North Koreans Target Devs Worldwide With Spyware, Job Offers

Published: 23/11/2024   Category: security




DEV#POPPER is back, looking to deliver a comprehensive, updated infostealer to coding job seekers by way of a savvy social engineering gambit.



The North Korea-based DEV#POPPER campaign is back, with an updated malware and social engineering arsenal that it's using to target software developers worldwide for data theft.
That's according to research from the Securonix Threat Research team, which found in an analysis today that the known threat group is casting a wider net than ever before, having added Linux and macOS variants to its malware toolbox in addition to its existing Windows binary.
The campaign, which previously focused primarily on South Korea, has spread out globally and is also active in Europe, the Middle East, and North America.
It's unclear how specifically targeted the campaign is, but there are overlaps with other efforts by North Korean actors to use fake recruiting in state-sponsored attacks.
"I would imagine that the ultimate goal for the attackers is conducting a successful operation against an individual on a corporate or company-owned endpoint," says Tim Peck, senior threat researcher at Securonix. "Based on the malware used, its primary purpose is theft. Typically, with financially motivated attacks, we see either ransomware or cryptominers being used."
To lure in their victims, DEV#POPPER threat actors pose as interviewers looking to hire software developers for nonexistent positions. When someone applies, they send the target a .ZIP file that purports to be an npm package to be used for testing the applicant's coding skills.
"The use of practical-style interviews makes for an easy medium for the attackers to run malicious code on the interviewee's system," Peck notes. "Given the practical nature of developer interviews, it would not be uncommon to be asked to compile or execute code, as opposed to most other types of interviews. In such a use case, it would generally not raise suspicions for the interviewee."
"When the interviewee extracts and executes the contents of the package, a well-hidden line of JavaScript code executes, which kicks off the infection chain," the researchers explained in their analysis of the campaign. "The .ZIP file contains dozens of legitimate files, making identifying potential foul play difficult to spot if it's missed by any installed antivirus."
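As an added defender-side illustration (not code from Securonix or from the article): a small triage scanner for an extracted "coding test" package that flags npm lifecycle hooks and source lines that look packed or escaped, which is how one hidden obfuscated line among dozens of legitimate files can be surfaced before anything is installed or run. The rules, thresholds and the sample package are assumptions constructed for this example.

```python
"""Offline triage of an extracted 'coding test' npm package before any of it is run."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run by npm install
MAX_LINE_CHARS = 500                                    # packed loaders tend to be one huge line
HEX_ESCAPES = re.compile(r"(\\x[0-9a-fA-F]{2}){6,}")    # dense \xNN string escaping
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")  # long encoded literal
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|child_process")


def scan_js(path: str, text: str) -> list:
    """One finding per suspicious line of a JavaScript source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        where = f"{path}:{lineno}"
        if len(line) > MAX_LINE_CHARS:
            findings.append(f"{where}: {len(line)}-char line (packed or minified loader?)")
        if HEX_ESCAPES.search(line):
            findings.append(f"{where}: dense \\xNN-escaped string (obfuscated literal)")
        if BASE64_BLOB.search(line):
            findings.append(f"{where}: long base64-like literal (embedded payload?)")
        if DYNAMIC_EXEC.search(line):
            findings.append(f"{where}: dynamic code execution or child process use")
    return findings


def scan_package(files: dict) -> list:
    """files maps relative path -> text. Flags install hooks first, then scans each JS file."""
    findings = []
    if "package.json" in files:
        scripts = json.loads(files["package.json"]).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(f"package.json: '{hook}' hook runs '{scripts[hook]}' on npm install")
    for path, text in sorted(files.items()):
        if path.endswith((".js", ".cjs", ".mjs")):
            findings.extend(scan_js(path, text))
    return findings


# Constructed sample: legitimate-looking files plus one padded stand-in for a hidden loader line.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "coding-test",
                                "scripts": {"test": "jest", "postinstall": "node lib/helper.js"}}),
    "index.js": "module.exports = require('./lib/api');\n",
    "lib/api.js": "exports.add = (a, b) => a + b;\n",
    "lib/helper.js": "const fs = require('fs');\nvar _s = \"" + "\\x41" * 150 + "\";\n",
}
```

For a real package, build the dict by walking the extracted directory (skipping node_modules) and reading each file as text; the scan never executes anything it reads.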
Antivirus, by the way, may indeed miss it: the malicious file, which is obfuscated in multiple ways, has just a 3/64 vendor detection rate on VirusTotal as of the Securonix blog post being published today.
The level of savvy scamming is notable: "In this particular attack, the lengths that the threat actors go through to pull off their social engineering scheme is quite bold," says Peck. "If you think about it, the amount of work needed to host fake job interviews goes way beyond traditional compromise actions such as blasting out phishing emails, for example."
The malware is now not only multiplatform but also more sophisticated than its predecessor, according to Securonix.
After deobfuscating the script, the researchers were able to identify the campaign's command-and-control (C2) address, as well as a number of malicious functions. The latter include a fresh main function, dubbed M, which orchestrates data extraction and code execution on different operating systems.
"It begins by identifying the platform, constructs paths and variables, and then calls appropriate extraction functions based on the detected OS," according to the analysis.
Other functions are in charge of sending the stolen data to the C2, collecting system and geolocation information, and assigning unique identifiers to each infected host (which allows the server to track which data came from which machine). Another function downloads next-stage payloads, while another new addition performs directory traversal, which includes filters to exclude certain files and directories from extraction (in order to appear more legitimate).
Securonix researchers noted that after the script was executed on a compromised host, the attackers then fetched a series of additional payloads culminating in an updated version of a Python script that DEV#POPPER has used before. This performs the actual theft of various sensitive files, plus keylogging and surveillance; one new capability is the ability to steal browser cookies, credit-card information entered into websites, and data for any installed browser extensions.
"The risk of running this kind of information-stealer malware on a business endpoint could be catastrophic," Peck says. "Considering the information stolen, the threat actors would almost immediately have access to all of the user's active browser sessions, cookies, and passwords. Additionally, they would have remote access to the endpoint, allowing them to embed themselves deeper or attempt to move laterally into other systems that the user might have access to."
While it's difficult for businesses to protect against this type of attack, given that they might not be aware that an employee is job-hunting, awareness training is always an option on the defensive side.
"First, if you're employed and actively interviewing, never conduct the interview on a company-owned appliance," Peck warns. "Second, though job interviews are oftentimes stressful situations, maintain a security-focused mindset. Social engineering attacks can be difficult to spot; however, if the request seems odd or out of the norm, don't be afraid to back out of a request for fear of rejection or making a situation awkward."
