CyberWire Daily - Pop goes the developer. [Research Saturday]

Episode Date: August 31, 2024

Tim Peck, a Senior Threat Researcher at Securonix, is discussing their work on "Threat actors behind the DEV#POPPER campaign have retooled and are continuing to target software developers via social engineering." The DEV#POPPER campaign continues to evolve, now targeting developers with malware capable of operating on Linux, Windows, and macOS systems. The threat actors, believed to be North Korean, employ sophisticated social engineering tactics, such as fake job interviews, to deliver stealthy malware that gathers sensitive information, including browser credentials and system data. The research can be found here: Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace.
Starting point is 00:01:47 Thanks for joining us. It looks like the threat actors put their lure out. You know, we're looking for some dev, you know, perhaps some financial incentive, you know, listed in the job offer. You know, in that case, they would kind of go back and forth with the potential interviewee or victim at this point and then establish a relationship and then conduct the interview. The whole thing behind this is that this isn't unusual.
Starting point is 00:02:16 Everything that they're doing is pretty in line with a typical, I guess you could call, practical interview. That's Tim Peck, Senior Threat Researcher at Securonix. The research we're discussing today is titled "Threat Actors Behind the Dev Popper Campaign Have Retooled and Are Continuing to Target Software Developers Via Social Engineering." So this campaign has been going on for a while. This is something that our team has been tracking since the beginning of the year. So a part of our day-to-day is basically examining attack data from our various data sources
Starting point is 00:02:57 for the sake of building detections. And part of the course of our investigations, we came across this novel or interesting sample that we were able to analyze and observe. And it's a really interesting attack campaign because it plays on the human element, you know, as opposed to, you know, a traditional attack that you might see that might involve exploitation or phishing emails, you know. The idea is for the threat actors to host malicious job interviews in the hopes to appear legitimate. And what the end goal is to get the victim or the interviewee in this case to unknowingly detonate malware on their machine, which the end goal would give the attackers full control over the machine. I see. Well, so let's go through some of the sort of who, what, where, when, and why. Do we have a notion of who's behind this? Yeah. In fact, in our original publication, we associated this to North Korea, and this was
Starting point is 00:04:00 due to several telemetry sources that we were able to observe. Some I have to be careful with how I speak because they're proprietary. It also relates very closely to Contagious Interview, a Palo Alto campaign. The benefit is our research kind of complements each other because it seems like this is something that they've been investigating for a while along with our team. And it complements each other because our samples are different. However, some of the TTPs and the malware involved was very, very similar. Yeah, it turns out we both came to the conclusion North Korea threat actors were behind these interviews. And that was, yeah, like I said, based on quite a few different factors, including some of the language used in the lure documents, passwords, and geo telemetry data that we were able to observe. I see. Who in particular, if anybody, are they targeting here? You know, it kind of seems all over. You know, during our original publication, the telemetry pointed mostly to South Korea, when kind of spread around various other countries as well. And during our last update, we observed, we identified samples
Starting point is 00:05:09 originating from Germany, South Korea, the United States, Pakistan, France. It was kind of all over. So there wasn't like a single target in mind, aside from the obvious group of people, which would be developers in this case. Well, let's walk through it together here. Can you take me through if, how would someone find themselves in the sites of this DevPopper campaign?
Starting point is 00:05:34 It looks like they're mostly targeting kind of smaller job boards. You know, we didn't see a lot of activity, you know, from larger entities like LinkedIn or Indeed. And so, it looks like the threat actors put their lure out, you know, we're looking for some dev, you know, perhaps some financial incentive, you know, listed in the job offer. You know, in that case, they would kind of go back and forth with the potential interviewee or victim at this point, and then establish a relationship and then conduct the interview. And it's at this point where it gets really interesting. The threat actors, and the whole thing behind this is that this isn't unusual. You know, everything that they're doing is pretty in line with a typical, I guess you could call practical interview. So during the course of the
Starting point is 00:06:19 interview, the threat actors would provide a link to a GitHub repository, which was a basic zip file. The interviewee would be instructed to extract, analyze, and then execute this zip file's contents. What's interesting is it does appear legit, a legitimate Node.js package. It's not unless you look really, really close at one of the JavaScript files. And this is highlighted in our advisory.
