Malicious Software from North Korea Targets Programmers on Windows, Linux, and macOS
An ongoing malware campaign aimed at software developers has revealed new malware and strategies, broadening its scope to encompass Windows, Linux, and macOS platforms.
The campaign, tracked as DEV#POPPER and attributed to North Korea, has been observed targeting victims in South Korea, North America, Europe, and the Middle East.
“This method of attack represents a sophisticated type of social manipulation, crafted to coerce individuals into revealing sensitive data or carrying out actions they wouldn’t typically do,” shared Securonix researchers Den Iuzvyk and Tim Peck in a recent report, as reported by The Hacker News.

DEV#POPPER is the name given to an active malware campaign that deceives software developers into downloading risky software from GitHub, masquerading as part of a job interview process. This campaign shares similarities with another one identified by Palo Alto Networks Unit 42 known as Contagious Interview.
Indications of the campaign’s wide reach and cross-platform capabilities surfaced earlier this month when researchers discovered elements targeting both Windows and macOS, deploying an updated version of malware named BeaverTail.
The attack chain detailed by Securonix remains largely consistent: the attackers impersonate interviewers for a developer role and urge applicants to download a ZIP file containing a coding assignment.
Within this archive is an npm module that, upon installation, executes concealed JavaScript code (BeaverTail), which checks the operating system in use and connects to a remote server to exfiltrate specific data.
It also has the ability to fetch subsequent malicious payloads, such as a Python backdoor named InvisibleFerret, intended for collecting system information, accessing web browser cookies, executing commands, transferring files, and logging keystrokes and clipboard data.
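As a defensive illustration of the delivery step described above, the following added script (not from the Securonix report or from the campaign's own code) audits a downloaded npm package's manifest for install-time lifecycle hooks and its entry file for loader-style indicators; the function names, risk patterns, and sample package data are all constructed for this example.

```javascript
// Added example: pre-install audit for an npm "coding assignment" package.
// Flags lifecycle hooks that run automatically on `npm install` and common
// loader indicators (OS check, decode of a hidden stage, eval). Constructed data.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Indicators often present in small loaders that hide their real payload; tune locally.
const RISK_PATTERNS = [
  [/\beval\s*\(/, 'eval()'],
  [/new\s+Function\s*\(/, 'Function constructor'],
  [/require\(\s*['"]child_process['"]\s*\)/, 'child_process'],
  [/Buffer\.from\([^)]*['"]base64['"]/, 'base64 decode'],
  [/(\\x[0-9a-f]{2}){8,}/i, 'long hex-escaped string'],
  [/\bos\.(platform|type)\s*\(/, 'OS fingerprinting'],
];

// Returns the lifecycle hooks a manifest would run automatically on install.
function lifecycleHooks(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS.filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Returns the labels of risk patterns found in a JavaScript source string.
function riskIndicators(source) {
  return RISK_PATTERNS.filter(([re]) => re.test(source)).map(([, label]) => label);
}

// Combines both checks: a hook that fires on install plus loader indicators
// in the hooked file is the combination worth blocking before review.
function auditPackage(manifestJson, entrySource) {
  const hooks = lifecycleHooks(manifestJson);
  const indicators = riskIndicators(entrySource);
  return { hooks, indicators, block: hooks.length > 0 && indicators.length > 0 };
}

// Constructed sample: manifest with a postinstall hook, and an entry file that
// fingerprints the OS and decodes a second stage (here just the word "hello").
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'interview-task', version: '1.0.0',
  scripts: { postinstall: 'node lib/setup.js', test: 'jest' },
});
const SAMPLE_ENTRY = [
  "const os = require('os'); const cp = require('child_process');",
  "const stage2 = Buffer.from('aGVsbG8=', 'base64').toString();",
  "if (os.platform() === 'darwin') { eval(stage2); }",
].join('\n');

console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_ENTRY), null, 2));
```

Installing untrusted assignment packages with `npm install --ignore-scripts` keeps such hooks from firing while the code is reviewed.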
New additions to the recent instances involve heightened code obfuscation, the integration of AnyDesk remote monitoring and management (RMM) software to ensure persistence, and enhancements to the FTP mechanism utilized for data theft.
Moreover, the Python script serves as an intermediary for running an auxiliary script responsible for siphoning sensitive data from various web browsers – Google Chrome, Opera, and Brave – running on different operating systems.
“This sophisticated extension to the original DEV#POPPER campaign continues to harness Python scripts for executing a multi-step attack aimed at extracting confidential data from victims, albeit with significantly enhanced functionalities,” noted the researchers.