JSON services hijacked by North Korean hackers to send out malware


  • Lazarus Group used JSON storage services to host malware in the Contagious Interview campaign targeting developers
  • Attackers lured victims via fake LinkedIn job offers, delivering BeaverTail, InvisibleFerret, and TsunamiKit malware
  • Malware exfiltrates data, steals crypto, and mines Monero—while blending into normal dev workflows

North Korean state-sponsored threat actors, part of the infamous Lazarus Group, have been seen hosting malware and other malicious code on JSON storage services.

Cybersecurity researchers at NVISO flagged that they had seen attackers using JSON Keeper, JSONsilo, and npoint.io in a bid to remain unseen and persistent in their attacks.

The attacks seem to be part of the Contagious Interview campaign. In it, the miscreants would first create fake LinkedIn profiles and reach out to software developers either with enticing job offers, or to ask for help on a coding project. During the back-and-forth, the crooks would ask the victims to download a demo project from GitHub, GitLab, or Bitbucket.

Deploying infostealers and backdoors

Now, NVISO said that in one of these projects it found a Base64-encoded value that looks like an API key but is actually a URL pointing to a JSON storage service. Hosted there was BeaverTail, an infostealer and loader that dropped InvisibleFerret, a Python backdoor, and TsunamiKit.
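A defender-side check for the indicator described above: scan a project's source for Base64-encoded values that look like API keys but decode to URLs on the JSON storage services the report names. This is an added example, not NVISO's or the campaign's code; the host list and the two sample config snippets are constructed for illustration.

```python
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# JSON storage services named in the report; constructed list, extend as needed.
SUSPECT_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")

# A run of 24+ Base64 characters (plus optional padding): key-shaped, URL-sized.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_candidate(token: str) -> Optional[str]:
    """Decode a token as Base64 if it is valid Base64 and yields printable ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def is_suspect_host(host: str) -> bool:
    """True for a suspect service or any of its subdomains (e.g. api.npoint.io)."""
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)

def find_hidden_urls(source: str) -> List[Tuple[str, str, str]]:
    """Return (token, decoded_url, host) for every token hiding a suspect URL."""
    hits = []
    for match in B64_TOKEN.finditer(source):
        token = match.group(0)
        decoded = decode_candidate(token)
        if not decoded or not decoded.startswith(("http://", "https://")):
            continue
        host = urlparse(decoded).hostname or ""
        if is_suspect_host(host):
            hits.append((token, decoded, host))
    return hits

# Constructed sample: a config file where one "API key" is really a hidden URL.
HIDDEN_URL = "https://api.npoint.io/example-doc-id"   # placeholder, not a real IoC
SAMPLE_CONFIG = (
    "API_KEY = '" + base64.b64encode(HIDDEN_URL.encode()).decode() + "'\n"
    "DB_URL = 'postgres://app@localhost/app'\n"
)
# Constructed benign sample: a key-shaped string and an encoded non-suspect URL.
BENIGN_CONFIG = (
    "API_KEY = 'sk_live_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123'\n"
    "REPO = '" + base64.b64encode(b"https://github.com/example/repo").decode() + "'\n"
)
```

Running `find_hidden_urls` over each file in a cloned demo repository flags only the key-shaped token that decodes to a suspect URL; ordinary keys and encoded URLs to other hosts are ignored.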

The latter is a multi-stage malware toolkit written in Python and .NET that can serve either as an infostealer or as a cryptojacker, installing XMRig on the compromised device and forcing it to mine the Monero cryptocurrency. Some researchers also said they spotted BeaverTail deploying Tropidoor and AkdoorTea.

"It's clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information," the researchers warned.

"The use of legitimate websites such as JSON Keeper, JSON Silo, and npoint.io, along with code repositories such as GitLab and GitHub, underlines the actor's motivation and sustained attempts to operate stealthily and blend in with normal traffic."

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.