Starting point is 00:06:50 In fact, I think we posted a GIF of this. And it's actually really interesting. I encourage you to look at it because you can pull open this malicious file in a text editor and at a high level, you don't see anything wrong with it. It's not until you scroll way over to the right, there's a single, very long one-liner that contains the malicious code. Highly, highly
Starting point is 00:07:12 obfuscated JavaScript. It was really good at getting around AV detections, had very few hits. And once that executes, it kicks off a few other stages of malware that embed itself into your system to allow the attacker for full command and control. Can we go through some of that sort of thing? I mean, once they get hold here, what happens next? Sure. Basically, this highly obfuscated command is, essentially, it does a few things.
Starting point is 00:07:37 The first thing it does is it executes a system curl command to download a Python file. It also downloads the entire Python library in a zip file format. And that gets all extracted into the user's local file, C user's username. The Python code that gets extracted and executed, it ends in an NPL file. However, that extension isn't correct it's actually a python file and basically that is a really really complex piece of malware it does a few interesting things for one it allows like i mentioned for full command and control this establishes a connection back to the
Starting point is 00:08:17 attacker's infrastructure and allows them to perform several tasks one of which is run system commands it allows for exfiltration. It allows for file and directory browsing. It also performs some interesting other side functions that include like screen cap and clipboard monitoring as well, as well as some automated theft. I believe browsers were heavily targeted, scraping out cookies, session data, that type of thing. So yeah, in a nutshell, that's kind of the entire attack chain. And at that point, you know, whether the attackers find what they're looking for at that stage, they can pull the plug.
Starting point is 00:08:51 But all this would be going on during the course of an interview. So, you know, kind of all this behind the scenes. So I'd imagine they'd probably have a team of people, some conducting the interview, some snooping around inside of the interviewee or victim's computer. We'll be right back. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:09:21 Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:09:49 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In the process of this, you're in the midst of the interview they they ask you to download this file nothing seems amiss and even for someone who was let's say technically proficient at first glance there's nothing that would throw up a lot of red flags at looking at these files that they're asking you to use.
Starting point is 00:10:45 Exactly. And you put yourself in the interviewee's situation. You're stressed out, you're trying to impress your interviewers, right? Because you want the job. You'll kind of go along with whatever they ask. And so there's some inherent trust or lack of OPSEC, I guess you could say, at that point, because you're trying to, you know, essentially get a job, get work. And so, and it's also not unusual to examine or execute code from a dev standpoint. So there's not really anything out of the ordinary that these attackers are asking this individual to do. And so it plays on a lot of human emotion and element at that point, because, you know, I try to put myself in my situation and then into that situation and, you know, ask myself, you know, man, would I have executed this, you know, without properly vetting it? Because it would be really, really easy to miss.
Starting point is 00:11:41 without properly vetting it. Because it would be really, really easy to miss. I mean, you'd look at the contents of that original zip file, and it's just, you know, several directories of files, you know, all these Node.js stuff. And I believe in DevPopper, that malicious code was stuffed inside some type of arbitrary, like, server connection profile code.
Starting point is 00:12:04 So it's, you know, it's possible that that file may have been completely missed, not even examined by the person executing it. I guess one of the things that struck me here as interesting, if not odd, is that these folks are targeting, presumably, information from a business computer, right? How many people are doing job interviews on the computer of their current employer? I guess enough.
Starting point is 00:12:37 You know, that's so true. I guess that's the hope, you know, that would be the end goal. And, you know, you just think of the danger there. You know, if they're able to get into those systems and they do have full command and control, you know, at that point, they're able to, you know, behind the scenes, elevate their privileges, possible move laterally. You know, you got to ask yourself, what does this user have access to? And, you know, as a dev, they probably have access to a lot of other internal systems. All the internal resources, you know, what sites are they logged into?
