North Korea Targets Developers with The DEV#POPPER Campaign Again
- The North Korea-based DEV#POPPER campaign is back, tricking software developers with fake job interviews.
- This time around, the threat actors are casting a wider net: along with South Korea, developers in Europe, North America, and the Middle East are also being targeted.
- Linux and macOS variants of the malware have been added alongside the Windows variant.
The infamous North Korea-based DEV#POPPER campaign, which targets unsuspecting developers around the world with fake job interviews, is back once again, and this time with an update.
The discovery was made by the Securonix Threat Research team, whose analysis found that the threat actors have added Linux and macOS variants of the malware in addition to the Windows one, which means a much wider group of developers is now at risk.
The campaign was also previously limited to South Korea. This time around, it's targeting users in Europe, North America, and even the Middle East.
About the Attack
Here's how the attack works:
- The threat actors reach out to developers with a fake job interview.
- Once the victim takes the offer seriously, they are sent a .ZIP file that appears to be an npm package, supposedly to test the applicant's coding skills.
- In job interviews like these, it's not uncommon to ask the interviewee to run some code, so the request raises no suspicion.
- When the interviewee executes the code, a hidden line of JavaScript runs and starts the infection chain.
- The malware then detects the operating system of the device to choose the right execution flow, and collects information about the device and its files.
Why are software developers specifically being targeted? Because developers are among the most valuable assets any organization has.
Their devices often store confidential data, source code, access tokens, and other material that can be used to get into a company's infrastructure. If the company is large enough, a huge chunk of its user base can be impacted at once.
For example, last November, North Korea's primary cyberespionage and sabotage arm, the Lazarus Group, attacked the Taiwanese software company CyberLink and trojanized an installer for its commercial apps.
These attacks can also be financially motivated. According to senior threat researcher Tim Peck, based on the type of malware used, extortion could also be one of the motives.
Just last December, the North Korean hacker group APT37 exploited a zero-day vulnerability in Internet Explorer to launch a cyberattack on South Korea.
How to Protect Yourself Against These Attacks?
Even having antivirus on your system won't necessarily save you. The malware uses so many obfuscation techniques, such as Base64 encoding, dynamic function and variable names, concatenated and split strings, and prototype obfuscation, that detection is extremely difficult.
What makes detection even harder is that the .ZIP archive sent to victims also contains legitimate files. So the best defense is awareness and a few precautions. For example, if you are doing an interview, don't do it from your company device.
Research the company and the job position, and if anything seems out of the ordinary, step back. It's not just about your company's safety but also your own: if your work device holds any personal details, you are equally at risk.
The post North Korea Targets Developers with The DEV#POPPER Campaign Again appeared first on The Tech Report.