A persistent social engineering scheme aimed at software developers uses fraudulent npm packages, delivered under the guise of a job interview, to deploy a Python backdoor onto their systems.
Securonix, a cybersecurity company, has been monitoring this campaign, dubbed DEV#POPPER, which they attribute to North Korean threat actors.
"During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "The software contained a malicious Node JS payload that, once executed, compromised the developer's system."
Details of this campaign surfaced in late November 2023, when Palo Alto Networks Unit 42 revealed a series of activities known as Contagious Interview. Here, the threat actors masquerade as employers to entice developers into installing malware such as BeaverTail and InvisibleFerret during the interview process.
Subsequently, in February of the following year, Phylum, a software security firm, uncovered a collection of malicious npm packages on the registry. These packages delivered the same malware families to extract sensitive information from compromised developer systems.
It's important to distinguish Contagious Interview from Operation Dream Job, also linked to North Korea's Lazarus Group. The former targets developers primarily through fabricated identities on freelance job platforms, leading to the distribution of malware via developer tools and npm packages.
Operation Dream Job, on the other hand, extends its reach to various sectors like aerospace and cryptocurrency, disseminating malware-laden files disguised as job offers.
The attack sequence identified by Securonix begins with a GitHub-hosted ZIP archive, likely sent to the victim during the interview process. Within this archive lies an apparently harmless npm module housing a malicious JavaScript file, BeaverTail, which serves both as an information stealer and as a loader for the Python backdoor, InvisibleFerret, retrieved from a remote server. This implant can gather system data, execute commands, enumerate files, and log keystrokes and clipboard activity.
This development underscores the continued refinement of cyber weapons by North Korean threat actors, as they update their tactics to evade detection and extract valuable data for financial gain.
Securonix researchers emphasize the importance of maintaining a security-conscious mindset, particularly during high-pressure situations like job interviews, where attackers exploit distraction and vulnerability.