GBHackers News reports that North Korean state-sponsored threat actors have been leveraging JSON storage services to distribute malware as part of the Contagious Interview campaign, which has been underway since 2023.Attacks involved the impersonation of medical directors and other hiring professionals on LinkedIn to spread a "demo project" from GitLab and other repositories, which lured targets into executing interview coding tasks via Node.js, findings from an NVISO Labs analysis revealed.Numerous API key-spoofing base64-encoded variables within the demo project's configuration files, which refer to JSON Keeper, JSON Silo, and other legitimate JSON storage services, facilitate the eventual deployment of the BeaverTail information-stealing malware that then spreads the InvisibleFerret RAT payload.InvisibleFerret features a multi-component framework, including the Tsunami payload for scheduled task creation, Tsunami Injector for persistence, and Tsunami Infector for covert Python installation. Such a threat should prompt more stringent review processes for recruitment activities and intensified monitoring of suspicious API requests to JSON storage services.
Threat Intelligence, Malware
Contagious Interview campaign exploits JSON storage for malware deployment

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



