Think twice before completing a test task for the job you like.
Researchers have discovered a hacking campaign called Dev Popper aimed at software developers. Attackers disguise themselves as employers and send out fictitious vacancies for IT specialists. Their real goal is to introduce a dangerous remote Access Trojan (RAT) in Python on the computers of victims. In the process of an imaginary interview, applicants are asked to perform a "test task" - download and run the code from the repository on GitHub.
The attack is implemented in several stages using social engineering techniques to gradually break into the system. To get started, you can download a ZIP archive containing an auxiliary NPM package with the file README.md and separate folders for client and server code.
Then the masked imageDetails JavaScript file is activated.js in the backend directory. Via Node.js it executes curl commands to upload an additional encrypted archive p.zi from an external server.
Inside the p archive.zi is the main component of the attack - an obfuscated Python script npl, that is, the Trojan itself. Once the RAT is on the infected machine, it collects basic information: the type of operating system, hostname, and network data that is then sent to the attackers server.
In addition to collecting data, the Trojan has the widest functionality:
According to Securonix analysts, the tactics of the Dev Popper campaign are most likely used by hacker groups from North Korea, known for using social engineering techniques. However, there are not enough grounds to directly blame the DPRK authorities for the attacks.
Experts emphasize that attackers skillfully exploit the trust of IT specialists in the employment process. The unwillingness to miss out on a potential vacancy due to non-compliance with the instructions of the imaginary employer makes the attack extremely effective.
Researchers have discovered a hacking campaign called Dev Popper aimed at software developers. Attackers disguise themselves as employers and send out fictitious vacancies for IT specialists. Their real goal is to introduce a dangerous remote Access Trojan (RAT) in Python on the computers of victims. In the process of an imaginary interview, applicants are asked to perform a "test task" - download and run the code from the repository on GitHub.
The attack is implemented in several stages using social engineering techniques to gradually break into the system. To get started, you can download a ZIP archive containing an auxiliary NPM package with the file README.md and separate folders for client and server code.
Then the masked imageDetails JavaScript file is activated.js in the backend directory. Via Node.js it executes curl commands to upload an additional encrypted archive p.zi from an external server.
Inside the p archive.zi is the main component of the attack - an obfuscated Python script npl, that is, the Trojan itself. Once the RAT is on the infected machine, it collects basic information: the type of operating system, hostname, and network data that is then sent to the attackers server.
In addition to collecting data, the Trojan has the widest functionality:
- Support for a stable communication channel for remote management of a compromised system
- Commands for detecting and stealing files of interest from the file system
- Ability to run malicious code remotely
- Direct transfer of data from the victim via FTP from critical folders such as Documents and Downloads
- Intercept keystrokes and clipboard data to steal credentials
According to Securonix analysts, the tactics of the Dev Popper campaign are most likely used by hacker groups from North Korea, known for using social engineering techniques. However, there are not enough grounds to directly blame the DPRK authorities for the attacks.
Experts emphasize that attackers skillfully exploit the trust of IT specialists in the employment process. The unwillingness to miss out on a potential vacancy due to non-compliance with the instructions of the imaginary employer makes the attack extremely effective.
