lazarusholic


VS Code Tasks Abuse by Contagious Interview (DPRK)

2026-01-13, SecurityAlliance
https://radar.securityalliance.org/vs-code-tasks-abuse-by-contagious-interview-dprk/
#ContagiousInterview

Contents

This report details the forensic analysis of a malicious repository (https://bitbucket[.]org/0xmvptechlab/ctrading) associated with the DPRK "Contagious Interview" campaign. The malware targets developers by embedding a VS Code tasks execution hook as well as a regular npm application that executes a malicious fetch.
The attack employs a "dual-stack" architecture:
- Node.js Layer: Executes immediately upon infection to steal credentials, log keys, and establish a covert RAT within the .npm directory.
- Python Layer: Downloads a secondary infrastructure for long-term surveillance, cryptocurrency wallet theft, and cryptocurrency mining.
The infection vector typically involves a malicious repository distributed as a 'take-home' technical assessment via LinkedIn. In some cases it is a request for code review, when the target is a security researcher or a company developer lured in with a partnership proposal. Threat actors leverage compromised or fabricated profiles with high follower counts to impersonate recruiters and business developers from established organizations.
These campaigns are highly prevalent, and we attribute them to DPRK threat actors with high confidence. In …
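The "VS Code tasks execution hook" named above relies on a documented VS Code feature: a task in `.vscode/tasks.json` whose `runOptions.runOn` is `"folderOpen"` runs as soon as the folder is opened in a trusted workspace. The following is an added example written for this summary, not code from the SecurityAlliance report or from the malicious repository, showing a pre-review audit that a defender can run over a received repository's `tasks.json` before opening it in VS Code. The sample `tasks.json` is constructed; the suspicious-command pattern list and the severity scoring are this example's own assumptions, not indicators from the report.

```python
import json
import re

# Constructed sample .vscode/tasks.json (not taken from the report). VS Code
# accepts comments and trailing commas here, so the file is JSONC, not JSON.
SAMPLE_TASKS_JSON = r'''{
    // constructed sample: one benign task, one auto-run dev task, one hook
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "npm",
            "script": "build",
            "group": "build"
        },
        {
            "label": "watch",
            "type": "npm",
            "script": "watch",
            "runOptions": { "runOn": "folderOpen" }
        },
        {
            "label": "setup",
            "type": "shell",
            "command": "node",
            "args": ["-e", "process.exit(0)"],
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "silent" }
        }
    ]
}'''

# Assumed heuristic: fragments that commonly appear when a task is used as a
# downloader or inline-interpreter launcher. Tune for your environment.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|node\s+-e|fetch\(|powershell|base64)",
    re.IGNORECASE,
)


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before a closing bracket (simple regex, fine for tasks.json).
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def task_command_line(task: dict) -> str:
    """Flatten command + args into one string for pattern matching."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    return " ".join(p for p in parts if p)


def audit_tasks(tasks_json_text: str) -> list:
    """Return one finding per task that VS Code would start on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue                       # only auto-run tasks are of interest
        cmd = task_command_line(task)
        reasons = ["runs automatically on folderOpen"]
        if task.get("type") in ("shell", "process"):
            reasons.append(f"spawns a {task['type']} task")
        if (task.get("presentation") or {}).get("reveal") == "silent":
            reasons.append("terminal output hidden (reveal: silent)")
        if SUSPICIOUS.search(cmd):
            reasons.append("command matches downloader/interpreter pattern")
        findings.append({
            "label": task.get("label"),
            "command": cmd,
            "reasons": reasons,
            "severity": "high" if len(reasons) >= 3 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[{f['severity']}] {f['label']}: {f['command']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it against the `.vscode/tasks.json` of any repository you are asked to review, before opening the folder in VS Code or, at minimum, before marking the workspace as trusted, since folder-open tasks do not fire in a restricted (untrusted) workspace. A `folderOpen` task is not malicious by itself (the constructed `watch` task is a common developer convenience and scores only medium), which is why the score also weighs a shell/process type, hidden output, and downloader-like command text.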

IoC

http://chainlink-api-v3.com/api/service/token/b2040f01294c183945fdbe487022cf8e
http://chainlink-api-v3.com/
https://github.com/pietroETH
https://bitbucket.org/0xmvptechlab/ctrading
https://socket.dev/npm/package/grayavatar/overview/1.0.2
146.70.253.107
172.86.116.178
b38de9527e8ead69a8ead5ce52a9202d2b58b5b7
b2040f01294c183945fdbe487022cf8e