The Approach...enchanté
The moment I received a message from John (Jack) Hemm, I knew something wasn't quite right. He claimed to be CEO of a self-employed company, which, as far as I know, is impossible because a company is a separate legal entity. Unless, of course, this company somehow gained sentience, declared independence, started organising coffee shop meetings, and began networking on LinkedIn.
The profile picture also looked a little off, sort of like Colonel Sanders as a weird magician (or maybe the bad guy in some weird 80s kung fu movie), but AI-generated? Not to mention the fact that he claimed to be a public defender while simultaneously being the CEO of a self-employed company developing a chatbot app using OpenAI. To add to the confusion, his typing was so sloppy it made me wonder if he was illiterate or perhaps fiddling with a Paul Daniels magic set frantically whilst trying to scam me.
Can you see the look of concealed trickery, the pure deviousness?
Here's the first message:
Hi Michael,
I'm John and CEO of a Self-Employed company.
Currently, we are going to update our AI chatbot application UI.
I would like to with you as I have reviewed your profile and believe that you would be a good fit for this position.
The collaboration period is currently 3 months and we are willing to pay $80~100 per hour.
If you are looking for a new opportunity, let's discuss more.
Best regards,
John.
What would he like to do with me? I think he started with "scam" in mind, then shifted to "work", but then some moral glitch in his brain caused him to lose the word entirely. I was intrigued, so I decided to play along just to see if I could untangle this mystery.
The plot thickens
I replied to express my interest, and he offered me access to their repository to run the code and check the project's progress. He also sent me a Calendly link to book a call.
Investigating the code
At this point I was just interested to see if I could identify the malicious code, and what I ended up finding was quite intriguing.
It didn't take me long to go over some of the main files, in particular the entry points to the application, before I found this:
The start script was used with the pipe operator, which seems unusual. The pipe operator typically directs the output of one command to another, but this doesn't make sense here, as the test command generates output that isn't usable by the start script. This suggests that something specific is happening in the test script that they want to trigger during the start process. Additionally, the inclusion of --openssl-legacy-provider, which re-enables OpenSSL algorithms that Node 17 and later disable by default, could indicate an attempt to bypass stricter cryptographic policies, which might also be exploited to weaken security or introduce vulnerabilities. On its own that flag is weak evidence, since older webpack-based toolchains legitimately need it on newer Node releases; the pipe out of the test script is the real tell.
So on GitHub I took a look at the test file and saw this:
At first glance there's nothing happening here, just a render function which logs something to the console, but an absence of tests... so why is it so important to run this on start?
Hmmm, something doesn't seem quite right, so I clicked on "view raw code" and then I saw this:
loooooooooooooooool
Bingo, a bunch of obfuscated code. The file must contain some JavaScript which modifies what you see when viewing it in GitHub's UI.
I threw it into a Deobfuscator like so:
And then I saw the malicious code, which is an absolute headache to read, so I just chucked it into ChatGPT to decipher and this is what it found:
Key Observations:
- Obfuscation:
  - The code uses heavily obfuscated variable names and logic, making it difficult to read directly.
  - Functions like _0x40b9, _0x37be, and _0x3f8d69 are likely designed to decode or remap other parts of the script.
- Behavior:
  - The script collects sensitive data from the host machine, such as:
    - Browser data: It scans directories related to Chrome, Brave, and other browsers for profiles and login data.
    - System information: Reads hostnames, platforms, home directories, temporary directories, and system keychains.
  - Files are uploaded to a remote server at http://185.153.182.241:1224.
- Potential Malicious Intent:
  - The script accesses sensitive directories (~/AppData, ~/.config, ~/Library, etc.).
  - Attempts to read and send browser extensions and stored data to a remote endpoint.
  - Fetches and executes code from a remote server (/client/106/314 and /pdown).
- Indicators of Compromise:
  - Creates and executes files in directories such as /.pyp/, /.sysinfo, and .config/solana/id.json.
  - Continuously retries actions via loops and intervals (e.g., setInterval every 20 seconds and 300 seconds).
- Execution:
  - Spawns subprocesses via child_process.exec, such as extracting files or executing Python scripts.
This script is almost certainly malware designed to steal sensitive data and execute additional malicious payloads. It targets multiple platforms (Windows, Linux, and macOS) and browsers, exfiltrating data to a remote server.
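The two tells in this story, a package.json start script that pipes out of npm test with --openssl-legacy-provider, and a test file whose visible top is harmless while obfuscated code further down talks to a raw-IP endpoint and touches wallet and browser paths, can both be caught before anything is run. The Node script below is an added example written for this post; it is not the scammer's repository code, not the author's, and not the output of any deobfuscator or chatbot. It generalises the specific case: it flags any npm lifecycle script that chains into another one, plus several static indicators of the kind listed above. The package.json and test file it scans are constructed samples, and the address 198.51.100.7 is a documentation (TEST-NET) placeholder rather than the endpoint named in the post.

```javascript
// Added example for this post (not the repository's code and not the author's):
// a pre-run audit of a cloned Node project. Sample inputs are constructed;
// 198.51.100.7 is a TEST-NET placeholder, not the endpoint named in the post.

// Flags a plain front-end app rarely needs and that deserve a second look.
const SUSPICIOUS_FLAGS = ["--openssl-legacy-provider"];

// Fragments of paths the deobfuscated script was reported to touch.
const SENSITIVE_PATH_FRAGMENTS = ["AppData", ".config", "/Library/", "id.json", ".pyp", ".sysinfo", "Login Data"];

// Report npm scripts that chain into another npm script or carry suspicious flags.
function auditPackageScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    // "npm test | ..." or "... && npm run x": one lifecycle script is used to trigger another.
    const chains =
      /npm\s+(run\s+\S+|test)\s*(\||&&|;)/.test(cmd) || /(\||&&|;)\s*npm\s+(run\s+\S+|test)/.test(cmd);
    if (chains) findings.push({ script: name, reason: "chains another npm script", cmd });
    for (const flag of SUSPICIOUS_FLAGS) {
      if (cmd.includes(flag)) findings.push({ script: name, reason: `uses ${flag}`, cmd });
    }
  }
  return findings;
}

// Static indicators in a single JavaScript source file (scanned as text, never executed).
function scanSourceForIndicators(source) {
  const findings = [];
  const lines = source.split("\n");

  // Hex-style identifiers (_0x40b9 ...) are the signature of common JS obfuscators.
  const hexIdents = [...new Set(source.match(/\b_0x[0-9a-f]{2,}\b/gi) || [])];
  if (hexIdents.length >= 3) findings.push({ indicator: "hex-style identifiers", detail: hexIdents.slice(0, 3).join(", ") });

  // One enormous line hides code from a casual scroll through a web UI.
  const longest = lines.reduce((max, l) => Math.max(max, l.length), 0);
  if (longest > 500) findings.push({ indicator: "very long line", detail: `${longest} characters` });

  // URLs to a bare IP address (optionally with a port) instead of a hostname.
  const ipUrls = source.match(/https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/g) || [];
  if (ipUrls.length > 0) findings.push({ indicator: "raw IP endpoint", detail: ipUrls.join(", ") });

  // A UI test has no business spawning subprocesses.
  if (/child_process/.test(source)) findings.push({ indicator: "spawns subprocesses", detail: "child_process" });

  // References to browser profiles, keychains or wallet files.
  const paths = SENSITIVE_PATH_FRAGMENTS.filter((p) => source.includes(p));
  if (paths.length > 0) findings.push({ indicator: "sensitive paths", detail: paths.join(", ") });

  return findings;
}

// Combine both checks into a single go/no-go verdict for the whole checkout.
function auditProject(packageJsonText, sourcesByPath) {
  const findings = auditPackageScripts(packageJsonText).map((f) => ({ file: "package.json", ...f }));
  for (const [file, src] of Object.entries(sourcesByPath)) {
    for (const f of scanSourceForIndicators(src)) findings.push({ file, ...f });
  }
  return { verdict: findings.length > 0 ? "do not run" : "no indicators found", findings };
}

// Constructed sample: a start script piped out of npm test, as in the post.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "chatbot-ui",
  scripts: {
    start: "npm test | NODE_OPTIONS=--openssl-legacy-provider react-scripts start",
    test: "node src/test.js",
  },
});

// Constructed sample: a harmless-looking render function, then one very long line
// of obfuscator-style text. It is only ever scanned as a string, never executed.
const SAMPLE_TEST_FILE = [
  "function render() {",
  "  console.log('rendering test component');",
  "}",
  "render();",
  "var _0x40b9=function(_0x37be,_0x3f8d69){return _0x37be+_0x3f8d69};" +
    " ".repeat(600) +
    "var p=_0x40b9(require('os').homedir(),'/.config/solana/id.json');" +
    "require('child_process').exec('echo http://198.51.100.7:1224/pdown');",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditProject(SAMPLE_PACKAGE_JSON, { "src/test.js": SAMPLE_TEST_FILE }), null, 2));
}
```

Run it with node against a real checkout by reading package.json and the files under src/ instead of the constructed samples; any finding means open the file in a plain editor with line wrapping off, not in a web UI, before deciding whether to install or start it.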
The Risks
Here's the worst of what could happen if you run a script like this:
- Data Theft: Theft of sensitive files like browser credentials, cryptocurrency wallet data, and system configuration files.
- System Compromise: Remote execution of additional malicious payloads (e.g., ransomware, spyware, or backdoors), giving the attacker further control of your system.
- Financial Loss: Unauthorized access to cryptocurrency wallets or stored financial credentials could result in stolen funds.
- Identity Theft: Personal data exfiltrated from your system could be used for identity theft or sold on the dark web.
- System Instability and Malfunction: The malware's persistence mechanisms and modifications to files or system settings could cause instability, slowdowns, or crashes.
The Rude goodbye...and paranoid residue
After catching him red-handed I sent the following message on LinkedIn:
Hey John,
I ran the code you sent me. Immediately, my screen filled with what looked like hieroglyphs, and now my Wi-Fi network is named 'Capybara Uprising HQ.' Moments later, a gang of capybaras showed up at my door wearing little vests and hats, demanding I appoint one as my 'Chief Snacks Officer.' They've since taken over my living room and turned it into a tiny command station. How do I proceed with the next steps?
At which point I received a question mark; then his account seemed to self-terminate, he blocked me, and I reported them on both LinkedIn and GitHub.
I did some digging, and it turns out the lawyer is real. Either someone is impersonating him, they’ve set up this site to appear legitimate, or John—or Jack, or whatever his name is—is channelling some Better Call Saul-style downfall and dabbling in nefarious activities.
Shout out if you need a public defender.
https://www.dunganattorney.com/attorney/hemm-john-e-jack/
(unaffiliated link)
Anyway the moral of the story is...
If you say John Jack Hemm 20 times in the mirror in the dark, apparently he spawns behind you with a little Paul Daniels head growing out of his neck like some monster from the thing (he's jacked af too, so you can't escape) he tries doing some weird magic trick which fails and then plugs github into your brain and downloads every single repository.....Nah.
No, seriously, there are a lot of scammers out there, especially on LinkedIn, and I guess some of them will be a lot more sophisticated than this one, so be careful.