Archive.fm

CyberWire Daily

Pop goes the developer. [Research Saturday]

Tim Peck, a Senior Threat Researcher at Securonix, is discussing their work on "Threat actors behind the DEV#POPPER campaign have retooled and are continuing to target software developers via social engineering." The DEV#POPPER campaign continues to evolve, now targeting developers with malware capable of operating on Linux, Windows, and macOS systems. The threat actors, believed to be North Korean, employ sophisticated social engineering tactics, such as fake job interviews, to deliver stealthy malware that gathers sensitive information, including browser credentials and system data. The research can be found here: Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
21m
Broadcast on:
31 Aug 2024
Audio Format:
mp3


[MUSIC] >> You're listening to the CyberWire Network, powered by N2K. [MUSIC]

>> Hey, everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners: today get 20% off your DeleteMe plan when you go to joindeleteme.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/N2K and enter code N2K at checkout. That's joindeleteme.com/N2K, code N2K. [MUSIC]

>> Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [MUSIC]

>> It looks like the threat actors put their lure out: "We're looking for some dev," perhaps some financial incentive listed in the job offer. In that case, they would kind of go back and forth with the potential interviewee, or victim at this point, and then establish a relationship and then conduct the interview. The whole thing behind this is that this isn't unusual. Everything that they're doing is pretty in line with a typical, I guess you could call it, practical interview. [MUSIC]

>> That's Tim Peck, senior threat researcher at Securonix. The research we're discussing today is titled "Threat Actors Behind the DEV#POPPER Campaign Have Retooled and Are Continuing to Target Software Developers via Social Engineering."

>> So this campaign has been going on for a while. This is something that our team has been tracking since the beginning of the year. So a part of our day-to-day is basically examining attack data from our various data sources for the sake of building detections, and in the course of our investigations, we came across this novel or interesting sample that we were able to analyze and observe. And it's a really interesting attack campaign because it plays on the human element, as opposed to a traditional attack that you might see that might involve exploitation or phishing emails. The idea is for the threat actors to host malicious job interviews in the hope of appearing legitimate, with the end goal of getting the victim, or the interviewee in this case, to unknowingly detonate malware on their machine, which would give the attackers full control over the machine.

>> I see. Well, let's go through some of the who, what, where, when, and why of it. Do we have a notion of who's behind this?

>> Yeah. In fact, in our original publication, we associated this with North Korea. And this was due to several telemetry sources that we were able to observe. Some I have to be careful with how I speak about, because they're proprietary. It also relates very closely to Palo Alto's Contagious Interview campaign. The benefit is our research kind of complements each other, because it seems like this is something that they've been investigating for a while along with our team. And it complements each other because our samples are different; however, some of the TTPs and the malware involved were very, very similar. Yeah, it turns out we both came to the conclusion North Korean threat actors were behind these interviews. And that was, yeah, like I said, based on quite a few different factors, including some of the language used and the lure documents, passwords, and geo telemetry data that we were able to observe.

>> I see. Who in particular, if anybody, are they targeting here?

>> You know, it kind of seems all over. During our original publication, the telemetry pointed mostly to South Korea. Then it kind of spread around to various other countries as well. And during our last update, we identified samples originating from Germany, South Korea, the United States, Pakistan, France. It was kind of all over. So there wasn't like a single target in mind, aside from the obvious group of people, which would be developers in this case.

>> Well, let's walk through it together here. Can you take me through how someone would find themselves in the sights of this DEV#POPPER campaign?

>> It looks like they're mostly targeting kind of smaller job boards. We didn't see a lot of activity from larger entities like LinkedIn or Indeed. And so it looks like the threat actors put their lure out: "We're looking for some dev," perhaps some financial incentive listed in the job offer. In that case, they would kind of go back and forth with the potential interviewee, or victim at this point, and then establish a relationship and then conduct the interview. And it's at this point where it gets really interesting. The threat actors... and the whole thing behind this is that this isn't unusual. Everything that they're doing is pretty in line with a typical, I guess you could call it, practical interview. So during the course of the interview, the threat actors would provide a link to a GitHub repository, which was a basic zip file. The interviewee would be instructed to extract, analyze, and then execute the zip file's contents. What's interesting is that it does appear legit, a legitimate Node.js package. It's not unless you look really, really close at one of the JavaScript files. And this is highlighted in our advisory. In fact, I think we posted a GIF of this, and it's actually really interesting. I encourage you to look at it, because you can pull open this malicious file in a text editor, and at a high level you don't see anything wrong with it. It's not until you scroll way over to the right. There's a single, very long one-liner that contains the malicious code. Highly, highly obfuscated JavaScript. It was really good at getting around AV detections, had very few hits. And once that executes, it kicks off a few other stages of malware that embed themselves into your system to allow the attacker full command and control.

>> Can we go through some of that? Once they get hold here, what happens next?

>> Sure. Basically, this highly obfuscated command does a few things. The first thing it does is it executes a system curl command to download a Python file. It also downloads the entire Python library in a zip file format. And that all gets extracted into the user's local folder, C:\Users\<username>. The Python code that gets extracted and executed ends in an .npl file. However, that extension isn't correct. It's actually a Python file. And basically, that is a really, really complex piece of malware. It does a few interesting things. For one, it allows, like I mentioned, for full command and control. This establishes a connection back to the attacker's infrastructure and allows them to perform several tasks, one of which is run system commands. It allows for exfiltration. It allows for file and directory browsing. It also performs some interesting other side functions that include screen capture and clipboard monitoring, as well as some automated theft. I believe browsers were heavily targeted, scraping out cookies, session data, that type of thing. So, yeah, in a nutshell, that's kind of the entire attack chain. And at that point, whether the attackers find what they're looking for at that stage, they can pull the plug. But all this would be going on during the course of an interview. So all this is kind of behind the scenes. So I'd imagine they'd probably have a team of people, some conducting the interview, some snooping around inside of the interviewee or victim's computer.

>> We'll be right back.

>> And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to InfoSec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, and Cisco: 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity, or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack, or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

>> In the process of this, you're in the midst of the interview, they ask you to download this file. Nothing seems amiss. And even for someone who was, let's say, technically proficient, at first glance there's nothing that would throw up a lot of red flags looking at these files that they're asking you to use.

>> Exactly. And you've put yourself in the interviewee's situation. You're stressed out, you're trying to impress your interviewers, because you want the job. You'll go along with whatever they ask. And so there's some inherent trust, or lack of object, I guess you could say, at that point, because you're trying to essentially get a job, get work. And it's also not unusual to examine or execute code from a dev standpoint. So there's not really anything out of the ordinary that these attackers are asking this individual to do. And so it plays on a lot of human emotion and element at that point, because I try to put myself into that situation and ask myself, "Man, would I have executed this without properly vetting it?" Because it would be really, really easy to miss. I mean, you look at the contents of that original zip file, and it's just several directories of files, all this Node.js stuff. And I believe in DEV#POPPER that malicious code was stuffed inside some type of arbitrary server connection profile code. So it's possible that that file may have been completely missed, not even examined by the person executing it.

>> I guess one of the things that struck me here as interesting, if not odd, is that these folks are targeting, presumably, information from a business computer. How many people are doing job interviews on the computer of their current employer? I guess enough.

>> That's so true. I guess that's the hope. That would be the end goal. And you just think of the danger there. If they're able to get into those systems and they do have full command and control, at that point they're able to, behind the scenes, elevate their privileges, possibly move laterally. You've got to ask yourself, "What does this user have access to?" And as a dev, they probably have access to a lot of other internal systems, all the internal resources, what sites they are logged into, since we know that they're targeting browsers and session data. At that point, the threat actors have active cookies and session tokens for currently logged-in websites. And those could be internal GitHub projects. That could be very sensitive information from a company standpoint. So that risk would be considered very, very high from a business standpoint.

>> And the tools here are cross-platform?

>> Yes. No, that's correct. Yeah, we observed, if you take a look at the Python code, it breaks down, and the code basically pivots based on detected OS. And so we observed support for this malware on Windows, macOS, and Linux.

>> I see. And you all have been tracking some updates and enhanced functionality of this tool along the way here. Are there any particular new elements that you want to mention?

>> Yeah, so some of the code changes that we observed were networking session creation. So it doesn't matter how many times the code executes; the attackers are able to live in multiple sessions. And that could be a way to circumvent potential connection issues, or as a potential second backdoor. File system interaction was a bit more robust. For instance, scraping for certain doc types and directories: say the attackers are interested in .doc or .docx files, they're able to quickly scan and parse within a set of directories or subdirectories. So it allowed for a lot more efficiency. The code was a bit more cleaned up, I guess you could say. The keyboard and keystroke logging code was a bit more robust as well. And the general obfuscation: the code was a bit more hidden and a bit more difficult to analyze because of that. So there were some counter-analysis techniques that we saw in the newer update and research update that we didn't see previously.

>> Yeah, that's interesting. And again, coming back to the whole social engineering aspect of it, I can imagine also, let's say you're a developer and you fall victim to this. Again, you're job hunting on a work computer; you're not going to go running to your boss to say, "Hey, I made a mistake here," right? Or you could see that that process could be slowed down while someone tried to figure out how on earth they were going to handle this.

>> Yeah, exactly. And I mean, it's possible that the attackers might potentially lengthen the interview to distract the interviewee at that point, just to allow for more time in the system without raising suspicion. And if the interview is, say, a standard interview lasting about an hour, the attackers have been poking around in that system for an hour, deeply rooting themselves at that point, and potentially the lateral movement phase has already started.

>> Right. So what are your recommendations here for folks to best protect themselves?

>> Along those lines, definitely do not conduct interviews on work machines for other companies. That should be number one. Number two, it's difficult, but I would suggest trying to have a cybersecurity-first mindset, right? Interviews are stressful, and I get that. I've been in that place many times. I think we all have. But it's critical, whether you're opening that email or you're conducting that interview: if anything seems off, your interviewer seems really eager to get you to execute something from a strange GitHub repository that doesn't have a lot of history, perhaps these red flags should add up, and question your interviewer. And it's possible that, if this is a legit interview, your interviewer might be impressed with your level of object, just not executing random code on your machine. But in the case of this, if you want to be super safe, use VMs. There's nothing wrong with that. Build out a Windows sandbox or something to run code on. And then you don't have any risk of any personal or corporate information being stolen or retrieved in any way.

>> Yeah. How do you rate the sophistication of this effort here?

>> It's incredibly sophisticated. I mean, when you think about the personnel involved, you need people who are confident and can conduct themselves in an interview and present themselves as a legitimate entity. And not only that, but the sophistication of the malware. The Python code was really interesting. The level of obfuscation, it didn't appear to be like it was run through some type of online obfuscator. It was really well thought out and methodical. So I'd rate the sophistication very high. It definitely had the backing of a nation-state, which, when it comes from Korea, I think probably a good percentage of the threats coming from Korea would be nation-state-backed North Korea.

>> Our thanks to Tim Peck from Securonix for joining us. The research is titled "Threat Actors Behind the DEV#POPPER Campaign Have Retooled and Are Continuing to Target Software Developers via Social Engineering." We'll have a link in the show notes.

>> Imagine this: your primary identity provider goes down, whether it's a cloud outage, network issue, or even a cyber attack. Suddenly, your business grinds to a halt. But what if it didn't have to? Meet Identity Continuity from Strata, the game-changing solution that keeps your business running smoothly, no matter what. Whether your cloud IDP crashes or your on-prem system faces a hiccup, Identity Continuity seamlessly shifts authentication to a secondary or even tertiary IDP, automatically and without disruption. Powered by the Maverics identity orchestration platform, Identity Continuity uses smart health checks to monitor your IDPs' availability and instantly activates failover strategies tailored to your needs. When the coast is clear, it's a seamless switchback. No more downtime, no lost revenue, no frustrated customers. Just continuous, secure access to your critical applications, every single time. Protect your business from the high costs of IDP outages. With Identity Continuity from Strata, downtime is a thing of the past. Learn more at strata.io. Keep your business moving, even when the unexpected happens. That's strata.io.

>> We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. Mixing by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [MUSIC]
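A practical check suggested by the trick Peck describes (an ordinary-looking Node.js file whose malicious, heavily obfuscated JavaScript sits on a single very long line, far to the right of the visible text), written here as an added example rather than code from the podcast or from the Securonix report. It walks a cloned repository, flags source lines that carry a long run of padding whitespace or that are unusually long and also contain loader-style tokens (eval, child_process, curl, hex escapes, the .npl extension mentioned in the interview), and comes with two constructed sample files so it runs offline. The line-length and padding thresholds and the indicator list are the editor's assumptions, not values taken from the research.

```python
"""Scan JavaScript files for payloads hidden far to the right of a line.

Added example (not Securonix's code). Thresholds and the indicator list are
the editor's assumptions, not indicators from the DEV#POPPER report.
"""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

MAX_LINE = 300   # assumption: hand-written JS rarely exceeds this width
MIN_PAD = 100    # assumption: a run of 100+ spaces/tabs is padding, not formatting

# Tokens typical of loader/obfuscated code. Heuristic list (assumption), not IOCs.
INDICATORS = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|child_process|\bexecSync\s*\(|\bexec\s*\("
    r"|\bcurl\b|String\.fromCharCode|\\x[0-9a-fA-F]{2}|\.npl\b"
)
WS_RUN = re.compile(r"[ \t]{2,}")


@dataclass
class Finding:
    file: str
    line: int
    reasons: list[str] = field(default_factory=list)


def line_reasons(line: str) -> list[str]:
    """Return the anomalies observed on one source line (empty if none)."""
    reasons = []
    if len(line) > MAX_LINE:
        reasons.append(f"long line ({len(line)} chars)")
    pad = max((len(r) for r in WS_RUN.findall(line)), default=0)
    if pad >= MIN_PAD:
        reasons.append(f"whitespace run of {pad} chars (payload pushed off-screen?)")
    hits = sorted({m.group(0) for m in INDICATORS.finditer(line)})
    if hits:
        reasons.append("indicators: " + ", ".join(hits))
    return reasons


def is_suspicious(reasons: list[str]) -> bool:
    """A padding run alone is enough to report; a long line needs an
    indicator too, so ordinary minified bundles are not all reported."""
    has_pad = any(r.startswith("whitespace run") for r in reasons)
    has_len = any(r.startswith("long line") for r in reasons)
    has_ind = any(r.startswith("indicators") for r in reasons)
    return has_pad or (has_len and has_ind)


def scan_source(text: str, name: str = "<inline>") -> list[Finding]:
    """Scan one file's contents; returns a Finding per suspicious line."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = line_reasons(line)
        if is_suspicious(reasons):
            out.append(Finding(name, n, reasons))
    return out


def scan_tree(root: Path) -> list[Finding]:
    """Scan every .js/.cjs/.mjs file under root, node_modules included."""
    out = []
    for p in sorted(root.rglob("*")):
        if p.suffix in {".js", ".cjs", ".mjs"} and p.is_file():
            out.extend(scan_source(p.read_text(errors="replace"), str(p)))
    return out


# Constructed samples (not from the campaign): a plain connection profile, and
# the same profile with an obfuscated call appended after 400 spaces.
BENIGN_JS = (
    "// db connection profile\n"
    "module.exports = {\n  host: 'db.internal',\n  port: 5432,\n};\n"
)
HIDDEN_JS = (
    "// db connection profile\n"
    "module.exports = { host: 'db.internal', port: 5432 };"
    + " " * 400
    + "eval(String.fromCharCode(99,111,110,115,111,108,101));\n"
)

if __name__ == "__main__":
    targets = [Path(a) for a in sys.argv[1:]]
    if targets:
        findings = [f for t in targets for f in scan_tree(t)]
    else:
        findings = scan_source(BENIGN_JS, "benign.js") + scan_source(HIDDEN_JS, "hidden.js")
    for f in findings:
        print(f"{f.file}:{f.line}: " + "; ".join(f.reasons))
    sys.exit(1 if findings else 0)
```

Run it against the unpacked interview repository (`python scan.py ./take-home-task`) before anything in it is executed; with no arguments it scans the two constructed samples and reports only the padded line. Legitimate minified bundles will trip the long-line rule when they also contain `eval(` or `exec(`, so treat a hit as a prompt to open the file at that line, not as proof of compromise; the stronger signal is the whitespace run, which formatting tools do not produce.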