Beware of False Job Offers: The Rise of Dev Popper Attacks


Cybersecurity experts are warning software developers about a new threat dubbed “Dev Popper.” This campaign exploits the guise of job interviews to distribute a Python-based remote access trojan (RAT). Targeted developers are manipulated into downloading and running malicious code, cleverly disguised as a typical coding task for job screening.

The Allure of Fake Interviews

The campaign begins with what appears to be a promising job opportunity. Developers are contacted by supposed employers who are eager to fill positions. As part of the interview process, candidates are instructed to download coding tasks from a GitHub repository. These tasks, however, are far from benign: they are carefully crafted to install malware under the radar.

The downloaded ZIP file contains an npm package with a deceptive JavaScript file hidden inside it. This file, named “imageDetails.js,” runs commands to fetch further malicious payloads from an external source, gradually compromising the developer’s computer.

Unpacking the Malicious Software

The depth of this malware’s infiltration is alarming. Once activated, the RAT embedded in the Python script named “npl” begins relaying sensitive system information back to its control server. This information includes the operating system details, hostname, and network data.

[Figure: Obfuscated JavaScript code extracted from imageDetails.js (Source: Securonix)]

According to Securonix, the capabilities of the RAT are extensive:

  • It maintains persistent connections for continuous access.
  • It can execute file system commands to locate and exfiltrate sensitive files.
  • It allows remote command execution for further attacks.
  • It supports direct data exfiltration from critical folders and logs keystrokes to potentially capture credentials.

A Persistent Threat Landscape

The use of job opportunities as a facade for these attacks highlights a persistent vulnerability within the tech community. This method is particularly insidious because it leverages the professional commitment and trust of developers. Turning down a task during an interview process might jeopardize their chances at landing the job, making the ruse highly effective.

Over the years, similar tactics have been used by cybercriminals, including North Korean groups, to target a wide range of professionals from security researchers to aerospace employees. The “fake job offer” has proven to be a successful vector for these phishing and malware campaigns.

Stay Vigilant: Tips for Developers

To defend against such sophisticated threats, developers and IT professionals are advised to:

  • Verify the Employer’s Identity: Before engaging with any potential employer, conduct thorough background checks. Verify the company’s contact information by using official websites and LinkedIn profiles. If possible, reach out through official channels rather than responding directly to unsolicited recruitment emails.
  • Use Secure Environments for Testing Code: When asked to run code as part of a job interview, consider using a virtual machine or a container. This isolates your main operating system from potential harm. Virtual machines can be reverted to a previous state easily, wiping out any malware that may have been inadvertently installed.
  • Consult with Peers or Mentors: If you receive a job offer or an interview request that involves technical tasks, discuss it with experienced colleagues or mentors. They might provide insights on whether the tasks seem typical for a job interview.
  • Be Wary of Download Requests: Be cautious if asked to download software or code from unofficial or suspicious sources. Legitimate employers typically use well-known, secure platforms for recruitment tests.
  • Install Antivirus Software and Keep it Updated: Ensure that your system is protected with the latest antivirus software, which can help detect and quarantine malicious files before they cause damage.
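
Before unpacking or running an interview task delivered as a ZIP like the one described above, the archive can be triaged in memory. The following Python check is an added example, not code from Securonix or from this article; its heuristics (npm lifecycle scripts, process spawning, dynamic evaluation, network references, obfuscator-style identifiers, very long lines) are generic assumptions rather than Dev Popper signatures, and the sample archive and its file contents are constructed.

```python
import io
import json
import re
import zipfile

# Generic heuristics chosen for this example; they are not Dev Popper signatures.
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}  # run by npm on install
PATTERNS = {
    "spawns processes": re.compile(r"child_process|\bexecSync\b|\bspawn\("),
    "dynamic code execution": re.compile(r"\beval\(|new Function\("),
    "network reference": re.compile(r"https?://|\bcurl\b|\bwget\b"),
    "obfuscator-style names": re.compile(r"\b_0x[0-9a-f]{3,}\b"),
}
MAX_LINE = 1000          # obfuscated or minified code tends to sit on very long lines
MAX_BYTES = 5 * 1024**2  # skip members declared larger than this (zip-bomb guard)

def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (path, finding) pairs, reading the archive in memory without extracting it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.file_size > MAX_BYTES:
                findings.append((name, "oversized member, not scanned"))
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            if name.endswith("package.json"):
                try:  # tolerate malformed JSON or a non-object "scripts" value
                    scripts = dict(json.loads(text)["scripts"])
                except (ValueError, KeyError, TypeError):
                    scripts = {}
                for hook in sorted(LIFECYCLE & scripts.keys()):
                    findings.append((name, f"lifecycle script {hook}: {scripts[hook]}"))
            elif name.endswith((".js", ".cjs", ".mjs")):
                findings += [(name, label) for label, rx in PATTERNS.items() if rx.search(text)]
                if any(len(line) > MAX_LINE for line in text.splitlines()):
                    findings.append((name, "very long line (possible obfuscation)"))
    return findings

def build_sample() -> bytes:
    """Constructed, harmless sample archive; contents are placeholders, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("task/package.json", json.dumps({"scripts": {"postinstall": "node lib/imageDetails.js"}}))
        zf.writestr("task/lib/imageDetails.js", "require('child_process');\nvar _0x3a1f='https://example.invalid/p';\n")
        zf.writestr("task/index.js", "console.log('hello');\n")
    return buf.getvalue()
```

Pass the raw bytes of the downloaded archive to triage_zip and review every finding by hand. An empty result only means these heuristics matched nothing, so the code should still be run inside a virtual machine or container.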

Author: Anas Hasan
Date: April 29, 2024

Anas Hasan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
