- Lazarus Group used JSON storage services to host malware in Contagious Interview campaign targeting developers
- The attackers lured victims through fake job postings on LinkedIn, delivering BeaverTail, InvisibleFerret, and TsunamiKit malware.
- The malware exfiltrates sensitive data, steals cryptocurrency wallet information, and mines Monero, while its hosting and delivery blend in with normal developer traffic.
North Korean state-sponsored threat actors, part of the infamous Lazarus Group, have been seen hosting malware and other malicious code on JSON storage services.
Cybersecurity researchers at NVISO observed the attackers using JSON Keeper, JSON Silo, and npoint.io, legitimate services for storing and serving JSON documents, in an attempt to stay under the radar and keep their payloads reachable.
The attacks appear to be part of the Contagious Interview campaign. In it, the attackers first create fake LinkedIn profiles and approach software developers with attractive job offers or requests for help on a coding project. During the exchange, they ask the victim to download a demo project hosted on GitHub, GitLab, or Bitbucket.
Deploying information stealers and backdoors
NVISO said that one of these projects contained a Base64-encoded value that looks like an API key but is in fact a URL pointing to a JSON storage service. Hosted in that storage was BeaverTail, an information stealer that also acts as a loader for a Python backdoor called InvisibleFerret and for TsunamiKit.
TsunamiKit is a multi-stage malware toolkit written in Python and .NET that works as both an information stealer and a cryptojacker: it installs the XMRig miner on the compromised machine and uses it to mine Monero. Researchers have also observed BeaverTail delivering two further payloads, Tropidoor and AkdoorTea.
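The disguised-API-key trick described above is cheap to check for before anyone runs a "demo project". The following script is an added example written for this article, not NVISO's tooling or anything recovered from the campaign: it walks the text of config and source files, finds Base64-looking tokens, decodes them, and flags any that decode to a URL, with a stronger flag when the host belongs to one of the JSON storage services the article names. The hostnames jsonkeeper.com, jsonsilo.com and npoint.io are assumed here, and the sample config lines are constructed for the example.

```python
import base64
import re
import sys
from urllib.parse import urlparse

# Hostnames are an assumption for the three services the article names
# (JSON Keeper, JSON Silo, npoint.io); extend this set with your own blocklist.
JSON_STORAGE_HOSTS = {"jsonkeeper.com", "jsonsilo.com", "npoint.io"}

# A run of Base64 alphabet characters long enough to hold a URL (24 chars = 18
# bytes), with optional padding. Shorter runs are too noisy to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_b64_loose(token):
    """Decode a Base64 token, tolerating stripped padding; None if not Base64/ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error subclasses ValueError
        return None


def classify(decoded):
    """Return 'known-json-storage', 'url', or None for a decoded string."""
    if not decoded or not decoded.lower().startswith(("http://", "https://")):
        return None
    host = (urlparse(decoded).hostname or "").lower()
    for storage in JSON_STORAGE_HOSTS:
        if host == storage or host.endswith("." + storage):
            return "known-json-storage"
    return "url"


def scan_text(text, path="<text>"):
    """Find Base64 tokens that hide a URL. Returns one dict per finding, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in B64_TOKEN.finditer(line):
            decoded = decode_b64_loose(match.group(0))
            kind = classify(decoded)
            if kind is None:
                continue
            findings.append({
                "path": path,
                "line": lineno,
                "token": match.group(0),
                "decoded": decoded,
                "host": (urlparse(decoded).hostname or "").lower(),
                "kind": kind,
            })
    return findings


# Constructed sample (not from the campaign): an opaque key that is genuinely
# just a key, a Base64 blob that is really a URL to an assumed JSON storage
# host, and a Base64 blob that is a URL to an unrelated host.
SAMPLE_CONFIG = "\n".join([
    "DB_PASSWORD=correct-horse-battery-staple",
    "OPAQUE_KEY=" + base64.b64encode(b"sk_live_constructed_opaque_token_12345").decode(),
    "API_KEY=" + base64.b64encode(b"https://api.npoint.io/constructed-example-id").decode(),
    "HEALTH_URL=" + base64.b64encode(b"https://example.com/healthcheck").decode(),
])


def main(argv):
    # With no arguments, scan the constructed sample; otherwise scan the files given.
    if len(argv) < 2:
        findings = scan_text(SAMPLE_CONFIG, "<sample>")
    else:
        findings = []
        for path in argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
    for f in findings:
        print(f"{f['path']}:{f['line']} [{f['kind']}] {f['host']} <- {f['decoded']}")
    # Non-zero exit only for the high-confidence case, so this can gate a CI job.
    return 1 if any(f["kind"] == "known-json-storage" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the embedded sample, or pass the paths of a cloned project's .env, config and source files. The exit code is non-zero only when a token decodes to a URL on one of the listed hosts, which is the case worth blocking outright; any other hidden URL is printed for a human to review. It is a first pass only: a URL split across several Base64 fragments, or wrapped in a further encoding layer, will not be caught by this regex.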
“It is clear that the actors behind Contagious Interview are not far behind and are trying to cast a very wide net to compromise any (software) developers they may find interesting, resulting in the exfiltration of sensitive data and crypto wallet information,” the researchers warned.
“The use of legitimate websites such as JSON Keeper, JSON Silo and npoint.io, along with code repositories such as GitLab and GitHub, underscores the actor’s motivation and sustained attempts to operate stealthily and blend in with normal traffic.”
Via The Hacker News