- Lazarus Group used JSON storage services to host malware as part of the Contagious Interview campaign targeting developers.
- The attackers lured their victims through fake job postings on LinkedIn, spreading BeaverTail, InvisibleFerret, and TsunamiKit malware.
- The malware exfiltrates data, steals cryptocurrency wallet information, and mines Monero, all while blending into normal development workflows.
North Korean state-sponsored threat actors, part of the infamous Lazarus Group, have been seen hosting malware and other malicious code on JSON storage services.
Cybersecurity researchers at NVISO have reported seeing attackers use JSON Keeper, JSONsilo, and npoint.io in an attempt to remain unnoticed and persistent in their attacks.
The attacks appear to be part of the Contagious Interview campaign. In it, the criminals first created fake LinkedIn profiles and contacted software developers either with tempting job offers or to ask for help on a coding project. During the back and forth, the scammers would ask victims to download a demo project from GitHub, GitLab, or Bitbucket.
Deploy infostealers and backdoors
NVISO said that in one of the projects it found a Base64-encoded value that, although it looks like an API key, is actually a URL pointing to a JSON storage service. Hosted there they found BeaverTail, an information-stealing malware and loader that launches a Python backdoor named InvisibleFerret as well as TsunamiKit.
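To illustrate the trick described above from a defender's side, here is an added Python check (not code from the NVISO report) that scans source or config text for Base64 tokens that decode to URLs and flags those pointing at the storage services named in the article. The host list and the sample config are assumptions constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Assumed domains of the services named in the report (not taken from it).
STAGING_HOSTS = {"jsonkeeper.com", "jsonsilo.com", "npoint.io"}

# A Base64 run long enough to hide a URL; shorter tokens are rarely URLs.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_candidate(token):
    """Return decoded printable ASCII text if token is valid Base64, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def hidden_urls(source):
    """Find Base64 tokens that decode to http(s) URLs and flag known staging hosts."""
    findings = []
    for match in B64_RE.finditer(source):
        text = decode_candidate(match.group(0))
        if text is None or not text.startswith(("http://", "https://")):
            continue  # real keys, hashes and binary data are skipped here
        host = (urlparse(text).hostname or "").lower()
        flagged = any(host == h or host.endswith("." + h) for h in STAGING_HOSTS)
        findings.append({"token": match.group(0), "url": text,
                         "host": host, "staging_host": flagged})
    return findings


# Constructed sample in the style described: one "key" is really a staging URL.
_STAGING_URL = "https://www.jsonkeeper.com/b/EXAMPLE-PLACEHOLDER"
_DECOY_KEY = "constructed-key-value-not-a-url"
SAMPLE_CONFIG = (
    "MODEL_API_KEY = '" + base64.b64encode(_STAGING_URL.encode()).decode() + "'\n"
    "SESSION_KEY = '" + base64.b64encode(_DECOY_KEY.encode()).decode() + "'\n"
)

if __name__ == "__main__":
    for finding in hidden_urls(SAMPLE_CONFIG):
        print(finding)
```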
The latter is a multi-stage malware toolkit written in Python and .NET, which can serve as either an information stealer or a cryptojacker that installs XMRig on the compromised device and forces it to mine the Monero cryptocurrency. Some researchers also said they spotted BeaverTail deploying Tropidoor and AkdoorTea.
“It is clear that the actors behind Contagious Interview are not left out and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, thus leading to the exfiltration of sensitive data and information on crypto wallets,” warn the researchers.
“The use of legitimate websites such as JSON Keeper, JSON Silo, and npoint.io, as well as code repositories such as GitLab and GitHub, underscores the actor’s motivation and sustained attempts to operate stealthily and blend in with normal traffic.”
Via Hacker news