Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

May 1, 2024, 11:06 p.m.

Description

This report covers DEV#POPPER, an ongoing social engineering campaign, likely orchestrated by North Korean threat actors, that targets software developers through fake job interviews. During the interview the developers are tricked into downloading and executing a malicious Python-based RAT disguised as benign software. The report walks through the attack chain stage by stage: the malicious NPM package delivered to the victim, the command execution it triggers, the download of the RAT payload, and the RAT's capabilities, which include system information gathering, remote command execution, data exfiltration, and keystroke logging.

Date

Published: April 29, 2024, 6:38 p.m.

Created: April 29, 2024, 6:38 p.m.

Modified: May 1, 2024, 11:06 p.m.

Indicators

f9ca12321fb91157cce8513e935810d1c2005ab0739322b474f0cb4af2605d16

977a9024962102b02128d391c0543c63328d3f26701eca1a5d282af4d493dc2e

45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e

33617f0ac01a0f7fa5f64bd8edef737f678c44e677e4a2fb23c6b8a3bcd39fa2

173.211.106.101

147.124.214.131

http://147.124.214.131
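The indicators above are four SHA-256 file hashes, two IPv4 addresses and one URL. The following script is an added example, not code from the report or from the threat actor, showing how a responder would sweep for them offline: it hashes files on disk and scans connection or proxy log lines against the published values without ever contacting the listed hosts. The log format and the sample lines are constructed for the example and are not from the report.

```python
"""Offline IOC sweep for the DEV#POPPER indicators listed above.

Added example, not part of the report. Nothing here touches the network,
so the C2 host is never resolved or contacted from an analyst workstation.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from typing import Iterable

# Indicators copied verbatim from the report's indicator list.
SHA256_IOCS = {
    "f9ca12321fb91157cce8513e935810d1c2005ab0739322b474f0cb4af2605d16",
    "977a9024962102b02128d391c0543c63328d3f26701eca1a5d282af4d493dc2e",
    "45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e",
    "33617f0ac01a0f7fa5f64bd8edef737f678c44e677e4a2fb23c6b8a3bcd39fa2",
}
IP_IOCS = {"173.211.106.101", "147.124.214.131"}
URL_IOCS = {"http://147.124.214.131"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample log lines (not from the report), generic proxy format.
SAMPLE_LOG = [
    "2024-04-29T18:38:00Z CONNECT src=10.0.0.12 dst=147.124.214.131 dport=80",
    "2024-04-29T18:38:01Z GET http://147.124.214.131/ status=200",
    "2024-04-29T18:40:00Z CONNECT src=10.0.0.12 dst=93.184.216.34 dport=443",
]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(digest: str) -> bool:
    """Case-insensitive lookup; EDR exports often emit upper-case hex."""
    return digest.strip().lower() in SHA256_IOCS


def scan_files(paths: Iterable[Path]) -> list[tuple[str, str]]:
    """Hash each file in 1 MiB chunks; return (path, sha256) for IOC hits."""
    hits = []
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digest = h.hexdigest()
        if match_hash(digest):
            hits.append((str(p), digest))
    return hits


def _url_matches(url: str, ioc: str) -> bool:
    # Accept the bare IOC URL plus any port, path or query beneath it,
    # but reject a longer host such as http://147.124.214.1311.
    url = url.rstrip("/")
    return url == ioc or (url.startswith(ioc) and url[len(ioc)] in "/:?")


def scan_log(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, indicator) for every URL or IP IOC in a log."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen: set[tuple[str, str]] = set()   # one hit per indicator per line
        for url in URL_RE.findall(line):
            for ioc in URL_IOCS:
                if _url_matches(url, ioc) and ("url", ioc) not in seen:
                    seen.add(("url", ioc))
                    hits.append((n, "url", ioc))
        for ip in IPV4_RE.findall(line):
            if ip in IP_IOCS and ("ip", ip) not in seen:
                seen.add(("ip", ip))
                hits.append((n, "ip", ip))
    return hits


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        benign = Path(d) / "notes.txt"
        benign.write_bytes(b"nothing to see here\n")
        # Empty unless one of the listed samples is actually on disk.
        print("file hits:", scan_files([benign]))
    for hit in scan_log(SAMPLE_LOG):
        print("log hit:", hit)
```

Point `scan_files` at the directories the interview "project" was unpacked into and `scan_log` at egress or proxy logs covering the interview window; a URL hit on line 2 of the sample alongside the IP hit on the same line is expected, since the IOC URL and IP name the same host.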

Attack Patterns

DEV#POPPER

North Korean threat actors

T1059.006 (Command and Scripting Interpreter: Python)

T1059.003 (Command and Scripting Interpreter: Windows Command Shell)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1070.004 (Indicator Removal: File Deletion)

T1082 (System Information Discovery)

T1132 (Data Encoding)

T1033 (System Owner/User Discovery)

T1560 (Archive Collected Data)

T1041 (Exfiltration Over C2 Channel)