Threat actors behind an ongoing malware attack targeting software developers have demonstrated new malware and tactics, expanding their targeting to Windows, Linux, and macOS systems.
The activity cluster is tracked as DEV#POPPER. The attacks, which have been linked to North Korea, have been found to target victims across South Korea, North America, Europe, and the Middle East.
“This style of attack is an advanced form of social engineering designed to manipulate individuals into divulging sensitive information or taking actions they would not normally undertake,” Securonix researchers Den Iuzvyk and Tim Peck said in a new report shared with The Hacker News.
DEV#POPPER is the nickname given to an ongoing malware campaign that uses the guise of a job interview to trick software developers into downloading booby-trapped software hosted on GitHub. It overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.
Signs that the campaign is becoming more widespread and cross-platform in scope emerged earlier this month when researchers discovered artifacts targeting both Windows and macOS delivering an updated version of the malware known as BeaverTail.
The attack chain documented by Securonix is largely unchanged: the threat actor poses as an interviewer for a developer position and prompts candidates to download a ZIP archive file for a coding assignment.
The archive contains an npm module that, once installed, triggers the execution of an obfuscated JavaScript (such as BeaverTail), determines the operating system it is running on, and establishes a connection with a remote server to exfiltrate the desired data.
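As an added defensive example (not code from the Securonix report), the Python script below audits such a "coding assignment" ZIP before anyone runs npm install on it: it flags npm lifecycle hooks that execute automatically at install time and applies simple obfuscation heuristics to any bundled JavaScript. The archive contents, file names and regex markers are constructed for illustration.

```python
import io
import json
import re
import zipfile

# Lifecycle hooks that npm runs on its own during "npm install"; a take-home
# assignment rarely needs any of them, so their presence is worth a look.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers of obfuscated loaders (constructed list, not a signature set).
OBFUSCATION_PATTERNS = {
    "run of hex-escaped string bytes": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "eval/Function call": re.compile(r"\b(eval|Function)\s*\("),
    "String.fromCharCode decoding": re.compile(r"String\.fromCharCode"),
    "atob base64 decoding": re.compile(r"\batob\s*\("),
}


def audit_npm_archive(zip_bytes: bytes) -> list[str]:
    """Return human-readable findings for a ZIP that claims to be an npm project."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if base == "package.json":
                try:
                    scripts = json.loads(zf.read(name)).get("scripts", {})
                except (json.JSONDecodeError, UnicodeDecodeError):
                    findings.append(f"{name}: unparsable package.json")
                    continue
                for hook in INSTALL_HOOKS:
                    if hook in scripts:
                        findings.append(f"{name}: install hook {hook!r} runs {scripts[hook]!r}")
            elif base.endswith(".js"):
                text = zf.read(name).decode("utf-8", errors="replace")
                for label, pattern in OBFUSCATION_PATTERNS.items():
                    if pattern.search(text):
                        findings.append(f"{name}: {label}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a postinstall hook plus an inert, obfuscated-looking loader."""
    loader = ('var _0x1a=["\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f"];'
              'eval(String.fromCharCode(102,101,116,99,104));')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assignment/package.json", json.dumps(
            {"name": "assignment", "scripts": {"postinstall": "node lib/init.js", "test": "jest"}}))
        zf.writestr("assignment/lib/init.js", loader)
        zf.writestr("assignment/src/app.js", "module.exports = (a, b) => a + b;\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in audit_npm_archive(build_sample_archive()):
        print(line)
```

Running it on the constructed archive reports the postinstall hook and three obfuscation markers in lib/init.js, while the plain src/app.js produces nothing; on a real assignment, any install hook is the first thing to read before installing.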
It is also capable of downloading a next-stage payload that contains a Python backdoor called InvisibleFerret, which is designed to collect detailed system metadata, access cookies stored in web browsers, execute commands, upload/download files, and log keystrokes and clipboard contents.
New features added to recent samples include the use of improved obfuscation, AnyDesk Remote Monitoring and Management (RMM) software for persistence, and improvements to the FTP mechanism used for data exfiltration.
Additionally, the Python script acts as a conduit to execute auxiliary scripts that steal sensitive information from different web browsers (Google Chrome, Opera, Brave) on different operating systems.
“This sophisticated extension of the original DEV#POPPER campaign continues to leverage Python scripting to carry out multi-stage attacks focused on stealing sensitive information from victims, but now with much more powerful capabilities,” the researchers said.