Threat Intelligence, Malware

Contagious Interview campaign exploits JSON storage for malware deployment

North Korea digital technology flag cyber background. North Korean banner cyberattack and espionage concept illustration.

GBHackers News reports that North Korean state-sponsored threat actors have been leveraging JSON storage services to distribute malware as part of the Contagious Interview campaign, which has been underway since 2023.

Attacks involved the impersonation of medical directors and other hiring professionals on LinkedIn to spread a "demo project" from GitLab and other repositories, which lured targets into executing interview coding tasks via Node.js, findings from an NVISO Labs analysis revealed.

Numerous API key-spoofing base64-encoded variables within the demo project's configuration files, which refer to JSON Keeper, JSON Silo, and other legitimate JSON storage services, facilitate the eventual deployment of the BeaverTail information-stealing malware that then spreads the InvisibleFerret RAT payload.

InvisibleFerret features a multi-component framework, including the Tsunami payload for scheduled task creation, Tsunami Injector for persistence, and Tsunami Infector for covert Python installation. Such a threat should prompt more stringent review processes for recruitment activities and intensified monitoring of suspicious API requests to JSON storage services.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds