Cybersecurity researchers have exposed a sophisticated threat campaign, dubbed “Contagious Interview,” where malicious actors are leveraging legitimate JSON storage services to host and distribute malware, specifically targeting software developers. This innovative technique allows threat actors to blend harmful code into seemingly innocuous development projects, making detection by traditional security measures increasingly challenging.
The Contagious Interview campaign, estimated to have been active since 2023, is attributed to actors associated with the Democratic People’s Republic of Korea (DPRK). The operation primarily targets developers working across Windows, Linux, and macOS environments, with a notable focus on individuals involved in cryptocurrency and Web3 projects. The ultimate objective of these attacks is financial gain through the theft of sensitive information and digital assets.
Contagious Interview: A Novel Attack Vector Through JSON Storage Services
The initial entry point for this threat campaign relies on meticulously crafted social engineering tactics. Threat actors pose as recruiters on professional networking platforms, such as LinkedIn, approaching potential victims with enticing job opportunities. These communications are often highly professional, with fake recruiters claiming to represent legitimate companies engaged in real estate or Web3 development.
Following an exchange of pleasantries and discussions about the role, the supposed recruiter will share a demo project, typically hosted on platforms like GitLab or GitHub, as part of an interview assessment. This method, identified by NVISO Labs security analysts, has proven effective in compelling developers to download and execute trojanized code.
The Attack Mechanism: Blending Malice with Legitimacy
The demo projects are designed to appear entirely legitimate. They feature detailed README files and professional layouts that convincingly mimic real estate platforms or cryptocurrency applications, creating a robust facade for the malicious intent. Once a developer downloads and executes these projects, often using Node.js, the infection chain is initiated.
The true ingenuity of the malware delivery lies within the project’s configuration files. These files contain base64-encoded variables that mask the URLs of JSON storage services. Upon decoding, these variables reveal links to platforms like JSON Keeper or similar services. These sites host heavily obfuscated JavaScript code, which is then automatically fetched and executed through legitimate Node.js operations. This stealthy approach makes it difficult for standard security tools to identify the malicious activity.
The obfuscated JavaScript ultimately fetches the BeaverTail infostealer. This malware is specialized in extracting wallet information, system data, and browser extension data pertinent to cryptocurrency assets. Following the execution of BeaverTail, the InvisibleFerret Remote Access Tool (RAT) is deployed in subsequent stages. This modular framework, written in Python, possesses a range of capabilities, including data exfiltration, system fingerprinting, and the ability to download additional payloads.
The attack chain continues through multiple stages, with threat actors strategically utilizing legitimate services such as Pastebin and Railway to host payloads. This reliance on well-established infrastructure further aids in evading detection. The sophisticated use of these legitimate services by threat actors is a distinguishing characteristic of this campaign, allowing their malicious traffic to appear normal and bypass conventional security defenses.
Implications and Protective Measures
The Contagious Interview campaign highlights a growing trend of threat actors exploiting trusted platforms and development workflows to deliver malware. The focus on software developers and their access to sensitive financial and system information makes this a particularly high-impact threat. The campaign’s multi-stage approach, combining social engineering with intricate code obfuscation and legitimate infrastructure abuse, presents a significant challenge for cybersecurity professionals.
Organizations are strongly advised to exercise extreme caution when accepting unsolicited code from recruiters or any unknown sources, especially within the development community. Thoroughly inspecting configuration files for suspicious API keys and diligently monitoring Node.js execution behaviors are crucial steps in identifying and preventing similar attacks before they can establish a foothold within internal networks. Continuous vigilance and adaptation of security strategies are essential to counter evolving threats that leverage legitimate services for malicious purposes.