Attackers behind a campaign that targets developers from around the world using fake job interviews have expanded their toolset with an information-stealing script that supports Linux and macOS in addition to Windows. As part of the practical portion of the fake interview, developers are tricked into downloading and deploying a trojanized Node.js project on their machines, which kicks off the infection chain.
The attack campaign, dubbed DEV#POPPER, was originally reported in April by researchers from security firm Securonix who attributed it to a North Korean threat actor. Despite having their malware and techniques outed, the attackers have continued their campaign and have expanded their victim pool by adding new malware samples and support for more operating systems.
Software developers are valuable targets for state actors
Software developers have long been valuable targets for attackers, especially state-sponsored groups, because their machines often store sensitive information, source code, access tokens, and other credentials used to access development systems and infrastructure. In addition to enabling typical espionage activities, developer credentials can be useful in planning and executing software supply chain attacks, which North Korean state-affiliated threat groups are known to engage in.
In November, the Lazarus group, North Korea’s primary cyberespionage and sabotage arm, compromised a Taiwanese multimedia software company called CyberLink and trojanized the installer for one of its commercial applications. In February, Japan’s CERT reported that Lazarus uploaded malicious Python packages to PyPI, the official Python package repository.
One of the dangers of campaigns like DEV#POPPER is that some victims who fall for the fake job interview lure are current employees looking for better opportunities. As such, they likely have credentials and information about projects as part of their current jobs, highlighting the importance of treating developer machines as critical assets with strict access control and monitoring.
“Based on the gathered telemetry, no specific trend in victimology was identified,” the Securonix researchers wrote in their new report. “However, analysis of the collected samples revealed victims are primarily scattered across South Korea, North America, Europe, and the Middle East, indicating that the impact of the attack is widespread.”
North Korean attackers not only target developers with fake job interviews to infiltrate companies, but actually pose as developers in order to get hired. Security training firm KnowBe4 recently reported that a suspected North Korean actor used a fake identity to pass background checks and get hired at the company and then attempted to deploy malware on the work laptop sent to him as part of the hiring process.
Malicious JavaScript hidden in test project
According to Securonix, during the fake interview process candidates are asked to download code projects from what appear to be reputable sources such as GitHub and then deploy them on their machines. These projects include dozens of legitimate files, but one of them has a highly obfuscated JavaScript function that starts an infection chain.
In the latest iteration of the attack, candidates were asked to download a file called onlinestoreforhirog.zip, which, as its name suggests, is presented as the source code for an online store project. Since this is a Node.js project, developers are asked to unpack it and then run “npm install” and “npm start” to deploy it, which executes the hidden JavaScript.
The malicious code uses several obfuscation techniques, including Base64 encoding, dynamic function and variable names, concatenation and split strings, and prototyping obfuscation. Only 3 out of 64 antimalware engines on VirusTotal detected this file as suspicious at the time of discovery.
Once executed, the malicious script detects the operating system (Windows, Linux, or macOS) and then continues its execution flow based on the platform. The script collects information about the system as well as files and logs and uploads them to the command-and-control (C&C) server along with generated identifiers to uniquely identify the machine.
The script then executes a function that downloads a file from the C&C server called pdown, which is actually an archive saved locally as p2.zip. This archive contains the next stage of the attack, a Python script called .npl, which in turn decrypts another Python script called pay.
RAT updated with new functionality
The pay script acts as a remote access tool (RAT) that collects detailed system and network information, as well as geographical location based on IP address. It allows attackers to collect information from the system and upload it to a remote server via FTP. It also logs keystrokes and information copied to the clipboard and allows the execution of commands and additional payloads.
Compared to the variant seen in April, the new RAT version observed in the latest campaigns can also deploy AnyDesk remote monitoring and management (RMM) software, which gives attackers remote desktop access to the victim’s system.
One additional payload seen by researchers is a Python script called browser_cookie3, which extracts saved information such as passwords and session cookies from browsers. The script can detect different OS versions and adapt accordingly, since browsers will have different application data directories and user profile locations across operating systems.
“This sophisticated extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on exfiltrating sensitive information from victims, though now with much more robust capabilities,” the researchers wrote. “It appears that the threat actors behind the malware continue targeting software engineers through social engineering tactics, such as fake job interviews to gain initial access to their machines.”
The Securonix report includes MITRE ATT&CK TTPs and IoCs such as file hashes and C2 IP addresses that security teams can use to build detections and perform threat hunting.