- Lazarus Group used JSON storage services to host malware in the Contagious Interview campaign targeting developers
- Attackers lured victims via fake LinkedIn job offers, delivering BeaverTail, InvisibleFerret, and TsunamiKit malware
- Malware exfiltrates data, steals crypto, and mines Monero—while blending into normal dev workflows
North Korean state-sponsored threat actors, part of the infamous Lazarus Group, have been seen hosting malware and other malicious code on JSON storage services.
Cybersecurity researchers NVISIO flagged they had seen attackers using JSON Keeper, JSONsilo, and npoint.io in a bid to remain unseen and persistent in their attacks.
The attacks seem to be part of the Contagious Interview campaign. In it, the miscreants would first create fake LinkedIn profiles and reach out to software developers either with enticing job offers, or to ask for help on a coding project. During the back-and-forth, the crooks would ask the victims to download a demo project from GitHub, GitLab, or Bitbucket.
Deploying infostealers and backdoors
Now, NVISIO said that in one of the projects, it found a Base64-encoded value that, even though it looks like an API key, it’s actually a URL to a JSON storage service. In the storage, they found BeaverTail – an infostealer malware and a loader that dropped a Python backdoor named InvisibleFerret, and TsunamiKit.
The latter is a multi-stage malware toolkit written in Python and .NET, that can serve either as an infostealer, or as a cryptojacker that installs XMRig on the compromised device and forces it to mine the Monero currency. Some researchers also said they spotted BeaverTrail deploying Tropidoor and AkdoorTea.
“It’s clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information,” the researchers warned.
“The use of legitimate websites such as JSON Keeper, JSON Silo, and npoint.io, along with code repositories such as GitLab and GitHub, underlines the actor’s motivation and sustained attempts to operate stealthily and blend in with normal traffic.”
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
