
So they sent .exe files to the victim, under the pretext that the victim was supposed to duplicate their functionality in C++? Receiving an .exe file from someone should be a dead giveaway that this is an attack, or at least, that the person sending it to you is incredibly technically incompetent. But then again, I lived through the Windows 95 era. I suppose some lessons have to be re-learned with every new generation.



You only need to succeed once against a company full of people if your job offer is enticing enough. We don't know how many people said "never mind" when asked to do weird tests.

The stupid thing is that it's remarkably easy to sandbox an application these days. Sandboxie is free, though not guaranteed to work (but it may very well have done, or at least would have made the strange behaviour obvious) and Windows Pro has had a right-click menu option to run an executable in a sandbox for a while.

When I read the title, I initially thought it was about infection through IDE ("do you trust the authors of this project" is there for a very good reason and in the case of VS Code attackers can get code execution before the prompt through Git config trickery).

I'd be wary of executing a program, but I bet I would click the "sure enable code execution" button if a recruiter sent me a coding challenge in the form of an incomplete project with a Git repo. Especially if they could set up a remote interview process where they want to go through code live "to see how I approach problems".

Right now the attack is super basic, but it's not hard to make the initial infection harder to detect in time.


At first I thought this was more clever than it was. Talking people into running downloaded or attached exe files is simple and apparently still effective.

But what would be even more wicked, and effective, would be pointing them to a GitHub repo with the “challenge” project to complete, and referencing a compromised package that does their bidding as the victim tests their solution.


Yeah I was thinking about that. Even asking me to use a specific package for any reason, I probably wouldn't think much of that before today. However now I'd certainly question it.


Knowing what they were trying to do actually makes me wish I were the one they were trying to trick. I know these aren't regular lame script kiddies, but I wonder how they'd react to an attempted counter-offensive.

Give me an .exe and ask me to run it, and I'll open it in a hex editor for inspection instead. If what you claim is a "hello world" or Fibonacci generator is much bigger than I'd expect (a few KBs) and contains encrypted-looking data or other attempts at obfuscation, I'm not running it.
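
Added example, not part of the thread: a static triage of the kind the comment above describes (file size plus encrypted-looking data), written in Python. The size limit, window size, entropy threshold and both sample blobs are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes, expected_max_size: int = 64 * 1024,
           window: int = 4096, threshold: float = 7.2) -> dict:
    """Static check only; the file is never executed. Limits are assumed values."""
    # Only full windows are scored: short tails give unstable entropy estimates.
    full = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    hot = sum(1 for w in full if shannon_entropy(w) >= threshold)
    oversized = len(data) > expected_max_size
    return {
        "size": len(data),
        "oversized": oversized,
        "high_entropy_windows": hot,
        "total_windows": len(full),
        # Flag only when both signals from the comment are present.
        "suspicious": oversized and hot > 0,
    }

def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for an encrypted payload (SHA-256 over a counter)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples: a small repetitive stub, and the same stub carrying
# 512 KiB of random-looking bytes, standing in for a bloated "hello world".
PLAIN_STUB = (b"\x55\x48\x89\xe5\x48\x83\xec\x10" * 256 + b"Hello, world!\n\x00").ljust(8192, b"\x00")
SMALL_SAMPLE = PLAIN_STUB
LARGE_SAMPLE = PLAIN_STUB + _pseudo_random(512 * 1024)

if __name__ == "__main__":
    for name, blob in (("small", SMALL_SAMPLE), ("large", LARGE_SAMPLE)):
        print(name, triage(blob))
```

High entropy is only a triage signal: legitimately packed or compressed binaries score high as well, and a small low-entropy file can still be malicious.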


Or at least run it in a VM


I’ve suggested binary distribution as part of a black box exercise in the past. Locking down the source and being able to change details for each candidate would mean solutions posted online would not help.


Because cameras don't exist, right?

Unless you're crafting some revolutionary problem for each candidate, changing details won't matter much.


Any particular reason you’re being so combative about this?

I’m talking about a take-home code challenge. It’s unreasonable to have someone record a video that could last an hour or more. And I’m not gonna sit and watch that.


I doubt it was .exe, probably .msi (installer) or zip file.



