North Korean threat actors are running a malware campaign tracked as “Contagious Interview” that targets IT professionals in the cryptocurrency, Web3 and artificial intelligence sectors. The operation deploys remote access backdoors and a trojanized MetaMask wallet extension to steal digital assets from its victims. The lure is a job interview: the malicious code ships inside poisoned NPM packages presented as a technical skills assessment, which candidates run themselves during the supposed evaluation.
The campaign marks a notable step in financially motivated intrusion tradecraft, using a software-supply-chain lure to get code running inside development environments. The attackers rely on two malware families, BeaverTail and InvisibleFerret, both of which have been updated repeatedly to expand their data-theft capabilities. Recent variants tamper with browser extensions and intercept cryptocurrency credentials. Beyond establishing persistent backdoor access, the malware hunts for sensitive files, including wallet data, password manager databases and development environment secrets, across Windows, macOS and Linux systems.
Contagious Interview: A Multi-Stage Cyberattack Targeting Developers
According to threat intelligence analysts, the latest attack chain has been streamlined. The initial JavaScript payload has been cut down to essentials: it beacons to command-and-control servers and downloads the next stages. Keeping the first stage small reduces the chance that security tooling flags it while leaving the attackers in control of what runs next.
The attack unfolds in coordinated stages. Victims are first prompted to run malicious JavaScript embedded in trojanized NPM packages presented as a technical interview assessment. On execution, the script contacts command-and-control infrastructure to retrieve encoded server addresses and a campaign identifier, then downloads two further JavaScript files and the Python-based InvisibleFerret backdoor.
One JavaScript component is a lightweight backdoor that gives the operators remote command execution on the compromised system. The other searches the file system for sensitive files and exfiltrates them, selecting targets by keywords such as “wallet,” “metamask,” “private,” “mnemonic,” and “password,” a clear indication that cryptocurrency credentials and personal secrets are the objective.
Exploiting Trust: The MetaMask Compromise
The most alarming part of the Contagious Interview campaign is its tampering with legitimately installed MetaMask wallet extensions. Through the lightweight backdoor, the attackers push an additional script that scans Chrome and Brave profiles for an installed MetaMask extension. When one is found, the malware downloads a trojanized build of the extension from the command-and-control servers and rewrites the browser’s configuration files to register it in place of the original.
Chrome guards its preference files against tampering with HMAC-SHA256 message authentication codes (MACs, not signatures); the malware computes valid MACs for the entries it changes, so the browser accepts the modified extension registration instead of reverting it. The trojanized MetaMask build differs only minimally from the genuine code: roughly 15 malicious lines are injected into the `submitPassword` function. When the user unlocks the wallet, the injected code captures the master password together with the encrypted vault, which holds the seed phrase and private keys and can be decrypted with that password.
The stolen data is transmitted to attacker-controlled servers, giving the threat actors full control of the victim’s cryptocurrency holdings. The precision of the injection matters: the extension keeps working exactly as the legitimate one does, which makes the compromise hard to notice for users and for security software alike.
Defender Strategies Against Sophisticated Malware
Organizations can reduce exposure to campaigns of this kind with a few concrete controls. Monitor for suspicious NPM packages in development workflows and enforce code review before anything received from an outside party is executed. Network administrators should block traffic to the command-and-control infrastructure published for Contagious Interview and related threats.
Users should verify the integrity of their MetaMask extension rather than assume it is intact. Because this campaign alters an extension that was installed legitimately, the installation source alone proves nothing; the installed files should be compared against a fresh copy of the same version from the official store. Reviewing browser extension permissions regularly can also surface unauthorized changes. Security teams should prioritize behavioral detections for keyword-driven file collection and exfiltration, and for modifications to browser configuration files. Above all, developers should not execute untrusted NPM packages, particularly those received during a recruitment process; that is where the infection begins.
These threats keep evolving, and the campaign’s effectiveness shows how much sophisticated actors now lean on the trust built into software development supply chains. Future iterations of Contagious Interview are likely to bring further evasion improvements and new methods of taking sensitive data, underscoring the need for defenses that adapt with them.

