Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

Securonix Threat Research Security Advisory – Fast Track/Early-Warning Coverage Advisory (FCA)

Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

By Securonix Threat Research: D.Iuzvyk, T. Peck, O.Kolesnikov

Apr 24, 2024

tldr:

The Securonix Threat Research Team has been monitoring a new ongoing social engineering attack campaign (tracked by STR as DEV#POPPER) likely associated with North Korean threat actors who are targeting developers using fake interviews to deliver a Python-based RAT.

The Threat Research team has been investigating a new threat campaign (tracked by STR as DEV#POPPER) that’s been targeting software developers. STR has been able to identify malicious software repositories used by attackers as part of the attack campaign, which we’ll delve deeper into to get a better understanding as to how the malicious threat actors infect systems and their capabilities.

Introduction

Social engineering is an advanced tactic used by threat actors to manipulate individuals into divulging confidential information or performing actions that they might normally not. The attacker’s goal is to trick the user into unknowingly compromising themselves or place of employment. Unlike traditional hacking methods which rely on exploitation, social engineering targets human vulnerabilities by exploiting psychological manipulation. This method plays on basic human traits such as trust, fear or the desire to simply be helpful.

In the case of the DEV#POPPER attack campaign we’ve been observing, an interesting form of social engineering was noted which involves the targeting of specific professional groups such as software developers. This technique, while not extremely prevalent at the moment, is still ongoing and has been reported a number of times in the past by North Korean threat actors.

In summary, an example of this is where attackers set up fake job interviews for developers, pretending to be legitimate job interviewers. During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub. The software contained a malicious Node JS payload that, once executed, compromised the developer’s system.

This method is effective because it exploits the developer’s professional engagement and trust in the job application process, where refusal to perform the interviewer’s actions could compromise the job opportunity. The attackers tailor their approach to appear as credible as possible, often by mimicking real companies and replicating actual interview processes. This guise of professionalism and legitimacy lulls the target into a false sense of security, making it easier to deploy malware without arousing suspicion.

Note – At the time of publication, the attackers GitHub repositories we analyze below have already been deleted. However, members of the cybersecurity community have picked up on other GitHub hosted samples as well.

Stage 1: Malicious NPM package

The first stage involves downloading a zip archive from GitHub which would have been sent to the interviewee from the interviewer. The zip archive contains a legitimate looking Node Package Manager (NPM) package containing a README.md, and Frontend and Backend directories.

Buried in the Backend directory was a single JavaScript file which on the surface appears to be a simple code snippet using Mongoose, which is a Node.js package that provides MongoDB object modeling in an asynchronous environment. 

Figure 1: imageDetails.js – unusually long scroll bar

However, closer examination reveals a huge line of highly obfuscated code when scrolling way over to the right. An example of how large this is can be seen by looking at the scrollbar in the figure above. The gif in  the figure below also demonstrates this as you can see the obfuscated code past a large comment block on the right.

Figure 2: Video highlighting the malicious JavaScript code out of view

Removing the JavaScript code from imageDetails.js and placing it into its own file allows us to analyze it a bit easier. The  is obfuscated using several layers of obfuscation including base64 and variable substitutions.

Figure 3: Extracted obfuscated JavaScript  code from imageDetails.js.

Stage 2: Command execution and payload download

When the victim eventually executes the malicious NPM package, the malicious JavaScript code in Stage 1 is executed through the NodeJS process (node.exe). The purpose of the malicious script in Stage 1 is simply to download and extract an archive file, extract it and then execute the next stage.

Through the node.exe process we observed the following commands:

Stage 3: Python code execution – .npl

The “.npl” file is technically a Python file, without an extension and uses a starting dot “.” to indicate to the operating system that it is a hidden file. This may or may not be hidden from view to the user depending on their operating system settings.

The file contains a large base64 payload and uses a combination of string manipulation and decoding to execute the Python code hidden inside of it. Base64 encoding and XOR logic are used for the content behind the hidden string. This is then executed as Python code using exec().

