An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor.
Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors.
“During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. “The software contained a malicious Node JS payload that, once executed, compromised the developer’s system.”
Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster dubbed Contagious Interview in which the threat actors pose as employers to lure software developers into installing malware such as BeaverTail and InvisibleFerret through the interview process.
Then earlier this February, software supply chain security firm Phylum uncovered a set of malicious packages on the npm registry that delivered the same malware families to siphon sensitive information from compromised developer systems.
It's worth noting that Contagious Interview is said to be distinct from Operation Dream Job (aka DeathNote or NukeSped), with Unit 42 telling The Hacker News that the former is “focused on targeting developers, mainly through fake identities in freelance job portals, and the next stages involve the use of developer tools and npm packages leading to […] BeaverTail and InvisibleFerret.”
Operation Dream Job, linked to the prolific Lazarus Group from North Korea, is a long-running offensive campaign that sends unsuspecting professionals employed in sectors such as aerospace, cryptocurrency, and defense, among others, malicious files disguised as job offers to distribute malware.
First uncovered by Israeli cybersecurity firm ClearSky at the start of 2020, it also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.
The attack chain detailed by Securonix begins with a ZIP archive hosted on GitHub that is likely sent to the target as part of the interview. Present within the archive is a seemingly innocuous npm module that harbors a malicious JavaScript file codenamed BeaverTail, which acts as an information stealer and as a loader for a Python backdoor called InvisibleFerret that is retrieved from a remote server.
The implant, besides gathering system information, is capable of command execution, file enumeration and exfiltration, and clipboard and keystroke logging.
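The chain above hinges on a developer running an npm project they were handed during an interview. A practical defensive habit is to triage such a package offline before `npm install` or `node` ever touches it. The following Python script is an added example written for this article; it is not code from Securonix, Unit 42, or the campaign itself, and its heuristics (lifecycle hooks in `package.json`, JavaScript that spawns processes, reaches out over HTTP, evaluates dynamic code, launches Python, or carries long encoded blobs) are generic constructed indicators, not IoCs from the report. The article does not state how the BeaverTail file is triggered, so the lifecycle-hook check rests only on the general fact that npm runs `preinstall`/`install`/`postinstall`/`prepare` scripts automatically during installation. The sample package the script builds is constructed and inert.

```python
"""Offline pre-execution triage of an npm package directory (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Scripts that npm executes automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic source patterns. Constructed for this example; they are not
# indicators taken from the Securonix DEV#POPPER report.
JS_PATTERNS = {
    "process_spawn": re.compile(r"child_process|\bexecSync\s*\(|\bspawn(?:Sync)?\s*\("),
    "remote_fetch": re.compile(r"\bhttps?\.(?:get|request)\s*\(|\bfetch\s*\(|\baxios\b"),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "python_launch": re.compile(r"['\"]python3?['\"]|\bpython3?\s+-c\b"),
    "long_encoded_blob": re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}|[A-Za-z0-9+/]{200,}={0,2}"),
}


def scan_package(pkg_dir):
    """Return sorted (relative_path, finding) tuples for a local package directory.

    Nothing in the package is executed; only package.json and *.js files are read.
    """
    root = Path(pkg_dir)
    findings = []
    manifest = root / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(("package.json", f"lifecycle:{hook}"))
    for js in root.rglob("*.js"):
        if "node_modules" in js.parts:  # vendored dependencies would need their own review
            continue
        text = js.read_text(encoding="utf-8", errors="replace")
        rel = js.relative_to(root).as_posix()
        for name, pattern in JS_PATTERNS.items():
            if pattern.search(text):
                findings.append((rel, name))
    return sorted(findings)


def build_sample_package(root, suspicious):
    """Write a constructed 'interview task' package into root.

    The suspicious variant only contains the textual tokens the heuristics
    look for; it references an undefined placeholder and is not a working
    program. The clean variant is an ordinary helper module.
    """
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    scripts = {"test": "node test.js"}
    if suspicious:
        scripts["postinstall"] = "node lib/setup.js"  # auto-runs on install
    manifest = {"name": "interview-task", "version": "1.0.0", "scripts": scripts}
    (root / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "lib").mkdir(exist_ok=True)
    if suspicious:
        body = (
            "// constructed, inert fragment for the scanner to flag\n"
            "const cp = require('child_process');\n"
            "const https = require('https');\n"
            "https.get(REMOTE_URL_PLACEHOLDER, () => {});\n"
            "cp.spawn('python3', ['-c', 'pass']);\n"
        )
    else:
        body = "module.exports = { add: (a, b) => a + b };\n"
    (root / "lib" / "setup.js").write_text(body, encoding="utf-8")
    return root


def triage_sample(suspicious):
    """Build a constructed sample in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_sample_package(tmp, suspicious))


if __name__ == "__main__":
    # Point scan_package() at a real unpacked archive to triage it; the
    # sample run below uses the constructed suspicious package.
    for rel, finding in triage_sample(True):
        print(f"{rel}: {finding}")
```

Any hit is a reason to read the flagged file by hand and to run the project, if at all, only inside a disposable VM or container with no access to personal credentials, wallets, or SSH keys. The absence of hits proves nothing: obfuscated or minified loaders can hide every one of these tokens, so the scan is a cheap first gate, not a verdict.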
The development is a sign that North Korean threat actors continue to hone a raft of weapons for their cyber attack arsenal, consistently updating their tradecraft with improved capabilities to hide their actions and blend in on host systems and networks, not to mention siphon off data and turn compromises into financial gain.
“When it comes to attacks which originate through social engineering, it's critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews,” Securonix researchers said.
“The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is in a highly distracted and much more vulnerable state.”