Full Report
The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads. "The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure," NVISO researchers Bart Parys, Stef
Analysis Summary
# Threat Actor: Contagious Interview Actors (Attributed to North Korea)
## Attribution & Identity
**Attribution:** North Korean threat actors.
**Aliases/Associated Groups:** Operatives associated with the **Contagious Interview** campaign.
## Activity Summary
The actors keep updating their tradecraft to stay stealthy while casting a "very wide net." Their recent activity centres on abusing legitimate, trusted services for covert malware delivery. Targets are approached on professional networking sites such as LinkedIn by operatives posing as recruiters or project collaborators, and are talked into downloading and running trojanized code projects hosted on GitHub, GitLab, or Bitbucket.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Social engineering via LinkedIn under the pretext of job assessments or project collaboration.
- **Payload Staging:** Utilizing legitimate JSON storage services (JSON Keeper, JSONsilo, npoint.io) to host and deliver obfuscated, next-stage malware payloads.
- **Code Infection:** Planting Base64-encoded URLs that masquerade as API keys in configuration files (e.g., `server/config/.config.env`) of the trojanized projects. Decoding the fake "API key" yields the URL of the JSON storage record that serves the next stage, so a casual review of the source sees only what looks like a credential.
- **Malware Execution Chain:**
1. Running the trojanized project decodes the fake API key into the URL of the JSON storage service and fetches the payload stored there.
2. That payload is **BeaverTail**, a JavaScript malware that harvests sensitive data, including crypto wallet information.
3. BeaverTail drops the **InvisibleFerret** Python backdoor (functionality largely unchanged since it was first documented in late 2023).
4. InvisibleFerret fetches an additional payload, **TsunamiKit**, from Pastebin.
5. TsunamiKit performs system fingerprinting and data collection, then attempts to fetch further payloads from a hard-coded .onion address (currently offline).
- **Observed Payloads/Malware:** BeaverTail, InvisibleFerret, and TsunamiKit in this chain; Tropidoor and AkdoorTea have previously been associated with the campaign.
- **Evasion:** Staging payloads on legitimate, widely used websites (JSON storage services, Pastebin, GitHub/GitLab/Bitbucket) so that the fetches blend in with normal developer traffic and are unlikely to be blocked by domain reputation.
*MITRE ATT&CK IDs are not provided in the source text.*
## Targeting
**Sectors:** Not explicitly detailed, but the focus on trojanized *code projects* and targeting *developers* suggests the **Software Development/Technology Sector** is a primary focus.
**Geography:** Not region-specific; any "developer that might seem interesting" is a potential target.
**Victims:** Software developers and associated organizations.
## Tools & Infrastructure
- **Malware Families Used:** BeaverTail, InvisibleFerret, TsunamiKit; Tropidoor and AkdoorTea in earlier activity.
- **Infrastructure (C2, domains, IPs):** No C2 domains or IP addresses are given in the source text; the chain relies on third-party services.
  - **Malware Hosting:** JSON Keeper, JSONsilo, npoint.io (staging services for the BeaverTail stage).
  - **Code Repositories:** GitHub, GitLab, Bitbucket (hosting for the trojanized projects).
  - **Secondary Payload Hosting:** Pastebin (serves TsunamiKit to InvisibleFerret).
  - **Tertiary Payload Source:** A hard-coded .onion address queried by TsunamiKit (currently offline).
## Implications
The actors demonstrate continuous adaptation, folding legitimate cloud services into the attack chain so that payload retrieval rides on trusted domains and slips past reputation-based perimeter controls. The objective remains espionage and data theft, in particular sensitive data and crypto wallet information taken from software developers.
## Mitigations
- Exercise extreme caution when downloading and executing code samples or demo projects from external sources, even when the contact was established through a professional channel (e.g., LinkedIn). Run unknown projects in a disposable VM or container, never on a workstation holding credentials or wallets.
- Review configuration files, environment variables, and source code of external projects for long Base64-looking strings; decode them and check whether they resolve to URLs, particularly URLs of public JSON storage or paste services.
- Monitor outbound network traffic from development environments and from interpreters (node, python) for connections to public JSON storage providers, Pastebin, and similar services that a build or test run has no business contacting.
- Implement endpoint detection and response capable of catching the dynamic payload-fetching pattern: a JavaScript process initiating a network connection followed by a Python interpreter being spawned and a backdoor being written to disk.
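The two checks above (Base64 values in config files that decode to staging URLs, and outbound connections from developer tooling to public JSON storage or paste services) can be scripted. The following is an added example written for this page, not NVISO's or the threat actor's code. The `.env` content and the proxy log lines are constructed for illustration; `npoint.io` and Pastebin appear in the report, while `jsonkeeper.com` and `jsonsilo.com` are assumed hostnames for JSON Keeper and JSONsilo, and the log format is a hypothetical `timestamp src_ip dest_host method path process` layout.

```python
"""Hunt for Base64-encoded staging URLs in config files and for outbound
connections to JSON storage / paste services. Example code written for this
summary; hostnames marked below are assumptions, and all inputs are constructed."""
import base64
import binascii
import re
from urllib.parse import urlparse

# npoint.io and pastebin.com are named in the report; jsonkeeper.com and
# jsonsilo.com are ASSUMED hostnames for JSON Keeper and JSONsilo.
STAGING_HOSTS = {"jsonkeeper.com", "jsonsilo.com", "npoint.io", "pastebin.com"}

# A value that is plausibly Base64: charset only, reasonably long, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# KEY=value lines as found in .env files (optional quotes, optional "export").
KV_RE = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*['"]?([^'"\s#]+)['"]?""")


def host_matches(hostname, suspicious=STAGING_HOSTS):
    """True if hostname equals, or is a subdomain of, a listed staging host."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == h or hostname.endswith("." + h) for h in suspicious)


def decode_to_url(value):
    """Return the http(s) URL hidden in a Base64 value, or None if it is not one."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None  # random secrets usually fail here: not valid Base64 or not text
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return text
    return None


def scan_env(text):
    """Return (key, decoded_url, hits_staging_host) for every value that decodes to a URL."""
    findings = []
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        url = decode_to_url(value)
        if url is not None:
            findings.append((key, url, host_matches(urlparse(url).hostname or "")))
    return findings


def flag_connections(log_lines):
    """Return (timestamp, src_ip, dest_host, process) for proxy lines hitting staging hosts."""
    hits = []
    for line in log_lines:
        try:
            ts, src, host, _method, _path, proc = line.split()
        except ValueError:
            continue  # malformed line: skip rather than abort the whole sweep
        if host_matches(host):
            hits.append((ts, src, host, proc))
    return hits


# Constructed sample .env: one genuine-looking secret, one Base64 URL posing as an
# API key (the pattern the report describes), one Base64 blob that is not a URL.
SAMPLE_ENV = "\n".join([
    "DB_HOST=localhost",
    "STRIPE_KEY=sk_test_" + "a" * 24,
    "API_KEY=" + base64.b64encode(b"https://api.npoint.io/0123456789ab").decode(),
    "SESSION_SECRET=" + base64.b64encode(b"not a url, just a random secret!!").decode(),
])

# Constructed proxy log in the hypothetical layout described in the lead-in.
SAMPLE_PROXY_LOG = [
    "2025-11-13T09:14:02Z 10.0.4.21 registry.npmjs.org GET /express node",
    "2025-11-13T09:14:05Z 10.0.4.21 api.npoint.io GET /0123456789ab node",
    "2025-11-13T09:14:09Z 10.0.4.21 pastebin.com GET /raw/abcd1234 python",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for key, url, flagged in scan_env(SAMPLE_ENV):
        print(f"{key}: decodes to {url} -> {'STAGING HOST' if flagged else 'review'}")
    for ts, src, host, proc in flag_connections(SAMPLE_PROXY_LOG):
        print(f"{ts} {src} -> {host} from {proc}")
```

Both checks key off the same host list, so adding a newly abused service to `STAGING_HOSTS` tightens the static review and the network hunt at once. Any value that decodes to a URL is worth a look even when the host is not listed, which is why `scan_env` reports all of them and marks only the known staging hosts.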