Figure 4: Python execution .npl file contents

The decoded result contains several key variables such as its current path and a hard-coded C2 server:  hxxp://147.124.214[.]131:1244. The Python script then calls and executes another Python script which is located at C:\Users\Redacted\.n2/pay.

Stage 3: Python code execution – pay

The “pay” script is also an extensionless file similar to the first Python script we analyzed. This next script contains similar payload execution tactics where a Base64 string is decoded in the same fashion, however two unique strings are executed. Each of these can be seen in the figure below.

Figure 5: res – Python file contents

The first decoded code string executes and gathers system and network information from an infected computer and then sends this data to a remote server which includes the following:

• Operating system type
• Hostname
• OS release version
• OS version
• Username of the logged-in user
• A unique identifier for the device (uuid) generated by hashing the MAC address and username

This information is gathered and then transmitted in a JSON-like format back to the attacker’s C2 server by issuing a carefully crafted HTTP POST request.

The second decoded and executed string is much longer than the first and contains quite a bit more functionality. Once executed, the script functions similarly to a RAT (Remote Access Trojan), allowing the attacker to interact with the victim’s machine remotely. After analyzing the decoded portion of the script, we observed the following capabilities:

• Networking and session creation: Used for persistent connections: This establishes persistent TCP connections including structuring and sending JSON formatted data.
• File system interaction: Contains functions to traverse directories and filter files based on specific extensions and directories to exclude. It can also locate and potentially exfiltrate files that do not match certain criteria (like file size and extension).
• Remote command execution: The script contains several functions which allow for the execution of system shell commands and scripts.. This includes browsing the filesystem and executing shell commands.
• Data Handling and transmission: Functionality for encoding data over an established TCP connection. It handles data reception, decoding different character encodings and manages transmission errors and timeouts.
• Exfiltration and uploading: For exfiltration,the Python script is able to send files to a remote FTP server with the ability to filter in or out files based on its extension. Other functions exist to help automate this process by collecting data from various user directories like Documents and Downloads.
• Clipboard and keystroke logging: The script includes capabilities to monitor and exfiltrate clipboard contents and keystrokes.

Securonix recommendations

When it comes to attacks which originate through social engineering, it’s critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews. The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is in a highly distracted and in a much more vulnerable state.  When it comes to prevention and detection, the Securonix Threat Research team recommends:

• Raise awareness to the fact that people are targets of social engineering attacks just as technology is exploitation. Remaining extra vigilant and security continuous, even during high-stress situations is critical to preventing the issue altogether.
• In case of code execution, monitor common malware staging directories, especially script-related activity in world-writable directories. In the case of this campaign the threat actors staged in subdirectories found in the user’s %APPDATA% directory.
• Monitor for the usage of non-default scripting languages such as Python on endpoints and servers which should normally not execute it. To assist in this, leverage additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.
• Securonix customers can scan endpoints using the Securonix hunting queries below.

MITRE ATT&CK Matrix

Relevant provisional Securonix detections

• EDR-ALL-930-RU
• EDR-ALL-1246-RU
• NGF-ALL-833-ER

Relevant hunting queries

(remove square brackets “[ ]” for IP addresses or URLs)

• index = activity AND rg_functionality = “Web Proxy” AND (destinationaddress = “147.124.214[.]131” OR destinationaddress = “173.211.106[.]101”)
• index = activity AND rg_functionality = “Next Generation Firewall” AND  (destinationaddress = “147.124.214[.]131” OR destinationaddress = “173.211.106[.]101”)
• index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Network connection detected” OR deviceaction = “Network connection detected (rule: NetworkConnect)”) AND destinationport=”1244″)
• index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND destinationprocessname ENDS WITH “python.exe” AND (destinationprocessname ENDS WITH “cmd.exe” OR destinationprocessname ENDS WITH “powershell.exe”)
  (change the first destinationprocessname to sourceprocessname)

C2 and infrastructure

Analyzed files/hashes

References:

1. Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors
   https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/