Bogus npm packages used to trick software developers into installing malware

April 27, 2024 | Pressroom | Malware / Software Security


An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor.

Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER and links it to North Korean threat actors.

“During these fraudulent interviews, developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub,” said security researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov. “The software contained a malicious Node.js payload that, when executed, compromised the developer’s system.”


Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster called Contagious Interview, in which threat actors pose as employers to trick software developers into installing malware such as BeaverTail and InvisibleFerret during the interview process.

Then in early February, software supply chain security firm Phylum discovered a series of malicious packages in the npm registry that deployed the same malware families to steal sensitive information from compromised developers’ systems.

It’s worth noting that Contagious Interview is said to be distinct from Operation Dream Job (aka DeathNote or NukeSped), with Unit 42 telling The Hacker News that the former is “focused on targeting developers, primarily through fake identities on freelance job portals, and the next steps involve the use of development tools and npm packages which lead to […] Beavertail and Invisible Ferret.”

Operation Dream Job, linked to North Korea’s prolific Lazarus Group, is a long-running offensive campaign that distributes malware by sending malicious files disguised as job offers to unsuspecting professionals in industries such as aerospace, cryptocurrency and defense.

First discovered by Israeli cybersecurity firm ClearSky in early 2020, it also shows overlap with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.

The attack chain described by Securonix begins with a ZIP archive hosted on GitHub that is likely sent to the target as part of the interview. Inside the archive is a seemingly innocuous npm module that hosts a malicious JavaScript file codenamed BeaverTail, which acts as an information stealer and as a loader for a Python backdoor called InvisibleFerret that is fetched from a remote server.


The backdoor, in addition to collecting information about the system, is able to execute commands, enumerate and exfiltrate files, and log clipboard contents and keystrokes.

This development is a sign that North Korean threat actors continue to refine the weapons in their cyberattack arsenal, constantly upgrading their tradecraft with improved capabilities to hide their actions and blend into host systems and networks, not to mention stealing data and turning compromises into financial gain.

“When dealing with attacks that originate through social engineering, it is critical to maintain a security-focused mindset, especially during intense and stressful situations such as job interviews,” Securonix researchers said.

“Attackers behind DEV#POPPER campaigns abuse this, knowing that the person on the other end is highly distracted and in a much more vulnerable state.”
