A new malware campaign tracked as DEV#POPPER [1] [4] [5] and attributed to North Korea-linked actors is targeting software developers worldwide through fake job interviews [3], and has now expanded to Windows [5], Linux [1] [2] [3] [4] [5], and macOS systems [1] [2] [5].

Description

The threat actors behind DEV#POPPER have broadened their tactics to infiltrate widely used systems across several regions, indicating a shift in focus [4]. Developers are tricked into downloading malicious software under the guise of a job interview [1] [2], most recently by means of a trojanized Node.js project. The malware, known as BeaverTail [5], is delivered as a ZIP archive containing an npm module that executes obfuscated JavaScript to contact a remote server for data exfiltration [5]. Additional payloads include a Python backdoor called InvisibleFerret [2] [5], which can gather system metadata [5], access browser cookies [5], execute commands [5], and log keystrokes and clipboard content [5]. Recent samples feature enhanced obfuscation [5], the use of the AnyDesk remote monitoring software for persistence [1] [5], and improvements to the FTP mechanism used for exfiltration [1] [5]. The Python script also steals sensitive information from web browsers such as Google Chrome [1] [2] [5], Opera [1] [2] [5], and Brave across operating systems [1] [5], making the campaign a sophisticated multi-stage attack focused on exfiltrating sensitive data [5]. Victims in South Korea [2], North America [2] [5], Europe [2] [5], and the Middle East have been targeted [2], and the campaign continues to evolve with more robust capabilities [1].

Conclusion

The DEV#POPPER malware campaign poses a significant threat to software developers worldwide, with direct impact on data security and privacy. Mitigations such as keeping security software up to date and treating job interview invitations from unknown sources with caution are recommended. The evolving nature of the campaign highlights the need for continuous vigilance and proactive cybersecurity measures to protect against such sophisticated attacks in the future.

References

[1] https://cyber.vumetric.com/security-news/2024/07/31/north-korea-linked-malware-targets-developers-on-windows-linux-and-macos/
[2] https://indoguardonline.com/2024/07/31/malware-linked-to-north-korea-targets-windows-linux-and-macos-developers/
[3] https://www.csoonline.com/article/3479795/north-korean-cyberspies-trick-developers-into-installing-malware-with-fake-job-interviews.html
[4] https://www.krofeksecurity.com/north-korea-linked-malware-strikes-developers-across-windows-linux-and-macos/
[5] https://thehackernews.com/2024/07/north-korea-linked-malware-targets.html