Fake Job Interviews Target Developers With New Python Backdoor
A new campaign dubbed "Dev Popper" is targeting software developers through fake job interviews, aiming to trick them into installing a Python remote access trojan (RAT). The attackers pose as potential employers offering developer positions. During the interview, candidates are asked to perform tasks such as downloading and running code from GitHub, which appears to be part of the interview process. However, this code contains malicious components.
The attack involves a multi-stage process: candidates are asked to download an NPM package from GitHub, which contains an obfuscated JavaScript file ("imageDetails.js"). This file executes commands to download an additional archive from an external server, ultimately installing the RAT on the victim's system. Once installed, the RAT collects and sends basic system information to a command and control server.
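The first stage described above is an obfuscated JavaScript file inside a repository the candidate is asked to run. The following triage check is an added example, not code from the report or from Securonix: `triageScript`, its patterns and thresholds, and the sample strings are all assumptions constructed for illustration.

```javascript
// Heuristic pre-run triage for JavaScript files in an untrusted repository.
// Patterns and thresholds are assumptions, not indicators taken from the report.
const OBFUSCATION = [
  ["very long line", (s) => s.split("\n").some((l) => l.length > 1000)],
  ["hex-style identifiers", (s) => (s.match(/\b_0x[0-9a-f]{3,}\b/gi) || []).length >= 5],
  ["dense escape sequences", (s) => (s.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length >= 20],
];
const CAPABILITY = [
  ["process execution", /child_process|\bexecSync\b|\bexec\s*\(|\bspawn\s*\(/],
  ["network download", /\bcurl\b|\bwget\b|https?:\/\/|\bfetch\s*\(/],
  ["dynamic code", /\beval\s*\(|new\s+Function\s*\(/],
];

// Returns which markers matched and a verdict:
//   "high"   obfuscated and visibly able to run commands or download
//   "review" obfuscated only; capabilities may be hidden in encoded strings
//   "low"    readable code (any capabilities are still listed for the reviewer)
function triageScript(name, source) {
  const obfuscation = OBFUSCATION.filter(([, test]) => test(source)).map(([label]) => label);
  const capabilities = CAPABILITY.filter(([, re]) => re.test(source)).map(([label]) => label);
  let verdict = "low";
  if (obfuscation.length > 0) verdict = capabilities.length > 0 ? "high" : "review";
  return { name, obfuscation, capabilities, verdict };
}

// Constructed samples (not real malware): obfuscated with a visible capability,
// obfuscated with nothing visible, and ordinary readable code.
const SAMPLE_OBFUSCATED =
  "const _0x1a2b=['\\x63\\x75\\x72\\x6c'];" +
  "var _0x3c4d=_0x1a2b;".repeat(6) +
  "require('child_process').exec(_0x3c4d[0]);";
const SAMPLE_OPAQUE = "var _0xabc1=_0xdef2;".repeat(5);
const SAMPLE_CLEAN = "module.exports = (a, b) => a + b;\n";

for (const [name, src] of [
  ["imageDetails.js (constructed stand-in)", SAMPLE_OBFUSCATED],
  ["opaque.js", SAMPLE_OPAQUE],
  ["sum.js", SAMPLE_CLEAN],
]) {
  console.log(JSON.stringify(triageScript(name, src)));
}
```

Run it over the contents of every `.js` file in an interview repository before installing or executing anything; a "review" verdict still warrants reading the file in an isolated environment, because obfuscation can hide the command strings these patterns look for.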
While Securonix analysts believe the campaign is likely orchestrated by North Korean threat actors based on observed tactics, attribution is uncertain. Using fake job offers to distribute malware is not a new tactic, and it remains effective because it exploits the trust inherent in the job application process. North Korean hackers have previously used similar tactics to compromise security researchers, media organizations, software developers (especially in DeFi platforms), and employees of aerospace companies.
Source
https://www.bleepingcomputer.com/news/security/fake-job-interviews-target-developers-with-new-python-backdoor/

Follow further news on the webboard or on Facebook: NCSA Thailand