An ongoing social engineering campaign is targeting software developers using fake npm packages under the guise of job interviews to trick them into downloading a Python backdoor.
Cybersecurity company Securonix is tracking this activity under the name DEV#POPPER, linking it to North Korean threat actors.
“In these fraudulent interviews, developers are often asked to perform tasks that involve downloading and running software from a seemingly legitimate source, such as GitHub,” security researchers Den Iuzvik, Tim Peck, and Oleg Kolesnikov wrote. “The software contained a malicious Node JS payload that, when executed, compromised the developer's system.”
Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster called Contagious Interview, in which threat actors pose as employers and lure software developers through a fake interview process into installing malware such as BeaverTail and InvisibleFerret.
And in early February of this year, software supply chain security firm Phylum discovered a set of malicious packages on the npm registry that delivered the same malware family to siphon sensitive information from compromised developer systems.
It is worth noting that Contagious Interview is said to be distinct from Operation Dream Job (also known as DeathNote or NukeSped). Unit 42 told The Hacker News that the former is “mainly focused on targeting developers through fake identities on freelance job portals, and the next stage involves the use of developer tools and npm packages […] BeaverTail and InvisibleFerret.”
Operation Dream Job, attributed to North Korea's prolific Lazarus Group, is a long-running campaign that sends malicious files disguised as job offers to unsuspecting professionals in fields such as aerospace, cryptocurrency, and defense in order to distribute malware.
First discovered by Israeli cybersecurity firm ClearSky in early 2020, it also shows overlap with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.
The attack chain detailed by Securonix begins with a ZIP archive hosted on GitHub that appears to be sent to the target as part of an interview. Inside the file is a seemingly harmless npm module. This module contains a malicious JavaScript file codenamed BeaverTail. This file acts as an information stealer and loader for a Python backdoor called InvisibleFerret that is obtained from a remote server.
In addition to collecting system information, the implant can execute commands, enumerate and extract files, and log clipboard and keystrokes.
The development is a sign that North Korean threat actors are continually updating their tradecraft, honing an arsenal of tools that improves their ability to conceal their actions, infiltrate host systems and networks, siphon data, and turn compromises into financial gain.
“When it comes to attacks through social engineering, it's important to maintain a security-focused mindset, especially in intense and stressful situations like a job interview,” Securonix researchers said.
“The attackers behind the DEV#POPPER campaign exploit this knowing that their opponents are highly distracted and more vulnerable.”