As if unreasonably lengthy coding tests weren’t enough, now developers should be on the lookout for malicious ones. Threat actors posing as job interviewers have recently started tricking job-hunting devs into downloading malware.
Security firm Securonix, which has dubbed the campaign “DEV#POPPER,” said the most likely perpetrators were hackers associated with the government of North Korea in a recent report. The modus operandi? Tricking software developers into attending fake job interviews, then downloading seemingly legitimate programs from repositories like GitHub as part of coding tests.
In reality, the software packages in question carry a malicious Node.js payload containing obfuscated Python script that functions as a remote access trojan (RAT). Once the RAT runs on a developer’s system, it collects basic information for transmission to a command and control server, and also gives the threat actor behind the campaign capabilities ranging from file system commands and data exfiltration to clipboard and keystroke logging.
While attacks on developers are common, Securonix VP of threat research and data/AI Oleg Kolesnikov told IT Brew, DEV#POPPER has several noteworthy elements in its attack chain.
“What’s most interesting to me is how, when compared to some of the traditional attacks, this type of attack creates a ‘gray area’ or ‘gray space’ for threat actors to hide and evade detection,” Kolesnikov told IT Brew via email.
Software development environments are often unstable and prone to unpredictable changes due to the continual introduction of new tools and software, Kolesnikov wrote, providing an ideal cover for attackers to hide in the noise.
“For instance, python spawning a cmd interpreter or node.exe downloading code may not be rare behavior in some development environments that can always be relied upon as a standalone indicator for detection,” he added.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Securonix researchers wrote in the report that such tactics are effective because they exploit “the developer’s professional engagement and trust in the job application process” and leverage the illusion that the target could lose out on a new job if they don’t download the software in question. However, they did not find evidence the technique was “extremely prevalent” at the moment.
Security firms have previously attributed some job scam attacks to actors affiliated with North Korea’s government. In 2023, Palo Alto Networks highlighted two campaigns the firm’s researchers said involved use of fake job interviews for data exfiltration and financial gain. The FBI has warned that some front groups linked to North Korea have gone one step further, attempting to land their members remote IT jobs at US companies.
Kolesnikov told IT Brew the method was “quite effective—mainly because it’s still fairly niche.” He added that developers should look out for red flags like lack of transparency about interview tasks and the specific code they’re requested to download, as well as authenticate job interviews through official employer channels.
As threat actors are likely to take steps to obfuscate such packages against standard antivirus software, and legitimate job interviewers sometimes test applicants’ security knowledge with similar tactics, Kolesnikov had one more piece of advice.
“Running the code in a separate isolated VM [virtual machine] with restricted access would be preferred,” he wrote.