
Pyongyang Hackers Deploy Backdoors Via Fake Job Interviews

North Korean Predilection for Elaborate Social Engineering Attacks Strikes Again
Likely North Korean hackers are goading software developers into downloading malware as part of a putative job opportunity. (Image: Shutterstock)

Likely North Korean threat actors are using fake job interviews to trick software developers into downloading disguised Python backdoors as part of an ongoing espionage campaign.


The attackers construct fake job interview scenarios designed to appear legitimate and enticing to developers seeking employment opportunities.

Once a victim has been lured in, the attackers instruct them to download seemingly harmless files from GitHub repositories, purportedly as part of the interview process, according to a report from Securonix, which is tracking the campaign as Dev#Popper.

Pyongyang hackers have a history of constructing elaborate social engineering ruses to infect computers that belong to security researchers and tech workers, including by masquerading as recruiters on LinkedIn and sending phishing emails purportedly containing job offers (see: North Korean Hackers Find Value in LinkedIn).

This suspected North Korean attack involves deployment of a malicious Node Package Manager package that appears innocuous at first glance. On execution, it begins the infiltration of the victim's system. Following this initial stage, the hackers install a Python-based remote access Trojan.

The backdoor provides the attackers with unfettered access to sensitive information and system resources, posing a threat to individual developers and the organizations they work for.

What sets this campaign apart is its exploitation of the inherent trust developers place in the job application process. While the GitHub repositories associated with the attack may have been removed, the threat persists, researchers said.

Later-Stage Campaign Details

The Node Package Manager package provided by the attacker includes files that mimic legitimate development tools, such as

On executing the downloaded NPM package, the malicious JavaScript code within it is activated through the Node.js process. This code serves as a gateway for further infiltration, initiating the next stages of the attack.

The JavaScript code downloads and extracts an archive file, which contains a disguised Python backdoor in the form of a hidden .npl file. Although labeled as a Python file, it employs string manipulation and decoding techniques to obscure its true nature.

The Python code within the backdoor establishes communication with a command-and-control server controlled by the attackers.

The Python backdoor executes additional malicious scripts, such as a file labeled pay within the .n2 directory. These scripts carry out various malicious activities, including data exfiltration, system reconnaissance, and remote command execution.

The attackers gain persistent access to compromised systems, allowing them to exfiltrate sensitive data, install additional malware or further exploit the compromised environment.
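A defender-side triage check for the artifacts this section names (an .npl file, a .n2 directory holding a pay script, npm hooks that run at install time, and decode-then-execute code), written as an added example; it is not Securonix's tooling or code from the report, and the heuristics, hook list and the sample package tree it builds are constructed assumptions.

```python
import json
import os
import re
import tempfile

# Heuristic (assumption, not from the report): decode-then-execute idioms in JS/Python.
DECODE_EXEC = re.compile(rb"b64decode|atob\(|fromCharCode|\bexec\(|\beval\(")
# npm lifecycle hooks that run automatically during 'npm install'.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

def scan_package(root):
    """Walk an extracted package directory and return human-readable findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if os.path.basename(dirpath) == ".n2":          # second-stage drop directory
            findings.append(f"hidden .n2 directory: {rel_dir}")
            if "pay" in filenames:
                findings.append(f"'pay' script inside .n2: {rel_dir}/pay")
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".npl"):                     # disguised Python backdoor
                findings.append(f"hidden .npl file: {rel}")
            if name == "package.json":                    # code that runs on install
                with open(path, "rb") as fh:
                    scripts = json.load(fh).get("scripts", {})
                for hook in LIFECYCLE:
                    if hook in scripts:
                        findings.append(f"lifecycle hook {hook}: {scripts[hook]}")
            if name.endswith((".js", ".py", ".npl")):
                with open(path, "rb") as fh:
                    if DECODE_EXEC.search(fh.read()):
                        findings.append(f"decode/exec pattern: {rel}")
    return findings

def demo():
    # Build a constructed package tree mirroring the described chain, then scan it.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".n2"))
    files = {  # constructed sample contents; the '...' are placeholders, not payloads
        "package.json": '{"name": "demo-task", "scripts": {"postinstall": "node index.js"}}',
        "index.js": 'eval(Buffer.from("...", "base64").toString());',
        ".npl": "import base64; exec(base64.b64decode(b'...'))",
        os.path.join(".n2", "pay"): "# placeholder for the second-stage script",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_package(root)
```

Run `demo()` to see the six findings the constructed tree produces; point `scan_package()` at any extracted package directory to triage it the same way.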

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
