Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

May 1, 2024, 11:06 p.m.

Description

This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, that targets software developers through fake job interviews. The attackers trick the developers into downloading and executing a malicious Python-based RAT disguised as benign software. The report meticulously dissects the attack chain, uncovering its stages, from a malicious NPM package to command execution, payload download, and the RAT's capabilities, including system information gathering, remote command execution, data exfiltration, and keystroke logging.

Date

  • Created: April 29, 2024, 6:38 p.m.
  • Published: April 29, 2024, 6:38 p.m.
  • Modified: May 1, 2024, 11:06 p.m.

Indicators


Attack Patterns

  • DEV#POPPER
  • North Korean threat actors
  • T1059.006
  • T1059.003
  • T1059.001
  • T1070.004
  • T1082
  • T1132
  • T1033
  • T1560
  • T1041