The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.
The activity cluster, dubbed DEV#POPPER and linked to North Korea, has claimed victims in South Korea, North America, Europe and the Middle East.
"This form of attack is a sophisticated form of social engineering, designed to trick individuals into revealing confidential information or performing actions they would not normally do," Securonix researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News.
DEV#POPPER is the moniker assigned to an active malware campaign that lures software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. It overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.
Signs that the campaign was broader and cross-platform in scope emerged earlier this month, when researchers uncovered samples targeting both Windows and macOS that delivered an updated version of the malware called BeaverTail.
The attack chain documented by Securonix is more or less consistent: threat actors pose as interviewers for developer positions and ask candidates to download a ZIP archive for a coding assignment.
Inside the archive is an npm module that, once installed, launches an obfuscated JavaScript file (i.e., BeaverTail) which determines the operating system it is running on and connects to a remote server to exfiltrate data of interest.
It is also capable of downloading next-stage payloads, including a Python backdoor called InvisibleFerret, which is designed to collect detailed system metadata, access cookies stored in web browsers, execute commands, upload and download files, and log keystrokes and clipboard content.
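The infection described above hinges on an npm package whose install-time lifecycle hook runs an obfuscated script before the developer ever opens the "assignment". A simple pre-install triage can surface that: the following script, added here as an example and not code from Securonix or the campaign itself, parses a package.json (constructed sample inputs are embedded), flags any script that npm runs automatically during install, and applies a cheap obfuscation heuristic to JavaScript found in the archive. The thresholds and patterns are assumptions chosen for illustration, not a published detection signature.

```python
import json
import re

# Lifecycle hooks that npm executes automatically on `npm install`
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare")

# Heuristic patterns worth a second look inside an install hook (assumed list)
SUSPICIOUS_PATTERNS = [
    (r"\bnode\s+-e\b", "inline node -e execution"),
    (r"\bcurl\b|\bwget\b", "network download in install hook"),
    (r"\bbase64\b", "base64 decode"),
    (r"eval\(", "eval call"),
    (r"https?://", "hard-coded URL"),
]


def audit_package_json(text):
    """Return a list of findings for a package.json document given as a string.

    Any script bound to an auto-run hook is reported, then each such script is
    matched against SUSPICIOUS_PATTERNS for additional findings.
    """
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"unparseable package.json: {exc}"]
    findings = []
    scripts = pkg.get("scripts") or {}
    for hook in AUTO_RUN_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{hook}: runs automatically on install: {cmd!r}")
        for pattern, label in SUSPICIOUS_PATTERNS:
            if re.search(pattern, cmd):
                findings.append(f"{hook}: {label}")
    return findings


def looks_obfuscated(js_source, max_line=500, hex_ratio=0.02):
    """Cheap heuristic for minifier/obfuscator output (assumed thresholds):
    a single very long line, or a high density of \\xNN escapes and _0x-style
    identifiers relative to total length."""
    longest = max((len(line) for line in js_source.splitlines()), default=0)
    hex_escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}", js_source))
    hex_idents = len(re.findall(r"_0x[0-9a-fA-F]{4,}", js_source))
    density = (hex_escapes + hex_idents) / max(len(js_source), 1)
    return longest > max_line or density > hex_ratio


# Constructed sample inputs (not taken from any real package)
BENIGN_PKG = json.dumps({
    "name": "demo-assignment", "version": "1.0.0",
    "scripts": {"test": "node test.js"},
})
SUSPECT_PKG = json.dumps({
    "name": "demo-assignment", "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"eval(Buffer.from('...', 'base64').toString())\"",
        "test": "echo ok",
    },
})
CLEAN_JS = "function add(a, b) { return a + b; }"
OBFUSCATED_JS = r"var _0x4a3b=['\x68\x65\x6c\x6c\x6f'];"

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_PKG), ("suspect", SUSPECT_PKG)):
        print(label, audit_package_json(pkg) or ["no install-time hooks"])
    print("clean js obfuscated?", looks_obfuscated(CLEAN_JS))
    print("sample js obfuscated?", looks_obfuscated(OBFUSCATED_JS))
```

Run it against the package.json and any bundled .js files before running `npm install` on an unsolicited archive; a non-empty finding list is the cue to install with `--ignore-scripts` in a disposable VM and read the hook by hand rather than let it execute.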
New features added to recent iterations include improved obfuscation, use of AnyDesk Remote Monitoring and Management (RMM) software for persistence, and improvements to the FTP mechanism used for data exfiltration.
Additionally, the Python script acts as a conduit to run a sub-script that is responsible for stealing sensitive information from different web browsers – Google Chrome, Opera, and Brave – across operating systems.
"This latest extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on extracting sensitive information from victims, though now with much more robust capabilities," the researchers said.
The findings come as Recorded Future revealed that North Koreans continue to use foreign technology – such as Apple, Samsung, Huawei, and Xiaomi devices – as well as various social media platforms like Facebook, X, Instagram, WeChat, Line, and QQ to access the Internet despite heavy restrictions.
Another significant change in internet user behavior relates to the use of virtual private networks (VPNs) and proxies to circumvent censorship and surveillance, as well as the use of McAfee's anti-virus software, indicating that the country is not as isolated as it is made out to be.
"Despite sanctions, North Korea continues to import foreign technology, often through its trade ties with China and Russia," the company said. "This indicates a shift toward greater operational security awareness among users who seek to avoid detection by the government."