Fake job interviews target developers with new Python backdoor

April 26, 2024 at 10:23AM

A campaign named “Dev Popper” is targeting developers with fake job interviews to trick them into downloading and running a Python remote access trojan (RAT), enabling the threat actors to gather system information and gain remote access. Analysts suspect North Korean involvement based on observed tactics. Similar tactics have been used by North Korean hackers in the past.

Key Takeaways:

1. The “Dev Popper” campaign targets software developers with fake job interviews to trick them into installing a Python remote access trojan (RAT) in an attempt to gather system information and enable remote access.

2. The attackers pose as employers offering software developer positions and ask the candidates to download and run what appears to be a standard coding task from a GitHub repository.

3. The coding task is actually a ZIP archive containing an NPM package with a hidden obfuscated JavaScript file (“imageDetails.js”) that executes ‘curl’ commands to download an additional archive (“p.zi”) from an external server, which includes an obfuscated Python script that functions as a RAT.

4. Once the RAT is active on the victim’s system, it collects and sends basic system information to the command and control (C2) server and supports persistent connections, file system commands, remote command execution, data exfiltration, and clipboard and keystroke logging.

5. The tactic of using job lures as bait to infect people with malware is a prevalent threat, exploiting the developer’s professional engagement and trust in the job application process.

6. The “fake job offer” tactic has been used by North Korean hackers in multiple operations and has targeted security researchers, media organizations, software developers (especially for DeFi platforms), and employees of aerospace companies, alongside spear-phishing attacks used to collect intelligence from various organizations.

7. Although Securonix analysts believe the “Dev Popper” campaign is likely orchestrated by North Korean threat actors, the connections are not strong enough for attribution.
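
As an added example (not code from the article or from Securonix), here is a pre-run triage pass over an unpacked coding task of the kind takeaway 3 describes: it flags JavaScript files that combine obfuscation markers with process-spawning or curl references. The patterns, threshold, `src/` layout and sample file contents are constructed assumptions; only the `imageDetails.js` name comes from the text above.

```python
import re
import tempfile
from pathlib import Path

# Heuristics and threshold are assumptions for this example, not indicators from the report.
LONG_LINE = 1000  # obfuscated or minified JavaScript tends to sit on one very long line
PATTERNS = {
    "child_process": re.compile(r"child_process"),
    "curl": re.compile(r"\bcurl\b"),
    "exec_call": re.compile(r"\b(?:exec|execSync|spawn|spawnSync)\s*\("),
    "hex_identifiers": re.compile(r"\b_0x[0-9a-fA-F]{3,}\b"),
}

def triage_js(text):
    """Return the sorted heuristic flags raised by one JavaScript source string."""
    flags = [name for name, rx in PATTERNS.items() if rx.search(text)]
    if any(len(line) > LONG_LINE for line in text.splitlines()):
        flags.append("long_line")
    return sorted(flags)

def scan_tree(root):
    """Map relative path -> flags for each .js file under root that raises a flag."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*.js")):
        if path.is_file():
            flags = triage_js(path.read_text(encoding="utf-8", errors="replace"))
            if flags:
                hits[path.relative_to(root).as_posix()] = flags
    return hits

def demo():
    """Scan a constructed two-file package: one plain module, one suspicious file."""
    benign = "module.exports = function add(a, b) {\n  return a + b;\n};\n"
    # Constructed sample, written to disk as text only and never executed.
    suspicious = ("var _0x3fa1=require('child_process');"
                  "_0x3fa1.exec('curl <placeholder-url>');" + "var _0x1b2c=0;" * 100)
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "src").mkdir()
        (pkg / "index.js").write_text(benign, encoding="utf-8")
        (pkg / "src" / "imageDetails.js").write_text(suspicious, encoding="utf-8")
        return scan_tree(pkg)

if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, flags)
```

Hits are leads for manual review before anything from the archive is installed or run; heavily obfuscated code may hide the `curl` string itself, which is why the structural flags are reported alongside it.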
