Verticals Targeted: Software Development
Executive Summary
An ongoing social engineering campaign was observed targeting software developers. The threat actors use fake interviews to deliver a Python-based RAT, known as DevPopper.
Key Takeaways
- An ongoing social engineering campaign was observed targeting software developers.
- In the campaign, the threat actors use fake interviews to deliver a Python-based RAT, known as DevPopper.
- The threat actors behind DevPopper have retooled and have evolved their TTPs in recent months.
- The newer DevPopper variant has enhanced capabilities and can target Linux, Windows, and MacOS devices.
What is DevPopper?
An ongoing social engineering campaign was observed targeting software developers. The threat actors use fake interviews to deliver a Python-based RAT, known as DevPopper. Securonix reported on this activity earlier this year and recently provided an update on DevPopper’s evolving TTPs. Victims have primarily been located in South Korea, North America, Europe, and the Middle East. According to Securonix, the campaign is likely the work of North Korean threat actors, based on a history of similar campaigns originating from North Korea.
DevPopper uses a multi-stage infection chain that relies on social engineering. The threat actors pose as employers interviewing candidates for software developer positions. During the fake interview process, the targets are asked to perform technical tasks, such as downloading and running code from GitHub. The threat actors use this to trick the developers into installing malware that can gather system information and give the threat actors remote access to the victim’s machine.
The downloaded file is a ZIP containing an NPM package that includes a README file, as well as backend and frontend directories. When the developer runs the NPM package, an obfuscated JavaScript file is run that executes ‘curl’ commands through Node.js to download another archive file from the C2. This second archive file includes the next stage payload, an obfuscated Python script that has been dubbed DevPopper RAT.
DevPopper collects information about the system, including OS type, hostname, and network data, and sends it to the C2. DevPopper’s capabilities include networking and session creation, encoding data, providing persistent connections for ongoing remote control, the ability to search the file system and steal specific files, remote command execution (RCE) to deploy additional exploits or malware, clipboard logging, and keylogging.
In a recent update, Securonix noted the threat actors behind DevPopper have retooled and have evolved their TTPs. The threat actors are now targeting Linux, Windows, and MacOS devices. They have also added additional malware variants to the campaign. The new DevPopper variant has additional capabilities, including extended FTP functionality, an enhanced capability to upload files to remote servers using encrypted transmission, support for multiple operating systems, enhanced encoding and obfuscation, directory traversal, and the ability to steal stored credentials and session cookies from multiple popular browsers.
IOCs
PolySwarm has multiple samples associated with this activity.
33617f0ac01a0f7fa5f64bd8edef737f678c44e677e4a2fb23c6b8a3bcd39fa2
bc4a082e2b999d18ef2d7de1948b2bfd9758072f5945e08798f47827686621f2
63238b8d083553a8341bf6599d3d601fbf06708792642ad513b5e03d5e770e9b
2d10b48454537a8977affde99f6edcbb7cd6016d3683f9c28a4ec01b127f64d8
You can use the following CLI command to search for all DevPopper samples in our portal:
$ polyswarm link list -f DevPopper
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.
