The DEV#POPPER campaign originating from North Korea has resurfaced with an upgraded malware and social engineering toolkit, aimed at targeting software developers globally for data theft. Recent research conducted by the Securonix Threat Research team has revealed that this known threat group has expanded its reach by incorporating Linux and macOS variants into its malware arsenal, in addition to the existing Windows binary.
Initially focusing on South Korea, the campaign has now extended its operations worldwide, including Europe, the Middle East, and North America. While the specific targeting tactics employed by the campaign remain unclear, there are similarities with other state-sponsored attacks by North Korean actors, particularly in the utilization of fake recruitment schemes.
Tim Peck, Senior Threat Researcher at Securonix, highlighted the attackers' primary objective: successful data theft from corporate or company-owned endpoints. The malware employed in these attacks is geared towards theft, in contrast to the ransomware or cryptominers that are the common tactics in financially motivated breaches.
One of the key tactics used by the DEV#POPPER threat actors involves posing as interviewers offering non-existent positions to software developers. By sending a seemingly harmless .ZIP file disguised as an npm package for coding skill assessment, the attackers can execute malicious code on the victim’s system undetected. This method leverages practical-style developer interviews, making it challenging for the interviewee to discern any malicious intent.
The sophisticated nature of this social engineering attack is exemplified by the extensive efforts put into hosting fake job interviews, emphasizing the boldness of the threat actors involved. The malicious file embedded in the .ZIP package has a low detection rate by antivirus software, complicating the identification of potential threats.
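The lure described above is an archive the candidate is expected to install and run as part of a "coding test". A defender-side triage step is to inspect such an archive before `npm install` ever touches it. The script below is an added example written for this article, not code from Securonix or from the campaign's tooling; it assumes the archive is an ordinary .zip containing a `package.json` somewhere inside, and the sample archive it builds (`build_sample_archive`) is constructed here purely for illustration. It flags npm lifecycle hooks (which npm executes automatically during install), bundled `node_modules` content, and a few JavaScript patterns that warrant a closer look.

```python
"""Offline triage of an npm-style 'coding assessment' archive.

Added example for this article (not the report's or the malware's code).
Assumption: the archive is a plain .zip with a package.json at any depth.
"""
import io
import json
import re
import zipfile

# npm runs these package.json "scripts" entries on its own during install or
# related commands, so their values execute without the developer invoking them.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall",
                   "prepare", "preprepare", "postprepare", "prepublish"}

# Constructed heuristics: patterns in JavaScript that merit manual review.
SUSPICIOUS_JS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"new\s+Function\s*\("), "dynamic Function constructor"),
    (re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"), "child_process import"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), "long base64-looking blob"),
]


def audit_npm_archive(zip_bytes: bytes) -> list:
    """Return (member_name, finding) tuples; an empty list means nothing flagged."""
    findings = []
    bundled_reported = False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            data = zf.read(name)

            if name.split("/")[-1] == "package.json":
                try:
                    pkg = json.loads(data.decode("utf-8"))
                except (ValueError, UnicodeDecodeError):
                    findings.append((name, "unparseable package.json"))
                    continue
                scripts = pkg.get("scripts", {}) if isinstance(pkg, dict) else {}
                for hook in sorted(LIFECYCLE_HOOKS & set(scripts)):
                    findings.append((name, f"lifecycle hook '{hook}': {scripts[hook]}"))

            elif name.endswith((".js", ".cjs", ".mjs")):
                text = data.decode("utf-8", errors="replace")
                for pattern, label in SUSPICIOUS_JS:
                    if pattern.search(text):
                        findings.append((name, label))

            # Pre-bundled dependencies skip the registry's integrity checks;
            # report this once rather than for every file under node_modules.
            if "/node_modules/" in "/" + name and not bundled_reported:
                findings.append((name, "pre-bundled node_modules content"))
                bundled_reported = True
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a 'coding test' whose install hook runs extra code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("coding-test/package.json", json.dumps({
            "name": "coding-test",
            "version": "1.0.0",
            "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
        }))
        zf.writestr("coding-test/setup.js",
                    "const cp = require('child_process');\n"
                    "eval(\"console.log('hooked')\");\n")
        zf.writestr("coding-test/test.js", "console.log('ok');\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, finding in audit_npm_archive(build_sample_archive()):
        print(f"{member}: {finding}")
```

Run it on the real archive by replacing `build_sample_archive()` with the bytes of the downloaded .zip. Any lifecycle hook finding means the project will execute code during `npm install`, which is exactly the step a "just install and run the tests" interview asks the candidate to perform; review that script's contents, or run the assessment inside a disposable VM, before proceeding on a workstation.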
In terms of malware functionality, the updated DEV#POPPER campaign features a multiplatform strategy with enhanced sophistication compared to previous versions. Securonix researchers uncovered new malicious functions within the malware, including a main function responsible for data extraction and cross-platform code execution.
The malware employs various techniques to evade detection and operate stealthily on compromised systems, such as sending stolen data to command-and-control servers, collecting system information, and performing directory traversal to avoid detection. The expanded capabilities of the updated malware include the theft of sensitive files, keylogging, surveillance, and the extraction of browser cookies and credit card information.
The implications of running this information-stealer malware on a business endpoint are severe, as it grants threat actors access to sensitive data and enables remote control of the infected system. Despite the challenges in defending against such attacks, awareness training can help mitigate the risks associated with social engineering tactics.
To protect against these threats, individuals are advised to avoid conducting interviews on company-owned devices and maintain a security-focused mindset during job-seeking activities. Remaining cautious and vigilant against suspicious requests can help prevent falling victim to social engineering attacks.
