Threat actors behind an ongoing malware campaign targeting software developers have introduced new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.
The activity cluster, dubbed DEV#POPPER and linked to North Korea, has targeted victims across South Korea, North America, Europe, and the Middle East.
“This attack represents an advanced form of social engineering, designed to manipulate individuals into divulging confidential information or performing actions they might normally avoid,” Securonix researchers Den Iuzvyk and Tim Peck stated in a new report shared with The Hacker News.
DEV#POPPER is an active malware campaign that deceives software developers into downloading malicious software hosted on GitHub under the guise of a job interview. It shares similarities with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.
Indications that the campaign was broader and cross-platform in scope surfaced earlier this month when researchers discovered artifacts targeting both Windows and macOS, delivering an updated version of a malware called BeaverTail.
The attack chain documented by Securonix involves threat actors posing as interviewers for a developer position and urging candidates to download a ZIP archive file for a coding assignment. Included in the archive is an npm module that, once installed, executes obfuscated JavaScript (i.e., BeaverTail), which determines the operating system and establishes contact with a remote server to exfiltrate data.
The malware can also download subsequent payloads, including a Python backdoor called InvisibleFerret, designed to gather detailed system metadata, access cookies stored in web browsers, execute commands, upload/download files, and log keystrokes and clipboard content.
Recent samples have added features such as enhanced obfuscation, the use of AnyDesk remote monitoring and management (RMM) software for persistence, and improvements to the FTP mechanism for data exfiltration.
Furthermore, the Python script acts as a conduit to run an auxiliary script responsible for stealing sensitive information from various web browsers – Google Chrome, Opera, and Brave – across different operating systems.
“This sophisticated extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on exfiltrating sensitive information from victims, though now with much more robust capabilities,” the researchers said.