Fake job interviews target developers with new Python backdoor

A new campaign tracked as “Dev Popper” is targeting software developers with fake job interviews in an attempt to trick them into installing a Python remote access trojan (RAT).

The developers are asked to perform tasks supposedly related to the interview, like downloading and running code from GitHub, in an effort to make the entire process appear legitimate.

However, the threat actor's goal is make their targets download malicious software that gathers system information and enables remote access to the host.

According to Securonix analysts, the campaign is likely orchestrated by North Korean threat actors based on the observed tactics. The connections are not strong enough for attribution, though.

Multi-stage infection chain

“Dev Popper” attacks involve a multi-stage infection chain based on social engineering, designed to deceive targets through a process of progressive compromise.

The attackers initiate contact by posing as employers that offer looking to fill software developer positions. During the interview, the candidates are asked to download and run what is presented as a standard coding task from a GitHub repository.

The file is a ZIP archive containing an NPM package, which has a README.md as well as frontend and backend directories.

Once the developer runs the NPM package, an obfuscated JavaScript file (“imageDetails.js”) hidden inside the backend directory is activated, executing ‘curl’ commands through the Node.js process to download an additional archive (“p.zi”) from an external server.

Obfuscated JavaScript
Obfuscated JavaScript
Securonix

Inside the archive is the next stage payload, an obfuscated Python script (“npl”) that functions as a RAT.

Python file contents
Python file contents
Securonix

Once the RAT is active on the victim’s system, it collects and sends basic system information to the command and control (C2) server, including OS type, hostname, and network data.

Securonix reports that the RAT supports the following capabilities:

  • Persistent connections for ongoing control.
  • File system commands to search for and steal specific files or data.
  • Remote command execution capabilities for additional exploits or malware deployment.
  • Direct FTP data exfiltration from high-interest folders such as ‘Documents’ and ‘Downloads.’
  • Clipboard and keystroke logging to monitor user activity and possibly capture credentials.

Although the perpetrators of the Dev Popper attack aren’t known, the tactic of using job lures as bait to infect people with malware is still prevalent, so people should remain vigilant of the risks.

The researchers note that the method "exploits the developer’s professional engagement and trust in the job application process, where refusal to perform the interviewer’s actions could compromise the job opportunity," which makes it very effective.

North Korean hackers have been using the "fake job offer" tactic for multiple operations over the years to compromise their targets over various platforms.

There have been numerous reports [1, 2, 3, 4, 5] last year about North Korean hacking groups using fake job opportunities to connect to and compromise security researchers, media organizations, software developers (especially for DeFi platforms), or employees of aerospace companies.

In a spear-phishing attack, the threat actor impersonated journalists to collect intelligence from think tanks, research hubs, and academic organizations.

Related Articles:

Warmcookie Windows backdoor pushed via fake job offers

Hackers phish finance orgs using trojanized Minesweeper clone

Hackers attack HFS servers to drop malware and Monero miners

Infostealer malware logs used to identify child abuse website members

Cisco warns of NX-OS zero-day exploited to deploy custom malware