North Korean state-sponsored cyber actors are exploiting legitimate online services and professional networking sites in a sustained malware distribution campaign dubbed “Contagious Interview,” which has been active since 2023. These threat actors have specifically been leveraging JSON storage services like JSON Keeper and JSON Silo to host and distribute their malicious payloads, a tactic uncovered by GBHackers News and detailed in an analysis by NVISO Labs. This method allows the attackers to blend their command and control infrastructure with common, trusted web traffic, making detection more challenging.
The initial phase of the attack focuses on social engineering and establishing trust. Attackers typically impersonate medical directors and other hiring professionals on LinkedIn, targeting individuals with enticing job offers. Once a connection is made, they direct the victims to what is presented as a “demo project” hosted on repositories like GitLab. This project is framed as a mandatory coding task or exercise required for the interview process, persuading the targets to execute the code using Node.js on their local systems.
The malicious “demo project” is the mechanism used to fetch the malware. Its configuration files contain numerous base64-encoded variables that appear to be API keys. These variables are actually references to the aforementioned legitimate JSON storage services. When the project runs, these API-spoofing variables facilitate connections to the storage services, allowing the attackers to surreptitiously retrieve the next stage of the attack: the BeaverTail information-stealing malware.
Upon execution, the BeaverTail info-stealer is deployed. Its primary function is to harvest sensitive data from the infected machine. Following the initial reconnaissance and data theft, BeaverTail then installs the final, more potent payload: the InvisibleFerret RAT (Remote Access Trojan). InvisibleFerret is a complex, multi-component framework designed for long-term persistence and control over the compromised system.
InvisibleFerret’s framework includes several specialized modules, such as the Tsunami payload for creating scheduled tasks to ensure recurring execution, the Tsunami Injector for achieving persistence on the system, and the Tsunami Infector, which is designed to covertly install a Python environment necessary for the RAT’s operation. This sophisticated, multi-stage attack highlights the need for organizations to implement more stringent review processes for all recruitment-related activities and to intensify the monitoring of suspicious or unexpected API requests directed towards common JSON storage and cloud services.
Reference:
