Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering
Aug. 1, 2024, 11:31 a.m.
Description
The intelligence report discusses an ongoing malware campaign that targets software developers through social engineering tactics like fake job interviews. The threat actors behind this campaign have upgraded their tools, now supporting multiple operating systems (Windows, Linux, and macOS) and employing more robust capabilities. The malware leverages Python scripts to establish persistent connections, execute remote commands, exfiltrate data via FTP, log keystrokes and clipboard contents, and deploy additional payloads. New functionalities include enhanced obfuscation, extended FTP capabilities, multi-OS support, and post-exploitation scripts for browser credential theft. The report provides analysis of the malware's tactics, techniques, and procedures (TTPs), along with recommendations for prevention and detection.
Date
| Published | Created | Modified |
|---|---|---|
| Aug. 1, 2024, 11:01 a.m. | Aug. 1, 2024, 11:01 a.m. | Aug. 1, 2024, 11:31 a.m. |
Indicators
eff2a9fca46425063dca080466427353dc52ac225d9df7c1ef0ec8ba49109b71
bc4a082e2b999d18ef2d7de1948b2bfd9758072f5945e08798f47827686621f2
63238b8d083553a8341bf6599d3d601fbf06708792642ad513b5e03d5e770e9b
b31f5bde1bdbc2dfd453b91bab2e9be0becec555ee6edd70744c77f2ad15d18c
6263b94884726751bf4de6f1a4dc309fb19f29b53cce0d5ec521a6c0f5119264
2d10b48454537a8977affde99f6edcbb7cd6016d3683f9c28a4ec01b127f64d8
0639d8eaad9df842d6f358831b0d4c654ec4d9ebec037ab5defa240060956925
77.37.37.81
67.203.7.171
67.203.123.171
http://de.ztec.store:8000
http://de.ztec.store:8000/www/run.xn--py-02t
http://67.203.7.171:1244/keys
Attack Patterns
DEV#POPPER
T1059.006
T1059.003
T1059.001
T1070.004
T1082
T1132
T1033
T1560
T1041