Threat actors masquerade as interviewers and send a ZIP file (onlinestoreforhirog.zip) to candidates as part of a fake interview, which contains legitimate files and a malicious JavaScript file (printfulRoute.js) that is obfuscated to evade detection.
The obfuscated code uses techniques like base64 encoding, dynamic function names, and string concatenation to hide its functionality. After deobfuscation, the code reveals a C2 address (http://67.203.7[.]171:1244) and its capability to perform malicious tasks.
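The two hiding tricks named above (base64 literals and string concatenation) can be undone mechanically during triage. The following is an added example, not code from the original post or from the Securonix analysis: it scans a constructed JavaScript snippet modelled on that description, decodes base64 literals that yield printable text, rejoins concatenated string chains, and reports any IP:port or URL indicators that surface. The snippet, the variable names in it, and the filtering thresholds are assumptions.

```python
import base64
import re

# Constructed sample modelled on the page's description of printfulRoute.js:
# one base64 literal hides the C2 URL, a concatenation chain splits it again,
# and a decoy literal decodes to non-printable bytes (should be filtered out).
SAMPLE_JS = r"""
var _0x4a = "aHR0cDovLzY3LjIwMy43LjE3MToxMjQ0";
var fn = "request";
var pad = "////////////////";
var host = "67.203" + ".7" + ".171:" + "1244";
var w = Buffer.from(_0x4a, "base64").toString();
"""

B64_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')          # long base64-looking literals
CONCAT_RE = re.compile(r'("[^"\n]*"(?:\s*\+\s*"[^"\n]*")+)')   # "a" + "b" + "c" chains
INDICATOR_RE = re.compile(r'(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?')

def decode_b64_literals(js):
    """Return base64 string literals that decode to printable ASCII text."""
    out = []
    for m in B64_RE.finditer(js):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:           # bad padding / non-alphabet bytes
            continue
        text = raw.decode("ascii", errors="ignore")
        # Drop anything that lost bytes on decode or is not printable text.
        if text and text.isprintable() and len(text) == len(raw):
            out.append(text)
    return out

def join_concats(js):
    """Rejoin chains of quoted fragments joined with '+' into single strings."""
    out = []
    for m in CONCAT_RE.finditer(js):
        parts = re.findall(r'"([^"\n]*)"', m.group(1))
        out.append("".join(parts))
    return out

def extract_indicators(js):
    """Network indicators (IPv4[:port], with optional scheme) exposed by both passes."""
    found = set()
    for s in decode_b64_literals(js) + join_concats(js):
        found.update(INDICATOR_RE.findall(s))
    return sorted(found)

if __name__ == "__main__":
    for ioc in extract_indicators(SAMPLE_JS):
        print(ioc)
```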
The main function dynamically adapts data extraction to the target operating system before orchestrating data transmission.
C2 communication modules construct HTTP POST requests to a specified server, incorporating system information, a unique host identifier, a timestamp, and extracted data, which is formatted as form data and includes details such as hostname, platform, and a specific identifier for the data type.
An analyzed malware employs a function named “rt” to download next-stage payloads by constructing a URL and using curl to download a file to a temporary location.
The function retries downloading until a counter reaches a specific value or the downloaded file meets size requirements.
The downloaded file is then extracted, and a Python script named “.npl” is saved in the user’s home directory; that script in turn downloads another Python script, “pay”, which contains heavily obfuscated code.
Deobfuscating reveals a feature-rich malware capable of gathering detailed system information, retrieving geographic location, communicating with a C&C server, executing commands, and monitoring user activity through keylogging and clipboard monitoring.
DEV#POPPER has evolved, incorporating RMM capabilities for persistent infection through Anydesk, bypassing AV detection.
The malware’s exfiltration capabilities have significantly expanded, enabling recursive file searching, filtering, and uploading via FTP, including binary transfer and data obfuscation, demonstrating increased automation and stealth for data theft.
The Python script employs advanced obfuscation techniques, including directory traversal functions with filtering mechanisms, to obscure its purpose and hinder analysis. Functions named ld, ld0, ld1, and ld2 complicate code comprehension and evade detection.
The script exhibits enhanced capabilities beyond the previous sample, such as targeted geolocation data collection and more focused system information gathering, indicating increased sophistication and potential malicious intent.
After compromising a host, attackers leveraged a Python backdoor to access browser cookies stored in Chrome extensions by downloading a known cookie-stealing script (browser_cookie3), but ran into dependency issues.
Once those were resolved, the malware exfiltrated browser data and system information, sent heartbeats, and downloaded further payloads from the C2 server (67.203.7.171:1244) for execution.
According to Securonix, a malicious Python script downloaded from a remote server is designed to steal sensitive information from various web browsers across different operating systems.
The malware employs obfuscation techniques and leverages class-based architecture to dynamically adapt to the target system’s operating system, executing specific code modules for macOS, for instance, to extract browser credentials from Chrome, Opera, and Brave.