North Korean Contagious Interview actors now host malware on JSON storage sites to deliver trojanized code projects, NVISO reports.
North Korea-linked actors behind the Contagious Interview campaign have updated their tactics, using JSON storage services (e.g. JSON Keeper, JSONsilo, and npoint.io) to host and deliver malware through trojanized code projects, according to a new NVISO report.
“NVISO reports a new development in the Contagious Interview campaign. The threat actors have recently resorted to utilizing legitimate JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure being a use case or demo project as part of an interview process.” reads the report published by NVISO.
The Contagious Interview campaign, active since November 2023 and linked to North Korea, targets software developers on Windows, Linux, and macOS. The attackers focus on developers working in crypto and Web3.
Attackers pose as recruiters on platforms like LinkedIn and use social engineering tactics, including fake job interviews and trojanized demo projects, to deliver malware. Their payloads commonly include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT.

The campaign targets victims on LinkedIn by posing as recruiters or collaborators and sending them demo projects from GitHub-like platforms. Inside these projects, a hidden file contains a Base64 “API key” that actually points to a JSON storage service hosting the obfuscated next-stage malware payload.
NVISO researchers observed attackers using a project that hides a Base64 “API key” that actually links to a JSON storage service hosting the next malware stage. The downloaded payload is BeaverTail, a JavaScript infostealer that can deploy the Python backdoor InvisibleFerret. While InvisibleFerret hasn’t changed much since 2023, it now also fetches an extra tool called TsunamiKit from Pastebin.
Below are a few examples of decoded Pastebin URLs:
| Pastebin URL | Profile | File |
| --- | --- | --- |
| hxxps[://]pastebin[.]com/u/NotingRobe2871_FranzStill8494 | hxxps[://]pastebin[.]com/u/NotingRobe2871 | FranzStill8494 |
| hxxps[://]pastebin[.]com/u/ShadowGates1462_PastPhys9067 | hxxps[://]pastebin[.]com/u/ShadowGates1462 | PastPhys9067 |
| hxxps[://]pastebin[.]com/u/AmendMinds7934_LoverTumor2853 | hxxps[://]pastebin[.]com/u/AmendMinds7934 | LoverTumor2853 |
Earlier research showed that TsunamiKit is used alongside other malware to profile systems, steal data, and pull additional payloads from a Tor (.onion) server that is currently offline.
The attackers use JSON storage services to host their malware. By analyzing the indicators, researchers uncovered more malicious repositories, payloads, and related IPs, including payloads hosted on Railway. NVISO published all identified IOCs and notified the affected JSON storage providers.
The researchers recommend avoiding running code from unknown repos or from “recruiters” during early interviews. If you must, review config files carefully for signs of malware.
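One way to carry out the config-file review recommended above, as an added example that is not code from NVISO or from the original article: it decodes Base64-looking values in a project file and reports those that decode to URLs, marking the ones on JSON storage or paste hosts. The hostnames in `WATCHED_HOSTS`, the function names and the sample file are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Hostnames assumed for the services named in the article (plus Pastebin);
# extend the tuple with any other storage providers you want to watch.
WATCHED_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io", "pastebin.com")

# Runs of the standard Base64 alphabet long enough to hide a short URL.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_token(token):
    """Return the UTF-8 text behind a Base64 token, or None if it is not valid."""
    body = token.rstrip("=")
    body += "=" * (-len(body) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def find_encoded_urls(text):
    """Return (line_no, url, watched) for every token that decodes to an http(s) URL."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in B64_TOKEN.finditer(line):
            decoded = decode_token(match.group())
            if not decoded or not decoded.startswith(("http://", "https://")):
                continue
            host = (urlparse(decoded).hostname or "").lower()
            watched = any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)
            findings.append((line_no, decoded, watched))
    return findings


# Constructed sample of a demo project's .env file; all values are placeholders.
SAMPLE_ENV = "\n".join([
    "PORT=3000",
    "DB_NAME=demo_shop",
    "API_KEY=" + base64.b64encode(b"https://api.npoint.io/EXAMPLE-ID").decode(),
    "CDN_TOKEN=" + base64.b64encode(b"https://cdn.example.org/app.js").decode(),
    "SESSION_SECRET=" + base64.b64encode(b"secret-value-not-a-url").decode(),
])

if __name__ == "__main__":
    for line_no, url, watched in find_encoded_urls(SAMPLE_ENV):
        print(f"line {line_no}: {url} {'[WATCHED HOST]' if watched else ''}")
```

Any "key" or "token" value that decodes to a URL deserves a closer look before the project is installed or run, whether or not its host is on the watch list.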
“It’s clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information.” concludes the post. “The use of legitimate websites such as JSON Keeper, JSON Silo and npoint.io, along with code repositories such as Gitlab and GitHub, underlines the actor’s motivation and sustained attempts to operate stealthily and blend in with normal traffic.”
Pierluigi Paganini
(SecurityAffairs – hacking, Contagious Interview)
