The Dangerous World of Job Interviews


DEV#POPPER is a social engineering campaign recently tracked by the Securonix Threat Research team. Social engineering is a topic we have covered many times; what it boils down to is that these attacks are geared towards tricking victims into compromising themselves. With that in mind, the primary targets of the DEV#POPPER campaign appear to be software developers who are looking for work.

Job interviews are an effective cover for social engineering attacks because people have an inherent trust in the process, and refusing to do things a certain way could be perceived as jeopardizing the job opportunity.

The initial stage of this attack involves the victim downloading an NPM package from GitHub. On the surface the package looks legitimate enough, apart from one suspicious JavaScript file, which can be seen in the image below.

[Image: the suspicious JavaScript file inside the NPM package] (Source: Securonix)

The scrollbar on this file indicates that more code exists further to the right, and scrolling does indeed reveal the obfuscated code seen in the second screenshot. If this code is executed, it downloads an additional archive payload and extracts a .npl file; the leading dot presumably indicates to the operating system that it is a hidden file.

[Image: the obfuscated code revealed by scrolling to the right] (Source: Securonix)
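As an added defensive check (not code from the Securonix write-up or from Red Sky Alliance), the following Python script inspects a downloaded package before anyone runs it: it flags JavaScript lines padded far to the right so their tail only appears when scrolling, long high-entropy tokens typical of obfuscation, and hidden dotfiles like the .npl file described above. The width and entropy thresholds and the sample snippet are assumptions constructed for illustration.

```python
"""Pre-install check for a take-home coding package. Added example, not code
from Securonix or Red Sky Alliance: flags JS lines that push code far to the
right of the editor, long high-entropy tokens, and hidden dotfiles."""
import math
import os
import re
import string
MAX_VISIBLE = 300                            # assumed editor width
PAD_RUN = re.compile(r"[ \t]{40,}\S")        # assumed: 40+ blanks, then more code
TOKEN = re.compile(r"[A-Za-z0-9+/=_]{60,}")  # long opaque base64/hex-like tokens

# Constructed sample: harmless first line, then a tail pushed 80 blanks right.
SAMPLE_JS = (
    "const express = require('express');\n"
    "app.listen(3000);" + " " * 80
    + "eval(atob('" + string.ascii_letters + string.digits + "'));\n"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or obfuscated blobs score well above 4."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_js_source(text: str) -> list[str]:
    """Return one finding per suspicious pattern in a JavaScript source string."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_VISIBLE:
            findings.append(f"line {no}: {len(line)} chars, wider than the editor")
        if PAD_RUN.search(line):
            findings.append(f"line {no}: code hidden after a long run of whitespace")
        for tok in TOKEN.findall(line):
            if shannon_entropy(tok) > 4.5:
                findings.append(f"line {no}: high-entropy token of {len(tok)} chars")
    return findings

def scan_package(root: str) -> dict[str, list[str]]:
    """Walk a package directory (skipping node_modules) and collect findings."""
    report: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "node_modules" in dirpath:
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            found = ["hidden dotfile shipped in package, review it"] if name.startswith(".") else []
            if name.endswith(".js"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found += scan_js_source(fh.read())
            if found:
                report[path] = found
    return report
```

Run `scan_package` on the unpacked repository directory before `npm install`; any finding is a reason to read the file in full rather than execute it.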

This downloaded file is a Python script that acts as a remote access trojan (RAT). Analysis has revealed that the script maintains a persistent connection for ongoing control, uses file system commands to search for and steal specific files, executes commands remotely, exfiltrates data over FTP from commonly used folders such as Downloads and Documents, and performs keylogging to monitor activity and possibly capture credentials.

Attacks using fake job interviews appear to be a popular tactic among North Korean threat groups. The state-sponsored Lazarus group is attributed with Operation Dream Job, a campaign that ClearSky analysts have tracked as far back as the beginning of 2020. This campaign involved multiple attack waves in which the group lured targets with fraudulent job offers in order to deliver varying types of malware, some of which were even built for Linux systems. Fake LinkedIn profiles were used, and communication with targets took place over email, direct phone calls, and WhatsApp. The job opportunities were typically presented as being from high-profile companies such as Boeing, McDonnell Douglas, or BAE Systems.

Another campaign, tracked as UNC2970, has been observed with multiple overlaps with Operation Dream Job since June 2022. Mandiant believes with high confidence that this group is also UNC577, which is likewise connected to North Korean operators and whose activity has been seen as early as 2013. This campaign also targeted users on LinkedIn with job opportunities. Like the other campaigns we have seen, phishing payloads were delivered through email or directly over WhatsApp. The two UNC campaigns appeared to share both code and tools.

In general, the payloads for these kinds of attacks can be delivered under a variety of circumstances. As we saw with DEV#POPPER, a payload can be contained in a software package that appears to be needed for a coding assessment. A payload can also be delivered as a stylized Word document masquerading as a job description, an example of which is shown below. Payloads have also been seen as ISO images that deploy backdoors onto systems.

[Image: Word document styled as a job description] (Source: Mandiant)

When thinking about preventing this sort of attack, it is important to remain security-aware, especially in a high-stress situation such as a job interview. It is also important to verify the identity of a potential employer by checking their contact information against official websites and social channels. It also helps to reach out through official channels rather than simply replying to recruitment emails.

If you must run code as part of a job interview, it is worth monitoring common malware staging directories for suspicious activity; with DEV#POPPER, the staging directories are located under the current user's AppData directory. Secondly, and preferably, a more isolated development environment such as a virtual machine or container can be used to test the code. These technologies help keep malicious software away from the machine's main operating system.

In summary, we gave a brief overview of DEV#POPPER, a social engineering campaign recently tracked by the Securonix Threat Research team. It targets software developers under the guise of a fake job interview and attempts to lure them into downloading a Python-based remote access trojan, which enables several malicious activities such as remote command execution, file exfiltration, and keylogging.

Next, we went over a couple of similar campaigns dating back to at least 2013 and highlighted that many fraudulent job interview attacks, potentially including DEV#POPPER, are perpetrated by North Korean threat actors. These campaigns share a number of similarities, such as where they find their targets and what their goals are. Their malicious payloads can take a variety of forms, including fake job descriptions and fake assessment tests.

Lastly, we covered a few tips on prevention. It is always useful to remain security-minded, but it is worth verifying the identity of potential employers through official channels or by consulting colleagues. Then, if running code is necessary for a job interview, a safe environment such as a virtual machine or container is a good approach.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941
