- The Lazarus Group used JSON storage services to host malware in the Contagious Interview campaign targeting developers
- Attackers lured victims via fake LinkedIn job offers and delivered BeaverTail, InvisibleFerret and TsunamiKit malware
- Malware exfiltrates data, steals crypto and mines Monero – while interfering with normal developer workflows
North Korean state-sponsored threat actors, part of the infamous Lazarus Group, have been seen hosting malware and other malicious code on JSON storage services.
Cyber security researchers at NVISO flagged that they had seen attackers using JSON Keeper, JSONsilo and npoint.io in an attempt to remain unseen and persistent in their attacks.
The attacks appear to be part of the Contagious Interview campaign. In it, the attackers first create fake LinkedIn profiles and reach out to software developers, either with enticing job offers or to ask for help with a coding project. During the back-and-forth, the crooks ask the victims to download a demo project from GitHub, GitLab, or Bitbucket.
Insertion of infostealers and backdoors
Now, NVISO said that in one of the projects it found a Base64-encoded value that, while it looks like an API key, is actually a URL to a JSON storage service. At that location, they found BeaverTail – an infostealer malware and loader that dropped a Python backdoor named InvisibleFerret, and TsunamiKit.
The latter is a multi-stage malware toolkit written in Python and .NET that can act either as an infostealer or as a cryptojacker that installs XMRig on the compromised device and forces it to mine the Monero currency. Some researchers also said they saw BeaverTail deploying Tropidoor and AkdoorTea.
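A defensive check suggested by the finding above, added here as an example and not part of the article or NVISO's research: it scans project source text for Base64 runs that decode to a URL on one of the named JSON storage services, so a repository can be screened before a "demo project" is run. The domain names for the three services and the sample source file are assumptions constructed for the example.

```python
import base64
import re
from typing import List, Optional, Tuple

# Domains assumed for the services named in the article (JSON Keeper, JSONsilo, npoint.io).
SUSPECT_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")

# A Base64 alphabet run long enough to hold a URL; shorter tokens are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def decode_candidate(token: str) -> Optional[str]:
    """Decode token as Base64 and return it as text only if it is printable ASCII."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return text if text.isprintable() else None


def find_hidden_urls(source: str) -> List[Tuple[str, str]]:
    """Return (decoded_url, host) for each key-looking token that is really a URL
    pointing at one of the suspect JSON storage hosts."""
    hits = []
    for m in B64_RUN.finditer(source):
        text = decode_candidate(m.group(0))
        if text is None:
            continue
        url = URL_RE.search(text)
        if url is None:
            continue
        host = url.group(1).lower()
        if any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS):
            hits.append((text, host))
    return hits


# Constructed sample: a project config where one "API key" is an encoded storage URL
# (placeholder path) and another is an opaque value that should not be flagged.
HIDDEN_URL = "https://api.npoint.io/PLACEHOLDER0123456789"
SAMPLE_SOURCE = (
    "const config = {\n"
    '  apiKey: "' + base64.b64encode(HIDDEN_URL.encode()).decode() + '",\n'
    '  authToken: "' + base64.b64encode(b"opaque-value-not-a-url-at-all").decode() + '",\n'
    "};\n"
)

if __name__ == "__main__":
    for url, host in find_hidden_urls(SAMPLE_SOURCE):
        print(f"encoded URL to {host}: {url}")
```

Run it over every text file in a cloned repository; a hit is a reason to inspect the decoded URL manually rather than to execute the project.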
“It is clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in the leakage of sensitive data and cryptocurrency information,” the researchers warned.
“The use of legitimate sites such as JSON Keeper, JSON Silo, and npoint.io, along with code repositories such as GitLab and GitHub, underscores the actor’s motivation and persistent attempts to operate stealthily and mix with normal traffic.”
Via Hacker News