
VS Code exploited once again in new Contagious Interview campaign variant


North Korean hacking collective Lazarus Group has used illicit VS Code automation task configurations to launch font-spoofing JavaScript payloads and eventually deploy the InvisibleFerret backdoor as part of the new Fake Font operation, which is yet another variant of the Contagious Interview attack campaign, Cybernews reports.

Attackers purporting to be cryptocurrency or fintech recruiters have sent targeted software engineers job assessments that include links to GitHub repositories masquerading as legitimate apps, findings from an OpenSourceMalware report showed. Executing the apps triggers a multi-stage attack that concludes with the delivery of the Python-based InvisibleFerret payload, which allows browser credential compromise, keystroke logging, and credential theft across over a dozen cryptocurrency wallet extensions.

Researchers noted that the techniques leveraged in the Fake Font campaign indicate an escalation of North Korean threat actors' previous social engineering attacks, which involved the integration of infostealer malware in nefarious npm packages, as well as the use of illicit GitHub repositories.
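
A defender-side check for the task configurations described above, as an added example that is not from the article or the OpenSourceMalware report: it parses a repository's `.vscode/tasks.json` before the folder is opened in VS Code and lists tasks set to start on their own. It assumes the abuse relies on VS Code's `runOptions.runOn: "folderOpen"` setting, which the article does not name; the sample file and the `strip_jsonc` and `audit_tasks` names are constructed for illustration.

```python
import json
import re

# Constructed sample of a .vscode/tasks.json (not from any real repository).
SAMPLE_TASKS_JSON = """
{
  // tasks.json is JSONC, so comments like this one are legal
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "fonts", "type": "shell", "command": "echo placeholder",
     "linux": {"command": "node ./assets/font.js"},
     "runOptions": {"runOn": "folderOpen"},
     "presentation": {"reveal": "never"},
    },
  ]
}
"""

_STRING = r'("(?:\\.|[^"\\])*")'  # a JSON string literal, captured so it can be kept

def strip_jsonc(text):
    """Drop comments and trailing commas, leaving string literals untouched."""
    keep = lambda m: m.group(1) or ""
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(_STRING + r"|,(?=\s*[}\]])", keep, text)

def audit_tasks(text):
    """Return one finding per task that runs as soon as the folder is opened."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        # The command can be overridden per operating system, so collect all of them.
        scopes = [task] + [task[k] for k in ("windows", "linux", "osx") if k in task]
        commands = [str(s["command"]) for s in scopes if "command" in s]
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "commands": commands,
            # reveal "never" or "silent" keeps the task terminal from being brought forward
            "hidden_output": task.get("presentation", {}).get("reveal") in ("never", "silent"),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_TASKS_JSON):
        print(finding)
```
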
