Beyond the Backdoor: How Contagious Interview Is Surgically Tampering with MetaMask Wallets
Introduction
Contagious Interview is an ongoing cyber threat campaign targeting IT professionals working in cryptocurrency, Web3, and artificial intelligence sectors. The campaign, orchestrated by North Korean threat actors, aims to steal financial information and sensitive data from developers and engineers.
The attackers consistently deploy two primary malware families, BeaverTail and InvisibleFerret, regularly updating these tools with new capabilities. Recent analysis indicates that the threat actors have significantly expanded their data theft capabilities by incorporating manipulation of the MetaMask wallet extension, making the campaign more aggressive and effective in compromising victim systems.
Key Takeaways
The attackers simplified their first-stage JavaScript code to perform two core functions: confirming successful infection by sending a beacon to their servers, and downloading the next stage of the attack.
The fetched payload consists of two additional JavaScript files and a Python-based malware called InvisibleFerret, all retrieved from the attackers’ remote server.
The downloaded JavaScript files serve distinct roles: one creates a backdoor for remote access …