Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

May 1, 2024, 11:06 p.m.

Description

This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, which targets software developers through fake job interviews. The attackers trick the developers into downloading and executing a malicious Python-based RAT disguised as benign software. The report meticulously dissects the attack chain, uncovering its stages, from a malicious NPM package to command execution, payload download, and the RAT's capabilities, including system information gathering, remote command execution, data exfiltration, and keystroke logging.

Date

Published: April 29, 2024, 6:38 p.m.
Created: April 29, 2024, 6:38 p.m.
Modified: May 1, 2024, 11:06 p.m.

Indicators

f9ca12321fb91157cce8513e935810d1c2005ab0739322b474f0cb4af2605d16

977a9024962102b02128d391c0543c63328d3f26701eca1a5d282af4d493dc2e

45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e

33617f0ac01a0f7fa5f64bd8edef737f678c44e677e4a2fb23c6b8a3bcd39fa2

173.211.106.101

147.124.214.131

http://147.124.214.131

Attack Patterns

DEV#POPPER

North Korean threat actors

T1059.006 (Command and Scripting Interpreter: Python)

T1059.003 (Command and Scripting Interpreter: Windows Command Shell)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1070.004 (Indicator Removal: File Deletion)

T1082 (System Information Discovery)

T1132 (Data Encoding)

T1033 (System Owner/User Discovery)

T1560 (Archive Collected Data)

T1041 (Exfiltration Over C2 Channel)