targeted by sophisticated job scam: 'I let my guard down, and ran the freaking code'



Legit-looking website, camera-on interviews, jokes about backdoors ... it worked

EXCLUSIVE It all started with a LinkedIn message, as so many employment scams do these days.

A recruiter claiming to work for a blockchain firm called Genusix Labs invited Boris Vujičić, a web developer based in Serbia, to apply for a full-time, remote developer job with the company.

Vujičić is no stranger to recruitment scams.

He told us he receives messages like this daily, and his personal record is eight in one day.

Plus, he used to work for Step Finance before a breach and subsequent $40 million cryptocurrency heist shuttered the decentralized-finance biz earlier this year.

"Everybody I know who is in the crypto world and looking for a job is targeted using these hacks," Vujičić said in an interview with The Register.

He usually ignores these messages, or sometimes toys with the senders, to "waste their time and, as a challenge, to search for where their viruses are hidden."

But this one looked legit.

The company had a LinkedIn profile and a seemingly average website with headshots of the "Leadership Team" that matched the individuals who were messaging Vujičić and seeking to interview him.

The first interview with HR - an employee named Zam Villalon, listed and pictured on the company's website - was a camera-on Zoom call, and "didn't look like a cheap deepfake," Vujičić said.

"It felt natural, her face itself didn't seem fake, her English was amazing, nothing seemed off," he remembers.

Vujičić agreed to move on to the second round: a technical interview with two engineers, one of whom was listed and photographed on the company website, too.

Again, nothing felt off about the interview, and Vujičić said he enjoyed the conversation.

The three even joked about all the job scams targeting developers and crypto companies.

At the end of that interview, the engineers asked if they could send Vujičić a live-coding test, and he agreed.

"Before running I said I'd check for anything suspicious," he wrote in a series of X posts detailing his experience with the scammers.

"They smiled. 'Feel free to look for backdoors.'"

The scammers told him: "Examine the code, make sure it's not suspicious. You can run it in any cloud environment," Vujičić told us.

"They reassured me - and they did a good job - to get me to let my guard down, and just run the freaking code."

He ran the freaking code.

And a macOS popup appeared: "patch[.]sh wants to run as a background process."

Vujičić ended the interview, turned off his Wi-Fi, and started hunting for the malicious script, which he found in a temporary camera-driver folder on his computer, named camdriver[.]sh.

"The script is very sophisticated and beautiful - I like the code," he said.

"Whoever wrote the code is a very smart guy."

The attack, he said, "was hidden inside a dependency of a dependency," and once he ran the fake coding test, a shell script silently executed in the background with no indication that anything was amiss.

"It checks for your CPU architecture, and then, based on that, downloads the appropriate virus," he said, adding that the code sets itself to automatically restart every time the computer boots.

Then it downloads a backdoor written in Go that uses a custom RC4-encrypted protocol and includes commands for shell execution, file theft, Chrome password extraction, Keychain exfiltration, and crypto-wallet targeting.
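The "dependency of a dependency" detail is the part a developer can check before anything executes: npm runs a package's preinstall/install/postinstall/prepare scripts automatically, at any nesting depth. The following audit is an added example, not code from the article, from Vujičić, or from any project it names. It walks every package.json under a cloned project (including nested node_modules) and reports install-time hooks that hand off to a shell script or fetch code. The package names, paths and hook commands it builds are constructed sample data (the file name camdriver.sh is borrowed from the article; the rest is made up), and the SUSPICIOUS pattern is an assumption to tune for your own stack.

```python
"""Audit a cloned repository's dependency tree for install-time hooks.

Added example (not code from the article or anyone it describes): walks
every package.json under a project, including nested node_modules, and
flags preinstall/install/postinstall/prepare scripts that hand off to a
shell script or fetch code. All names and commands below are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command fragments suggesting a hook runs a shell script, fetches code from
# the network, or obscures what it runs. Assumption: tune this for your stack.
SUSPICIOUS = re.compile(
    r"(\.sh\b|\bsh\b|\bbash\b|\bcurl\b|\bwget\b|\bnohup\b|\beval\b|base64)"
)


def audit_tree(root):
    """Return sorted (package dir, hook, command) tuples for every package
    under root whose install-time hook matches SUSPICIOUS. Nesting depth is
    irrelevant: a hook three node_modules levels down is reported exactly
    like a direct dependency's."""
    root = Path(root)
    findings = []
    for manifest in root.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or malformed manifest: nothing to judge
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if isinstance(command, str) and SUSPICIOUS.search(command):
                rel = manifest.parent.relative_to(root).as_posix()
                findings.append((rel, hook, command))
    return sorted(findings)


def _write_manifest(path, obj):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(obj, indent=2), encoding="utf-8")


def build_sample_tree():
    """Constructed fixture: a 'coding test' project whose direct dependency
    is clean but whose transitive dependency carries a postinstall hook that
    launches a shell script (the article's 'dependency of a dependency').
    Every name here is made up for the demonstration."""
    base = Path(tempfile.mkdtemp(prefix="codingtest-"))
    _write_manifest(base / "package.json", {
        "name": "coding-test",
        "dependencies": {"ui-helpers": "1.0.0"},
    })
    # Direct dependency: a postinstall that only runs a local build step.
    _write_manifest(base / "node_modules" / "ui-helpers" / "package.json", {
        "name": "ui-helpers",
        "scripts": {"postinstall": "node scripts/build.js"},
        "dependencies": {"cam-utils": "0.1.0"},
    })
    # Transitive dependency: the hook hands off to a shell script.
    _write_manifest(
        base / "node_modules" / "ui-helpers" / "node_modules" / "cam-utils" / "package.json",
        {"name": "cam-utils", "scripts": {"postinstall": "sh ./camdriver.sh"}},
    )
    return base


if __name__ == "__main__":
    project = build_sample_tree()
    for package_dir, hook, command in audit_tree(project):
        print(f"{package_dir}: {hook} -> {command!r}")
```

Run it against a freshly cloned test repository before `npm install`, or after an install done with `--ignore-scripts`, since the hooks fire during installation. It only catches code that runs through lifecycle scripts; anything that executes when the application itself starts still needs the throwaway environment the scammers themselves suggested, and a review of what the flagged script actually does.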

Vujičić immediately stopped all of the malicious scripts running on his machine, and manually removed the malware, file by file.

He has since changed all of his passwords, and told us the digital thieves didn't steal any of his crypto.

Vujičić says his initial feeling after realizing he'd been scammed was shame.

"I was like, Why? Why was I so stupid? Why did I do this?"

He initially told the "engineers" that he didn't feel comfortable running the GitHub repo, and says they offered to come up with a different way for him to take the coding test, possibly using an online editor.

"They weren't pushing me to run it," Vujičić said, and that non-pushiness is what made him feel comfortable enough to trust the fraudsters and run the code.

Vujičić reported the fake company GitHub repository to both npm and GitHub, the Genusix profiles to LinkedIn, the domain to web hosting provider HostGator, and the IP address to AbuseRadar.

He also forwarded all the logs and artifacts to the incident responders at zeroShadow who previously investigated the Step Finance breach, and Vujičić told us the blockchain intelligence firm believes North Korean government-linked attackers were behind both the earlier company compromise and recruitment scam targeting Vujičić.

He said both used the same code and the same tactics.

"It's very scary," he said.

"Scams are becoming more and more sophisticated. How do you not fall for it?"

Vujičić can already see the progression.

"What if they do a regular interview, they don't push any kind of scam link that I need to click, we talk about money, they send me a contract, they say 'come work with us.'"

So Vujičić - or any developer - believes he's been hired on as a remote worker, then he's invited to join the company's Slack channels or Discord server.

"They can give me fake onboarding documents, give me fake tasks to work on, and push a virus in a day or two."

And then they steal his credentials, drain his crypto wallets, infect his registries, and compromise his CI/CD pipelines, as we've seen in recent developer-targeted attacks.

When it comes to scammers seeking to steal developers' secrets and compromise their environments, Vujičić worries "that's the next step that's gonna happen - if it's not happening already." ®

Source: This article was originally published by The Register
