A new cyber threat dubbed DEV#POPPER is currently underway, targeting software developers with deceitful npm packages disguised as job interview opportunities, aiming to dupe them into downloading a Python backdoor. Securonix, a cybersecurity firm, has been monitoring this activity and has associated it with North Korean threat actors.
In this scheme, developers are approached for fake job interviews where they are instructed to execute tasks that involve downloading and running software from seemingly legitimate sources like GitHub. However, the software actually contains a malicious payload in the form of a Node JS script, which compromises the developer's system upon execution. The individuals involved in tracking this activity, namely Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, have shed light on this fraudulent practice.
This campaign came to light in late November 2023 when Palo Alto Networks Unit 42 revealed an operation known as Contagious Interview. Here, threat actors pose as potential employers to entice software developers into installing malware such as BeaverTail and InvisibleFerret during the interview process. Moreover, in February of the following year, Phylum, a software supply chain security firm, uncovered similar malicious packages on the npm registry delivering the same malware families to extract sensitive information from compromised developer systems.
It's important to distinguish Contagious Interview from Operation Dream Job, associated with the Lazarus Group from North Korea. While the former targets developers primarily through fake identities on freelance job portals and utilizes developer tools and npm packages leading to malware distribution, the latter involves sending malicious files disguised as job offers to unsuspecting professionals across various sectors.
Securonix outlined the attack chain, which begins with a ZIP archive hosted on GitHub sent to the target as part of the interview process. Within this archive lies a seemingly harmless npm module containing a malicious JavaScript file, BeaverTail, which acts as an information stealer and a loader for a Python backdoor named InvisibleFerret retrieved from a remote server. This backdoor is capable of various malicious activities, including command execution, file enumeration, exfiltration, clipboard monitoring, and keystroke logging.
This development underscores the ongoing efforts of North Korean threat actors to refine their cyber attack techniques, continuously updating their methods to evade detection and maximize their gains. Maintaining a security-focused mindset, especially during high-pressure situations like job interviews, is crucial in mitigating such social engineering attacks, as highlighted by Securonix researchers. The attackers exploit the vulnerability and distraction of individuals during these situations, emphasizing the need for vigilance and caution.