North Korean-linked threat actors have expanded their malware campaign to target software developers across multiple platforms, including Windows, Linux, and macOS. The campaign, identified as DEV#POPPER, involves sophisticated social engineering techniques designed to deceive developers into downloading malicious software. This software is disguised as legitimate coding assignments and job interview tasks, hosted on platforms like GitHub. Researchers from Securonix and Palo Alto Networks have found that the malware, known as BeaverTail, is capable of operating across different operating systems and has evolved to include enhanced features for data exfiltration and system compromise.
The attack chain involves tricking victims into downloading a ZIP archive that contains a booby-trapped npm module. When installed, this module runs an obfuscated JavaScript payload that identifies the operating system and establishes a connection with a remote server to exfiltrate sensitive information. The malware can also download additional payloads, such as the Python-based backdoor InvisibleFerret. This backdoor gathers detailed system metadata, captures web browser cookies, logs keystrokes, and facilitates file uploads and downloads.
Recent updates to the malware have introduced advanced obfuscation techniques and the use of AnyDesk remote monitoring software to maintain persistence on compromised systems. Additionally, the malware now incorporates an improved FTP mechanism for data exfiltration and can steal sensitive information from popular web browsers like Google Chrome, Opera, and Brave. These enhancements indicate a significant upgrade in the malware’s capabilities, making it more effective at bypassing security measures and exfiltrating valuable data.
The findings underscore North Korea’s persistent use of advanced cyber tactics despite international sanctions. Researchers note that North Korean actors continue to access foreign technology and social media platforms, leveraging VPNs and proxies to circumvent censorship and surveillance. This evolving threat landscape highlights the need for heightened cybersecurity awareness and robust defenses to counteract sophisticated attacks from state-sponsored actors.
Reference:
