Update: DEV#POPPER Campaign Threat Actors Adapt Tactics to Target Software Developers Through Social Engineering

Keypoints

  • The DEV#POPPER campaign continues to target developers with new malware variants.
  • Victims are located in South Korea, North America, Europe, and the Middle East.
  • Social engineering tactics are used to manipulate victims into executing malicious code.
  • The malware supports multiple operating systems: Windows, Linux, and macOS.
  • Obfuscation techniques include Base64 encoding and dynamic function names to evade detection.
  • Malware capabilities include data exfiltration, remote command execution, and system monitoring.
  • New features include enhanced FTP functionality and the use of Remote Monitoring and Management (RMM) tools.
  • Securonix recommends maintaining a security-focused mindset and using virtual environments for executing untrusted code.

MITRE Techniques

  • [T1560] Archive Collected Data – Used to collect and archive sensitive information from compromised systems.
  • [T1132] Data Encoding – Data is encoded to evade detection during transmission.
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – Malicious code is heavily obfuscated to hinder analysis.
  • [T1070.004] Indicator Removal: File Deletion – Malware may delete logs or indicators of compromise to avoid detection.
  • [T1033] System Owner/User Discovery – Identifies the user and system information for targeted attacks.
  • [T1082] System Information Discovery – Gathers detailed system information to tailor attacks.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Utilizes PowerShell for executing commands on the victim’s system.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executes commands via the Windows Command Shell.
  • [T1059.006] Command and Scripting Interpreter: Python – Employs Python scripts to perform malicious activities.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates data to a command and control server.

Indicators of Compromise

  • [IP Address] C2 endpoints – 67.203.7.171, 67.203.123.171
  • [Domain] C2 domain – de.ztec.store
  • [URL] C2/download endpoints – http://67.203.7.171:1244/pdown, http://67.203.123.171:1244/pdown, http://de.ztec.store:8000
  • [File Name] Malware payloads/components – onlinestoreforhirog.zip, printfulRoute.js, run.py, pay
  • [SHA256] File hashes – 6263b94884726751bf4de6f1a4dc309fb19f29b53cce0d5ec521a6c0f5119264, BC4A082E2B999D18EF2D7DE1948B2BFD9758072F5945E08798F47827686621F2, and 2 more hashes
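The indicator list above is only useful once it is swept against proxy, DNS and EDR telemetry, and the Base64 obfuscation noted in the keypoints means a literal string match can miss a C2 URL that only appears after decoding. The following is an added example, not Securonix's tooling or anything from the DEV#POPPER code: it loads the IPs, domain, file names and hashes listed above, matches them against constructed sample log lines (hashes case-insensitively, file names as whole tokens), and re-scans any long Base64 literal after decoding it. The assumption that an encoded literal may carry the C2 URL is the example's own, not a claim the page makes.

```python
"""IOC sweep for the DEV#POPPER indicators listed above (added example, not Securonix's tooling).

Constructed sample log lines are embedded so it runs offline; the Base64 handling
assumes (not stated on the page) that an encoded literal may carry a C2 URL.
"""
import base64
import re

# Indicators copied from the page. Hashes are compared case-insensitively, so the
# mixed-case hash from the list is normalised here; file names are lowercased too.
IOC_IPS = {"67.203.7.171", "67.203.123.171"}
IOC_DOMAINS = {"de.ztec.store"}
IOC_FILENAMES = {"onlinestoreforhirog.zip", "printfulroute.js", "run.py", "pay"}
IOC_SHA256 = {
    h.lower()
    for h in (
        "6263b94884726751bf4de6f1a4dc309fb19f29b53cce0d5ec521a6c0f5119264",
        "BC4A082E2B999D18EF2D7DE1948B2BFD9758072F5945E08798F47827686621F2",
    )
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)
TOKEN_RE = re.compile(r"[\w.\-]+")               # file-name tokens; splits on / \ : = " and spaces
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long Base64-looking runs only


def decode_b64_literals(text):
    """Decode Base64 runs that yield printable ASCII; everything else is skipped."""
    decoded = []
    for m in B64_RE.finditer(text):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            plain = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if plain.isprintable():
            decoded.append(plain)
    return decoded


def find_iocs(text):
    """Return a set of (category, value) pairs for indicators present in text."""
    hits = set()
    hits.update(("ip", ip) for ip in IP_RE.findall(text) if ip in IOC_IPS)
    hits.update(("domain", h.lower()) for h in HOST_RE.findall(text) if h.lower() in IOC_DOMAINS)
    # Whole-token match only: the bare name "pay" would otherwise fire on "payment".
    hits.update(("filename", t) for t in TOKEN_RE.findall(text) if t.lower() in IOC_FILENAMES)
    hits.update(("sha256", h.lower()) for h in SHA256_RE.findall(text) if h.lower() in IOC_SHA256)
    return hits


def scan_lines(lines):
    """Scan each line as-is and again after decoding any Base64 literal it carries."""
    hits = set()
    for n, line in enumerate(lines, 1):
        views = [("line %d" % n, line)]
        views += [("line %d (base64-decoded)" % n, d) for d in decode_b64_literals(line)]
        for where, text in views:
            hits.update((cat, val, where) for cat, val in find_iocs(text))
    return sorted(hits)


# Constructed sample lines (not from the page). Line 4 hides the C2 URL from the
# IOC list in a Base64 literal, which is the assumed obfuscation this sweep undoes.
_B64_C2 = base64.b64encode(b"http://de.ztec.store:8000").decode()
SAMPLE_LINES = [
    "proxy CONNECT 67.203.7.171:1244 path=/pdown user=dev01",
    "node printfulRoute.js started",
    "dns query de.ztec.store type=A",
    'const c = "%s";' % _B64_C2,
    "edr quarantined sha256=BC4A082E2B999D18EF2D7DE1948B2BFD9758072F5945E08798F47827686621F2 "
    "path=C:\\Users\\dev01\\Downloads\\run.py",
    "GET /payment/status 200",
]

if __name__ == "__main__":
    for cat, val, where in scan_lines(SAMPLE_LINES):
        print("%-9s %-64s %s" % (cat, val, where))
```

Running it reports one hit per indicator and view: the proxy line on the C2 IP, the DNS line and the decoded JavaScript literal on the C2 domain, the EDR line on both the quarantined hash and `run.py`, and nothing on the `/payment/status` request, which shows why the short name `pay` must be matched as a whole token rather than a substring. Feed real telemetry in through `scan_lines` one line per record; the minimum Base64 run length of 24 is a tuning choice that trades decoding noise against missing short literals.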

Read more: https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/