- Lazarus group’s Contagious Interview campaign abuses Visual Studio Code via malicious Git repositories
- Attackers deliver JavaScript payloads on macOS, enabling persistent data collection and C2 communication
- Jamf urges enabling advanced threat controls and using caution with untrusted repositories
As part of the infamous Contagious Interview campaign, North Korean threat actors have been seen abusing Microsoft's legitimate Visual Studio Code editor in their attacks.
Contagious Interview is a hacking campaign in which the Lazarus group (and other North Korean state-sponsored actors) create fake job offers and invite software and blockchain developers in Western countries to interviews.
During the interview process, they trick victims into running malware on their devices, giving the attackers control of the developer's computer and a foothold into their current employer's network.
The campaign has also been highly successful, with some of the biggest cryptocurrency thefts of recent years attributed to it.
In a new report, Jamf security researchers detailed “an evolution in the techniques used during the early stages of the campaign.” They said the attackers would first create a malicious Git repository and host it on platforms like GitHub or GitLab.
After that, during the “interview” process, they trick the victim into cloning the repository and opening it in Visual Studio Code. The editor prompts the victim to trust the repository's authors; if they accept, VS Code treats the folder as a trusted workspace and automatically processes the repository's .vscode/tasks.json, in which a task configured to run on folder open can execute arbitrary shell commands.
On macOS, these commands spawn a background shell that fetches a JavaScript payload from a remote host (often one hosted on a platform such as Vercel) and pipes it straight into the Node.js runtime without first saving it to disk.
The payload then runs a persistent loop that collects host information (hostname, MAC addresses and operating system details) and sends it to a remote command-and-control (C2) server. The backdoor periodically polls the C2 server, reporting system data and receiving further malicious JavaScript to execute.
“We strongly recommend that customers ensure that Threat Prevention and Advanced Threat Controls are enabled and set to blocking mode in Jamf for Mac to remain protected against the techniques described in this investigation,” Jamf warned.
“Developers should be cautious when interacting with third-party repositories, especially those shared directly or originating from unknown sources. Before marking a repository as trusted in Visual Studio Code, it is important to review its contents,” they added.