April 29, 2024
Severity
High
Analysis Summary
Software developers are the target of a persistent social engineering campaign that poses as a job interview and uses fake npm packages to lure them into downloading a Python backdoor. A cybersecurity company is tracking the activity under the moniker DEV#POPPER and attributes it to North Korean threat actors.
“In the case of the DEV#POPPER attack campaign we’ve been observing, an interesting form of social engineering was noted which involves the targeting of specific professional groups such as software developers,” the cybersecurity analysts said.
As part of these bogus interviews, the developers are asked to download and run software from sites that appear legitimate, such as GitHub. Once the malicious Node.js payload in the app executes, the developer's system is compromised. Researchers first revealed details of the campaign in late November 2023. The activity cluster, called Contagious Interview, involves threat actors posing as employers to trick software developers into installing malware such as BeaverTail and InvisibleFerret during the interview process.
Subsequently, in early February, a software supply chain security company discovered a set of malicious packages on the npm registry that distributed the same malware families to extract confidential data from compromised developer workstations. It's important to note that Contagious Interview and Operation Dream Job (also known as DeathNote or NukeSped) are not the same. According to researchers, the former targets developers primarily through fictitious identities on freelance job portals, while the latter uses npm packages and developer tools that lead to BeaverTail and InvisibleFerret.
Operation Dream Job is a long-running offensive effort that distributes malware by sending malicious files disguised as job offers to unsuspecting individuals working in a variety of areas, including aerospace, cryptocurrency, defense, and others. It is associated with the infamous Lazarus Group from North Korea. It was discovered by cybersecurity experts in early 2020 and has similarities to two other Lazarus clusters, Operation In(ter)ception and Operation North Star.
The first step in the attack chain described by the cybersecurity firm is a ZIP archive hosted on GitHub, which is probably sent to the victim during the interview. The archive contains a seemingly harmless npm module that hides a malicious JavaScript file, BeaverTail, which loads a Python backdoor called InvisibleFerret from a remote site and steals data. Beyond collecting system information, the implant can execute commands, enumerate and exfiltrate files, and log keystrokes and clipboard contents.
This suggests that threat actors based in North Korea are constantly refining a wide range of tools for their arsenal of cyberattacks. They are also regularly upgrading their tools to better conceal their activities, blend in with host systems and networks, steal information, and profit from breaches.
Maintaining a security-focused mindset is crucial against attacks that rely on social engineering, particularly in high-pressure settings such as job interviews. The attackers behind the DEV#POPPER campaign exploit the fact that the person on the other end is distracted and considerably more vulnerable in that setting.
Impact
- Command Execution
- Sensitive Information Theft
- Keylogging
- Data Exfiltration
Indicators of Compromise
IP
- 147.124.214.131
- 173.211.106.101
MD5
- 31725dc195bb09fc32a842a554cc931b
SHA-256
- 45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e
SHA-1
- bd89039c11ca71e522edac50a07e04b489caaaaf
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Ensure that general security policies are employed, including strong passwords, correct configurations, and proper administrative security policies.
- Use multi-factor authentication: Implement multi-factor authentication for all accounts to make it more difficult for attackers to gain access to sensitive systems and data.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Keep software up-to-date: Ensure that all software is kept up-to-date with the latest security patches to minimize the risk of vulnerabilities being exploited.
- Monitor network traffic: Monitor network traffic for unusual or suspicious activity, which may indicate an attack is underway.
- Conduct regular security training: Provide regular security training to all employees to ensure they are aware of the latest threats and how to protect against them.
- Conduct regular security assessments: Conduct regular security assessments to identify vulnerabilities and weaknesses that could be exploited by attackers.
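As an added example (not part of this advisory or its source reports), the following Python script sweeps a set of files for the hash indicators listed above, flags JavaScript that fits the loader pattern described in the analysis (a file that fetches from the network and spawns a Python interpreter), and checks proxy log lines for the two listed IPs. The sample files, log lines and loader heuristics are constructed assumptions; the hashes and IPs are the advisory's own.

```python
import hashlib
import re

IOC_HASHES = {  # MD5, SHA-1 and SHA-256 digests published in this advisory
    "31725dc195bb09fc32a842a554cc931b", "bd89039c11ca71e522edac50a07e04b489caaaaf",
    "45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e",
}
IOC_IPS = {"147.124.214.131", "173.211.106.101"}  # C2 addresses from this advisory

def file_digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's bytes as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def loader_traits(js_source: str) -> list:
    """Heuristic (an assumption, not a published signature) for the loader stage described
    above: JavaScript that fetches remotely, spawns a process and references Python."""
    checks = [
        ("network-fetch", r"\b(https?\.(get|request)|fetch|axios)\s*\("),
        ("process-spawn", r"\bchild_process\b|\b(exec|spawn)(Sync)?\s*\("),
        ("python-reference", r"\bpython3?\b"),
    ]
    return [name for name, pattern in checks if re.search(pattern, js_source, re.I)]

def sweep_files(files: dict, hashes: set = IOC_HASHES) -> dict:
    """files maps path -> bytes. A hash match is a confirmed IoC; a .js file showing all three loader traits is a triage lead."""
    findings = {}
    for path, data in files.items():
        hits = [d for d in file_digests(data).values() if d in hashes]
        if hits:
            findings[path] = f"IoC hash match: {hits[0]}"
        elif path.endswith(".js"):
            traits = loader_traits(data.decode("utf-8", "replace"))
            if len(traits) == 3:
                findings[path] = "loader heuristics: " + ", ".join(traits)
    return findings

def sweep_log(lines: list) -> list:
    """Return proxy/firewall log lines that mention one of the advisory's IPs."""
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    return [ln for ln in lines if IOC_IPS & set(ip_re.findall(ln))]

# Constructed samples (not real artefacts): a benign module, a file that trips the
# loader heuristic, and two proxy log lines, one of them to an RFC 5737 test address.
SAMPLE_FILES = {
    "index.js": b"module.exports = (a, b) => a + b;\n",
    "lib/init.js": b"const {exec} = require('child_process');\n"
                   b"https.get(url, r => exec('python3 ' + script));\n",
}
SAMPLE_LOG = [
    "2024-04-29T10:01:02Z dev-laptop-7 CONNECT 173.211.106.101:443 allowed",
    "2024-04-29T10:01:05Z dev-laptop-7 CONNECT 198.51.100.7:443 allowed",
]
```

Run `sweep_files` over an extracted interview archive read into memory and `sweep_log` over egress logs; only the hash matches are definitive, the loader traits are a starting point for manual review.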