
Updated Contagious Interview campaign harnesses illicit npm packages for RAT delivery

Famous Chollima, a North Korean state-sponsored threat group, has published 26 malicious npm packages that impersonate developer tools in order to deliver a cross-platform information-stealing remote access trojan. The activity, tracked as StegaBin, is the latest iteration of the ongoing Contagious Interview campaign, according to The Hacker News.

Each package carried an install-time lifecycle script that npm runs automatically during installation. That script launches a loader which retrieves content from a Pastebin URL and decodes it to obtain command-and-control URLs hosted on Vercel, according to reports from Socket and kmsek.uk researchers. The loader then contacts the decoded domain to fetch a payload matched to the host's operating system, with separate Windows, Linux, and macOS variants. Analysis of the deployed information-stealing RAT found nine modules covering keylogging, credential theft, browser and cryptocurrency data exfiltration, downloading of the TruffleHog secrets scanner, and persistence.

"It is likely Famous Chollima will continue to leverage multiple techniques and infrastructure to deliver follow-on payloads. It is unlikely this signals a complete overhaul of their stager behaviour on npm," said kmsek.uk's Kieran Miyamoto.
