North Korean threat actors have expanded the DEV#POPPER campaign, deploying new malware variants targeting developers across South Korea, North America, Europe, and the Middle East.
Leveraging social engineering, these adversaries deliver malware via deceptive job interviews, compromising Windows, Linux, and macOS systems.
Advanced evasion techniques and expanded capabilities characterize this evolving threat, demanding robust countermeasures to protect against sophisticated attacks.
In a lure file attack, attackers posing as interviewers send a ZIP file (e.g., onlinestoreforhirog.zip) containing legitimate files and a malicious JavaScript code hidden within a seemingly harmless server-connection file (e.g., printfulRoute.js).
The obfuscated code, making use of techniques like base64 encoding, dynamic names, and string manipulation, evades detection by both antivirus (low positive rate on VirusTotal) and human analysis. Once executed with “npm install” and “npm start,” the malicious code triggers the infection chain.
Highly obfuscated JavaScript code, employing techniques like base64 encoding and string manipulation, rendered initial analysis impossible. Deobfuscation revealed a concealed C2 address, reconstructed from fragmented base64-encoded components.
While the full code complexity precludes a detailed explanation, its overall functionality suggests malicious intent, necessitating further in-depth analysis to fully understand its capabilities and potential threats.
The main function, “M,” serves as the script’s orchestrator, dynamically adapting to Windows, Linux, or macOS environments, which initiates data extraction by constructing platform-specific paths and variables and delegating extraction tasks accordingly.
Subsequently, C2 communication modules construct URLs, prepare form data, and execute HTTP POST requests to a designated IP and port, transmitting extracted data to a remote server.
Malware gathers system information (hostname, platform, timestamp) and potentially sensitive data (files, logs) into a form object and then sends this data, along with a unique system identifier and payload type identifier, to a C2 server for analysis and tracking.
A separate function manages downloading next-stage payloads, which builds a URL using curl and attempts to download a file to a temporary location. The function checks for download success by verifying file existence and size against a timestamp threshold.
If unsuccessful, it retries with a counter limit to prevent infinite loops. Upon successful download, the file is renamed and extracted using tar in the user’s home directory, allowing the malware to update itself with new functionalities from the C2 server.
A Python-based malware, delivered via a .zip archive, installs a malicious script (.npl) and its dependencies (.pyp) on the victim’s system, which is heavily obfuscated using base64 encoding and XOR encryption, functions as a Remote Access Trojan (RAT).
Once decrypted, it reveals extensive capabilities, including system information gathering, geolocation tracking, C&C communication, remote command execution, file transfer, keylogging, clipboard monitoring, and persistent infection through reconnection attempts.
According to Securonix, the malware can recursively search and list files/directories, filter based on size and extensions for upload, and target geolocation data and specific system information.
After compromising a host, it steals browser cookies, including Chrome extensions’ data, exfiltrates information every 10 minutes, and also downloads additional payloads, receives and executes commands, logs keystrokes, and steals passwords based on OS type.
.webp?w=1200&resize=1200,0&ssl=1&description=Leveraging social engineering, these adversaries deliver malware via deceptive job interviews, compromising Windows, Linux, and macOS systems. ){kind=link}