North Korean hackers are adapting their strategies and now use JSON storage services to distribute malware. The shift is part of their ongoing campaign dubbed "Contagious Interview," in which they target individuals on professional networking sites like LinkedIn.
Researchers from NVISO reported that these threat actors use JSON Keeper, JSONsilo, and npoint.io to host malicious payloads concealed within seemingly harmless code projects. The methodology involves contacting potential victims under the guise of job assessments or project collaborations, directing them to download demo projects hosted on platforms like GitHub and GitLab.
In one example examined by NVISO, a file named "server/config/.config.env" contains a Base64-encoded string presented as an API key. In reality, the value leads to a JSON storage service where later payloads are stored in a disguised format.
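A defender-side check for the lure described above, as an added example that is not from NVISO or the original article: it decodes Base64-looking values in `.env`-style files and flags any that resolve to a JSON storage host. The hostnames assumed for JSON Keeper and JSONsilo, the function names, and the sample file contents are constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path
from urllib.parse import urlparse

# Hostnames assumed for the services the article names (JSON Keeper, JSONsilo, npoint.io).
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
# KEY=VALUE lines as found in .env-style files; optional "export" and quotes.
ENV_LINE = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*["']?([^"'\s#]+)""")
B64_VALUE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

# Constructed sample, not campaign data: a placeholder URL encoded as a fake "API key".
SAMPLE = (
    "PORT=3000\n"
    "API_KEY=" + base64.b64encode(b"https://api.npoint.io/PLACEHOLDER").decode() + "\n"
    "JWT_SECRET=" + base64.b64encode(b"secret-value-not-a-url").decode() + "\n"
)

def decode_b64(value):
    """Return the text a Base64 (standard or URL-safe) value decodes to, or None."""
    if not B64_VALUE.match(value):
        return None
    body = value.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan_env_text(text):
    """Return [(line_no, key, host)] for values that decode to a JSON storage URL."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ENV_LINE.match(line)
        decoded = decode_b64(m.group(2)) if m else None
        if not decoded:
            continue
        try:
            host = (urlparse(decoded.strip()).hostname or "").lower()
        except ValueError:  # malformed URL after decoding
            continue
        if any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS):
            findings.append((line_no, m.group(1), host))
    return findings

def scan_project(root):
    """Scan every *.env file under root (this matches names like .config.env)."""
    return {str(p): hits for p in Path(root).rglob("*.env")
            if p.is_file() and (hits := scan_env_text(p.read_text(errors="replace")))}
```

Running `scan_project` on a freshly cloned demo project before installing or executing it reports each file and line whose "key" is really a link to one of these services.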
The payload in question is a JavaScript malware known as BeaverTail, capable of collecting sensitive information and deploying a Python backdoor called InvisibleFerret. Although the functionality of the backdoor has largely remained consistent since its initial documentation, it has been modified to fetch an additional payload called TsunamiKit from Pastebin.
TsunamiKit was previously identified as part of the same Contagious Interview campaign. This toolkit can perform system fingerprinting, gather data, and retrieve additional payloads from a specific .onion address that is currently offline.
The NVISO researchers highlight the sophistication of these attackers, emphasizing their intention to target any software developer who may appear vulnerable, leading to the extraction of sensitive data, including crypto wallet information. By leveraging legitimate sites such as JSON Keeper, alongside popular code repositories, these hackers are skillfully blending their operations with typical internet traffic to avoid detection.
This adjustment in tactics underscores the persistent nature of North Korean cyber threats and their ongoing efforts to infiltrate viable targets through innovative methods.