
North Korean Hackers Hide Malware in JSON Storage Services


The North Korean threat actors behind the Contagious Interview campaign have updated their methodology by using JSON storage services to stage and deliver malicious payloads.

NVISO researchers reported that the threat actors are leveraging services like JSON Keeper, JSONsilo, and npoint.io to host malware within trojanized code projects, which are distributed under the guise of job assessments or project collaboration.

Phishing and Malware Delivery

The campaign typically involves approaching targets, primarily software developers, on professional networking sites like LinkedIn. The victims are instructed to download a demo project from code repositories such as GitHub or GitLab.

In a project identified by NVISO, a configuration file contained a Base64-encoded value masquerading as an API key. In reality, this value was a URL pointing to a JSON storage service that held the next stage of the attack in an obfuscated format.
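A reviewer handed an unfamiliar demo project can check for this pattern before running anything. The following is an added example, not code from NVISO or from the article: it scans configuration text for Base64 values that decode to URLs and flags hosts on a watchlist. The `jsonkeeper.com` and `jsonsilo.com` hostnames, the function names and the sample file are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Watchlist for the services the article names. Only npoint.io appears as a
# domain on the page; the other two hostnames are assumptions.
WATCHED_HOSTS = ("npoint.io", "jsonkeeper.com", "jsonsilo.com")

# Runs of (standard or URL-safe) Base64 characters long enough to hide a URL.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def decode_url(token):
    """Return (url, host) if the token is Base64 for an http(s) URL, else None."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)  # restore padding stripped above
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8").strip()
        if not text.startswith(("http://", "https://")):
            return None
        host = urlparse(text).hostname
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return (text, host.lower()) if host else None


def scan_config(text):
    """Return [(line_no, url, on_watchlist)] for every Base64-hidden URL."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            decoded = decode_url(match.group(0))
            if decoded is None:
                continue
            url, host = decoded
            watched = any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)
            findings.append((line_no, url, watched))
    return findings

# Constructed sample: a .env-style file whose "API key" is really an encoded URL.
SAMPLE_CONFIG = "\n".join([
    "PORT=3000",
    "API_KEY=" + base64.b64encode(b"https://api.npoint.io/EXAMPLE-ID").decode(),
    "SESSION_SECRET=" + base64.b64encode(b"session-secret-value").decode(),
])

if __name__ == "__main__":
    print(scan_config(SAMPLE_CONFIG))
```

Any Base64 value that decodes to a URL in a file meant to hold keys or secrets deserves a manual look, whether or not its host is on the watchlist.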

This secondary payload is the BeaverTail JavaScript malware, which is capable of harvesting sensitive data and dropping a Python backdoor called InvisibleFerret. While InvisibleFerret’s core function remains largely unchanged, its new iteration fetches an additional payload known as TsunamiKit from Pastebin. TsunamiKit is designed for system fingerprinting, data collection, and fetching further payloads.

The researchers concluded that the actors behind Contagious Interview are casting a wide net to compromise any interesting software developer, aiming to steal sensitive data and cryptocurrency wallet information. The use of legitimate services like JSON storage platforms and code repositories allows the actors to operate stealthily and blend in with normal network traffic.
