Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use social engineering tactics, including fake recruiter profiles, to deliver trojanized code during staged job interviews. The malware payload includes BeaverTail and OtterCookie infostealers, along with the InvisibleFerret RAT. The attack chain involves multiple stages, from initial contact to malware delivery, utilizing legitimate websites like JSON Keeper and code repositories to operate stealthily. The campaign also incorporates additional components such as the Tsunami Payload, which adds exceptions to Windows Defender and creates scheduled tasks.
OPENCTI LABELS :
trojanized code, ottercookie, beavertail, web3, invisibleferret, infostealer, north korea, rat, social engineering, cryptocurrency, json storage, tsunami payload
AI COMMENTARY :
1. Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery offers a startling glimpse into a sophisticated campaign orchestrated by North Korean threat actors who have refined their tactics to exploit JSON storage services for hosting and delivering malicious payloads. This new approach departs from traditional command and control infrastructure by leveraging legitimate platforms, enabling the attackers to blend into normal developer operations and evade detection while targeting critical sectors such as cryptocurrency and Web3 projects.
2. The campaign zeroes in on software developers working across Windows, Linux, and macOS environments, with a specific focus on individuals involved in blockchain and Web3 initiatives. By identifying professional profiles on social media and job platforms, the adversaries craft fake recruiter personas that appeal directly to candidates’ career ambitions. The social engineering and trojanized code delivery method ensures a high success rate as victims trust the authenticity of a staged technical interview and willingly execute malicious scripts.
3. In the initial stage of the attack chain, targets are contacted under the guise of a legitimate job opportunity. During the second stage, the threat actors guide candidates to clone repositories or download snippets from services such as JSON Keeper, where trojanized code resides within JSON files. Once executed, the staged code fetches additional components from public code repositories, completing the third stage. Each phase relies on legitimate services to minimize red flags and maximize stealth, demonstrating a calculated exploitation of developer workflows.
4. The malware arsenal includes the BeaverTail and OtterCookie infostealers, designed for credential harvesting and exfiltration of sensitive data. The InvisibleFerret remote access trojan grants persistent backdoor access, while the Tsunami Payload adds exclusions to Windows Defender and creates scheduled tasks for lasting control. These components work in concert to compromise systems, gather valuable intelligence, and establish long-term footholds in targeted environments.
5. The innovative use of JSON storage is at the heart of the campaign’s success. JSON Keeper and similar services allow the actors to store configuration files and payload snippets in plain sight under innocuous filenames. This technique leverages developers’ familiarity with JSON formats, leading victims to trust the files as legitimate code samples or configuration templates. By capitalizing on this trust and the decentralized nature of public storage services, the attackers maintain flexible infrastructure without the usual operational risk of bespoke C2 domains.
6. To defend against this evolving threat, organizations should implement rigorous code review processes, enforce multi-factor authentication, and restrict downloads from unverified third-party storage services. Threat intelligence teams must monitor for indicators of trojanized code, unusual scheduled tasks or Defender exceptions, and maintain up-to-date detection rules for known payloads such as BeaverTail, OtterCookie, InvisibleFerret, and Tsunami Payload. By combining proactive threat hunting with developer education on social engineering and secure repository usage, defenders can mitigate the risk posed by these advanced social engineering and malware delivery techniques.
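One concrete form of the monitoring recommended above, added here as an example that is not part of the OpenCTI report: correlating, per host, a Windows Defender exclusion change with a scheduled task creation, the two behaviours the report attributes to the Tsunami Payload. The sample events are constructed for illustration (host names, paths and task names are invented, not indicators from the report); Event ID 5007 and Event ID 4698 are the real Defender "configuration changed" and Security "scheduled task created" events.

```python
from datetime import datetime, timedelta

# Constructed sample events (not indicators from the report), shaped like a
# simplified Windows event log export. Event ID 5007 = Defender configuration
# changed (Microsoft-Windows-Windows Defender/Operational); Event ID 4698 =
# a scheduled task was created (Security log).
SAMPLE_EVENTS = [
    {"host": "dev-ws-01", "ts": "2024-05-02T10:14:03", "event_id": 5007,
     "message": r"Windows Defender Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\dev\AppData\Local\Temp = 0x0"},
    {"host": "dev-ws-01", "ts": "2024-05-02T10:14:41", "event_id": 4698,
     "message": r"A scheduled task was created. Task Name: \NodeUpdater"},
    # Benign-looking config change on another host: not an exclusion, no task.
    {"host": "dev-ws-02", "ts": "2024-05-02T09:00:00", "event_id": 5007,
     "message": r"Windows Defender Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0"},
    # Scheduled task alone, no Defender change on that host.
    {"host": "dev-ws-03", "ts": "2024-05-02T11:00:00", "event_id": 4698,
     "message": r"A scheduled task was created. Task Name: \Microsoft\Windows\Backup\Nightly"},
]

def is_exclusion_change(ev):
    """5007 events whose changed value sits under the Defender Exclusions key."""
    return ev["event_id"] == 5007 and "\\Exclusions\\" in ev["message"]

def is_task_creation(ev):
    return ev["event_id"] == 4698

def correlate(events, window_minutes=30):
    """Return hosts on which a Defender exclusion change and a scheduled task
    creation occur within window_minutes of each other, in either order."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    window = timedelta(minutes=window_minutes)
    findings = []
    for host, evs in by_host.items():
        excl = [datetime.fromisoformat(e["ts"]) for e in evs if is_exclusion_change(e)]
        tasks = [datetime.fromisoformat(e["ts"]) for e in evs if is_task_creation(e)]
        if any(abs(t - x) <= window for x in excl for t in tasks):
            findings.append(host)
    return sorted(findings)

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # ['dev-ws-01']
```

Either event alone is common on developer workstations; the pairing within a short window is what makes the host worth a closer look.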