Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering
Aug. 1, 2024, 11:31 a.m.
Description
The intelligence report covers an ongoing malware campaign that targets software developers through social engineering, in particular fake job interviews. The threat actors behind the campaign have upgraded their tooling: it now supports Windows, Linux and macOS and carries more robust capabilities than earlier versions. The malware uses Python scripts to establish persistent connections, execute remote commands, exfiltrate data via FTP, log keystrokes and clipboard contents, and deploy additional payloads. New functionality includes enhanced obfuscation, extended FTP capabilities, multi-OS support, and post-exploitation scripts for browser credential theft. The report analyses the malware's tactics, techniques and procedures (TTPs) and gives recommendations for prevention and detection.
Date
Published: Aug. 1, 2024, 11:01 a.m.
Created: Aug. 1, 2024, 11:01 a.m.
Modified: Aug. 1, 2024, 11:31 a.m.
Indicators
Attack Patterns
DEV#POPPER
T1059.006 Command and Scripting Interpreter: Python
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.001 Command and Scripting Interpreter: PowerShell
T1070.004 Indicator Removal: File Deletion
T1082 System Information Discovery
T1132 Data Encoding
T1033 System Owner/User Discovery
T1560 Archive Collected Data
T1041 Exfiltration Over C2 Channel