Beware DEV#POPPER: Evolving Malware Targets Developers Everywhere

by do son · August 4, 2024

macOS browser credential theftfunctions | Image: Securonix

In recent months, the world has encountered a new campaign by North Korean hackers. The DEV#POPPER campaign targets software developers and affects victims in South Korea, North America, Europe, and the Middle East, as reported by Securonix experts.

The hackers employ social engineering techniques, posing as employers and enticing developers to download malicious software from GitHub under the guise of a test assignment. This malware, an updated version of BeaverTail, operates on Windows, Linux, and macOS systems.

The campaign shares similarities with another well-known attack, Contagious Interview, which targets Windows and macOS. The updated version of BeaverTail malware employs obfuscation techniques and is distributed via a ZIP archive containing an npm module.

Upon installation, the malware identifies the operating system and connects to a remote server for data exfiltration through the npm module. Additionally, the malware can deploy an auxiliary Python backdoor, InvisibleFerret, which collects system data and cookies, executes commands, uploads, and downloads files, and records keystrokes and clipboard contents.

Recent versions of the software have improved obfuscation and utilize AnyDesk for remote monitoring and persistence, as well as an enhanced FTP mechanism for data extraction. The Python script also serves as a conduit for launching a secondary script responsible for stealing confidential information from various web browsers—Google Chrome, Opera, and Brave.

To protect oneself, it is essential to critically evaluate any offers and files related to interviews and always verify the authenticity of sources before installing software, even if it appears legitimate.