Starting point is 00:13:10 You know, since we know that they're targeting browsers and session data, you know, at that point, the threat actors have active cookies and session tokens for currently logged in websites. And those could be
Starting point is 00:13:21 internal GitHub projects. That could be very sensitive information from a company standpoint. So that aspect, that risk would be considered very, very high from a business standpoint. And the tools here are cross-platform? Yes. No, that's correct. Yeah, we observed, if you take a look at the Python code, it breaks down and the code basically pivots based on detected OS. And so we observed support for this malware on Windows, Mac OS, and Linux.
Starting point is 00:13:53 I see. And you all have been tracking some updates and enhanced functionality of this tool along the way here. Are there any particular new elements that you want to mention? Yeah, so some of the code changes that we observed were networking session creation. So it doesn't matter how many times
Starting point is 00:14:15 the code executes, the attackers are able to live in multiple sessions. And that could be a way to circumvent potential connection issues or as a potential second backdoor. A file system interaction was a bit more robust. For instance, scraping for certain doc types and directories. Say the attackers are interested in doc or docx files.
Starting point is 00:14:39 They're able to quickly scan and parse within a set of directories or subdirectories. So it allowed for a lot more efficiency. The code was a bit more cleaned up, I guess you could say. The keyboard and keystroke logging code was a bit more robust as well. And the general obfuscation, the code was a bit more hidden and a bit more difficult to analyze because of that. So there were some counter-analysis techniques that we saw in the newer update and research update than we did previously. Yeah, that's interesting. And again, you're coming back to the whole social engineering aspect of it. I can imagine also, let's say you're a developer and you fall victim to this, again, you're job hunting on a work computer.
Starting point is 00:15:28 You're not going to go running to your boss to say, hey, I made a mistake here, right? Or at least you could see that that process could be slowed down while someone tried to figure out how on earth they were going to handle this. Yeah, exactly. And I mean, you know, it's possible that the attackers might, you know, potentially lengthen the review to distract the interviewee at that point,
Starting point is 00:15:53 just to allow for more time into the system without raising suspicion. And, you know, if the interview is, you know, say a standard interview length at about an hour, you know, the attackers have been poking around in that system for an hour, you know, deeply rooting themselves at that point and potentially lateral movement phases already started. Right. So what are your recommendations here for folks to best protect themselves? You know, along those lines, definitely do not conduct interviews on work machines for other companies. That should be number one. Number two, it's difficult. But, you know, I would suggest try to have a cybersecurity first mindset,
Starting point is 00:16:36 right? Interviews are stressful. And I get that, you know, I've been in that place many times, I think we all have. But it's critical, whether you're opening that email or you're conducting that interview, if anything seems off, your interviewer seems really eager to get you to execute something from a strange GitHub repository that doesn't have a lot of history,
Starting point is 00:16:57 you know, perhaps like these red flags should add up and, you know, question your interviewer. And, you know, it's possible that if this is a legit interview, you know, question your interviewer. And, you know, it's possible that if this is a legit interview, you know, your interviewer might be impressed with your level of OPSEC, just not executing random code on your machine. But in the case of this, you know, if you want to be super safe, you know, use VMs. You know, there's nothing wrong with that. You know,
Starting point is 00:17:20 build out a Windows sandbox or something to run code on, and then you don't have any risk of any personal or corporate information being stolen or retrieved in any way. Yeah. How do you rate the sophistication of this effort here? It's incredibly sophisticated. I mean, when you think about the personnel involved, you need people who are confident and can conduct themselves as an interview and present themselves as a legitimate entity.
Starting point is 00:17:52 And so not only that, but the sophistication of the malware, the Python code was really interesting. The level of obfuscation, it didn't appear to be like ran through some type of online obfuscator. It was really well thought out and methodical. So I'd rate the sophistication very high. It definitely
Starting point is 00:18:11 had backings of nation state, which, you know, when it comes from Korea, I think probably a good percentage of the threats coming from Korea would be nation state backed North Korea. North Korea. Our thanks to Tim Peck from Securonics for joining us. The research is titled, Threat Actors Behind the Dev Popper Campaign Have Retooled and Are Continuing to Target Software Developers Via Social Engineering. We'll have a link in the show notes. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
Starting point is 00:18:59 digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. with Black Cloak. Learn morewire at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben.
Starting point is 00:19:56 Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:20:46 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
