North Korean Hackers Target Developers with Sophisticated ‘Contagious Interview’ Malware Campaign

North Korean Hackers Exploit Code Abuse Tactics in ‘Contagious Interview’ Campaign

North Korean cyber operatives have initiated a sophisticated social engineering campaign, dubbed Contagious Interview, targeting software developers through deceptive recruitment strategies. This operation employs malicious code repositories masquerading as technical assessment projects to deploy a dual-layer malware system, aiming to exfiltrate sensitive data and establish persistent access on compromised systems.

Deceptive Recruitment Tactics

The attackers impersonate recruiters from reputable organizations, such as Meta2140, reaching out to developers via LinkedIn. They entice victims with lucrative job offers and direct them to download project repositories purportedly for technical evaluations. Unbeknownst to the developers, these repositories are laced with concealed malicious code designed to initiate a multi-stage infection process.

Sophisticated Infection Mechanisms

The malware employs multiple vectors to infiltrate systems:

1. VS Code Tasks Configuration: A hidden task within the Visual Studio Code environment automatically executes upon opening the project folder, requiring no direct code execution by the user.

2. Application Logic Hooks: Malicious functions embedded within the server code trigger the download and execution of additional payloads.

3. Malicious npm Dependencies: If the initial methods fail, the malware attempts to install harmful npm packages to achieve infection.

These techniques are meticulously crafted to ensure successful infiltration, even when developers exercise caution by avoiding direct code execution.

Discovery and Attribution

Security researchers at SEAL Intel uncovered the campaign after assisting multiple victims who reported significant financial losses. Analysis of commit histories and metadata revealed that the malware originated from known North Korean IT operatives previously associated with fraudulent projects like Ultra-X. Commit timestamps consistently aligned with Korean Standard Time, further corroborating the attribution.

Infection Process

The malware’s operation unfolds in distinct stages:

1. Node.js Controller Deployment: Upon activation, the malware downloads a Node.js controller that operates entirely in system memory, deploying five specialized modules:

– Keylogger and Screenshot Module: Monitors user activity and transmits data to the attacker’s command server.

– File Grabber: Scans directories for configuration files, secrets, and SSH keys.

– Clipboard Monitor: Watches for cryptocurrency addresses.

– Browser Stealer: Targets databases of browsers like Chrome, Brave, and Opera to extract login credentials and wallet information.

– Remote Access Tool: Establishes a connection to the attacker’s command center, enabling arbitrary shell command execution.

2. Python Payloads for Persistence: Subsequently, Python payloads are deployed to establish stronger persistence mechanisms. On Windows systems, the malware creates startup folder injections and scheduled tasks mimicking legitimate processes like RuntimeBroker.exe. Additionally, a miner module downloads XMRig cryptocurrency mining software. Throughout its execution, the malware creates hidden directories in .npm and system folders to stage stolen data and maintain a foothold across reboots.

Recommendations for Developers

To mitigate the risk of such infections, developers are advised to:

– Disable Automatic VS Code Task Execution: Prevent unintended execution of hidden tasks by disabling this feature.

– Enable Workspace Trust Verification: Ensure that only trusted workspaces are opened and executed.

– Monitor for Indicators of Compromise: Be vigilant for hidden directories such as .n2, .n3, or .npm, which may indicate infection.

– Rotate Credentials and Migrate Cryptocurrency Wallets: If infection is suspected, perform a full credential rotation and migrate cryptocurrency wallets to new addresses from clean devices.

– Reinstall Operating Systems if Necessary: For Windows systems showing signs of infection, a complete operating system reinstallation may be warranted due to registry-level persistence mechanisms.
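As an added defender-side example (not from the article or SEAL Intel), the following Python script turns the first three recommendations into checks: it lists any task a repository's .vscode/tasks.json would run automatically when the folder is opened (the vector described under infection mechanism 1), flags the VS Code settings task.allowAutomaticTasks and security.workspace.trust.enabled when they permit that behaviour, and looks for the .n2 and .n3 directories named above. The sample tasks.json and settings.json contents are constructed for the example; the setting names are real VS Code settings.

```python
import json
from pathlib import Path

# Constructed sample tasks.json: one task set to run when the folder is opened,
# which is the VS Code vector the article lists as infection mechanism 1.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node scripts/setup.js",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

# Constructed sample user settings.json holding the weak values.
SAMPLE_SETTINGS_JSON = """{
  "task.allowAutomaticTasks": "on",
  "security.workspace.trust.enabled": false
}"""

# Only .n2 and .n3 are checked for existence: ~/.npm exists on every machine
# with npm installed, so its mere presence is not an indicator on its own.
SUSPICIOUS_HOME_DIRS = (".n2", ".n3")

def folder_open_tasks(tasks_json_text):
    """Return labels of tasks VS Code would run automatically on folder open."""
    data = json.loads(tasks_json_text)
    return [t.get("label", "<unlabelled>") for t in data.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def settings_findings(settings_json_text):
    """Flag settings that permit automatic tasks or disable workspace trust."""
    s = json.loads(settings_json_text)
    findings = []
    if s.get("task.allowAutomaticTasks") != "off":  # absent or not "off": flag
        findings.append('set "task.allowAutomaticTasks" to "off"')
    if s.get("security.workspace.trust.enabled", True) is False:
        findings.append('set "security.workspace.trust.enabled" to true')
    return findings

def suspicious_home_dirs(home=None):
    """Return which of the article's hidden IoC directories exist under home."""
    home = Path(home) if home else Path.home()
    return [d for d in SUSPICIOUS_HOME_DIRS if (home / d).is_dir()]

if __name__ == "__main__":
    print("auto-run tasks:", folder_open_tasks(SAMPLE_TASKS_JSON))
    print("settings to fix:", settings_findings(SAMPLE_SETTINGS_JSON))
    print("IoC dirs present:", suspicious_home_dirs())
```

To audit a freshly cloned repository before opening it, pass the contents of its .vscode/tasks.json to folder_open_tasks and your user settings.json to settings_findings; VS Code settings files may contain comments, which json.loads does not accept, so strip them first.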

Conclusion

The Contagious Interview campaign underscores the evolving tactics of North Korean cyber actors, who are increasingly leveraging social engineering and sophisticated code abuse techniques to target software developers. By masquerading as legitimate recruiters and embedding malicious code within seemingly innocuous project repositories, these operatives aim to infiltrate systems, exfiltrate sensitive data, and establish persistent access. Developers must remain vigilant, exercise caution when engaging with unsolicited recruitment offers, and implement robust security measures to protect against such insidious threats.