North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

Summary:
The ongoing malware campaign targeting software developers has expanded its focus to Windows, Linux, and macOS systems. Known as DEV#POPPER and linked to North Korea, the campaign targets victims in South Korea, North America, Europe, and the Middle East. According to a report from Securonix researchers Den Iuzvyk and Tim Peck, this sophisticated social engineering attack manipulates individuals into divulging confidential information or performing actions they wouldn't normally take.


Recent updates to the malware include enhanced obfuscation, the use of AnyDesk for persistence, and improvements to the FTP data exfiltration mechanism. Additionally, the Python script can run an auxiliary script to steal sensitive information from web browsers like Google Chrome, Opera, and Brave across various operating systems.


Security Officer Comments:
DEV#POPPER, which overlaps with Palo Alto Networks Unit 42's Contagious Interview campaign, tricks software developers into downloading malicious software from GitHub, disguised as a job interview coding assignment. The malware, called BeaverTail, identifies the operating system and establishes contact with a remote server to exfiltrate data and download further payloads, including a Python backdoor named InvisibleFerret. This backdoor collects system metadata, accesses browser cookies, executes commands, uploads/downloads files, and logs keystrokes and clipboard content.


Suggested Corrections:

When it comes to prevention and detection, the Securonix Threat Research team recommends:
  • If you have to execute code from potentially untrusted sources, leverage virtual machines or Windows Sandbox to isolate your machine from infection.
  • Raise awareness of the fact that people are targets of social engineering attacks just as technology is a target of exploitation. Remaining extra vigilant and security conscious, even during high-stress situations, is critical to preventing the issue altogether.
  • In case of code execution, monitor common malware staging directories, especially Python script-related activity in world-writable directories. In the case of this campaign the threat actors staged in subdirectories found in the user’s %APPDATA% directory.
  • Monitor for the usage of non-default scripting languages such as Python on endpoints and servers which should normally not execute it. To assist in this, leverage additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.
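The last two recommendations (watch Python activity in writable staging directories such as %APPDATA%, and watch for Python on hosts that should not run it) can be turned into a simple detection over Sysmon process-creation telemetry. The following is an added example written for this brief, not code from Securonix or from the reported malware. It assumes Event ID 1 records have already been parsed into dictionaries with the Sysmon field names (Computer, Image, CommandLine, User, ParentImage), and it takes an allowlist of hosts where Python is expected. The Windows paths reflect the %APPDATA% staging described above; the temp and Linux/macOS locations, and the treatment of inline `-c` execution as suspicious, are assumptions of this example, as are the sample events, which are constructed.

```python
import re
from typing import Iterable, Optional

# Interpreter names to watch for, matched on the basename of the Image field
# (python.exe, pythonw.exe, py.exe, python3, python3.11, ...).
PYTHON_IMAGE_RE = re.compile(r'(^|[\\/])(python|pythonw|py)(\d+(\.\d+)?)?(\.exe)?$', re.IGNORECASE)

# Writable staging locations. The campaign staged under %APPDATA%; the temp and
# Unix entries are the usual equivalents and are an assumption of this example.
STAGING_PATH_RES = [
    re.compile(r'\\AppData\\(Roaming|Local)\\', re.IGNORECASE),  # %APPDATA%, %LOCALAPPDATA%, %TEMP%
    re.compile(r'\\Windows\\Temp\\', re.IGNORECASE),
    re.compile(r'\\ProgramData\\', re.IGNORECASE),
    re.compile(r'\\Users\\Public\\', re.IGNORECASE),
    re.compile(r'^(/private)?/tmp/'),                            # Linux and macOS
    re.compile(r'^/var/tmp/'),
    re.compile(r'^/dev/shm/'),
]


def tokenize(cmdline: str) -> list:
    """Split a command line on whitespace, keeping double-quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def script_path(cmdline: str) -> Optional[str]:
    """Return the first .py/.pyw argument handed to the interpreter, if any."""
    for tok in tokenize(cmdline)[1:]:
        if tok.startswith('-'):
            continue
        if re.search(r'\.pyw?$', tok, re.IGNORECASE):
            return tok
    return None


def evaluate(event: dict, dev_hosts: Iterable[str] = ()) -> Optional[dict]:
    """Return an alert dict for one process-creation event, or None if nothing stands out."""
    if not PYTHON_IMAGE_RE.search(event.get("Image", "")):
        return None
    cmdline = event.get("CommandLine", "")
    script = script_path(cmdline)
    reasons = []
    staged = bool(script) and any(r.search(script) for r in STAGING_PATH_RES)
    if staged:
        reasons.append(f"script staged in writable directory: {script}")
    if "-c" in tokenize(cmdline):
        reasons.append("inline code passed with -c instead of a script on disk")
    allowed = {h.lower() for h in dev_hosts}
    if event.get("Computer", "").lower() not in allowed:
        reasons.append("Python executed on a host not expected to run it")
    if not reasons:
        return None
    return {"host": event.get("Computer"), "user": event.get("User"),
            "parent": event.get("ParentImage"),
            "severity": "high" if staged else "medium", "reasons": reasons}


def scan_events(events: Iterable[dict], dev_hosts: Iterable[str] = ()) -> list:
    """Run evaluate() over a batch of events and keep only the alerts."""
    return [a for a in (evaluate(e, dev_hosts) for e in events) if a]


# Constructed sample events (hypothetical hosts, users and paths, not real telemetry).
DEV_HOSTS = ("DEV-WS01", "build-lnx-02", "mac-dev-03")
SAMPLE_EVENTS = [
    {"Computer": "DEV-WS01", "User": "CORP\\dev", "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "Image": "C:\\Program Files\\Python312\\python.exe",
     "CommandLine": 'python.exe "C:\\Users\\dev\\AppData\\Roaming\\npm-cache\\.p\\main.py"'},
    {"Computer": "DEV-WS01", "User": "CORP\\dev", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Python312\\python.exe",
     "CommandLine": "python.exe C:\\Projects\\app\\main.py"},
    {"Computer": "FIN-WS07", "User": "CORP\\jsmith", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Users\\jsmith\\AppData\\Local\\Programs\\Python\\Python311\\python.exe",
     "CommandLine": 'python.exe -c "import urllib.request, base64"'},
    {"Computer": "build-lnx-02", "User": "builder", "ParentImage": "/usr/bin/bash",
     "Image": "/usr/bin/python3", "CommandLine": "python3 /tmp/.cache/update.py"},
    {"Computer": "mac-dev-03", "User": "dev", "ParentImage": "/bin/zsh",
     "Image": "/Library/Frameworks/Python.framework/Versions/3.11/bin/python3.11",
     "CommandLine": "python3.11 /private/tmp/.setup/helper.py"},
    {"Computer": "DEV-WS01", "User": "CORP\\dev", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node.exe index.js"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS, DEV_HOSTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], "<-", alert["parent"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

Of the six constructed events, four alert: the two scripts under %APPDATA% and /tmp-style directories on developer machines are rated high, the inline `-c` execution on a finance workstation is rated medium for two reasons at once, and the node.exe launch and the project-directory script on a developer host produce nothing. The parent image is carried into the alert because a Python interpreter spawned by node.exe during a "coding assignment" is exactly the context the Securonix report describes, and it is the field an analyst will look at first.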
Link(s):
https://thehackernews.com/2024/07/north-korea-linked-malware-targets.html