In a sophisticated cyberattack, North Korean hacking groups have launched a campaign targeting professionals in the cryptocurrency, Web3, and artificial intelligence sectors. This operation, called Contagious Interview, involves deploying remote access backdoors and fake MetaMask wallet extensions to steal digital assets.
Attack Strategy and Techniques
The attackers cleverly embed malicious code within fake job interview assessments. These assessments use compromised NPM packages, which unsuspecting developers execute during technical evaluations. This method marks a significant advancement in financial cybercrime tactics, employing two main malware families known as BeaverTail and InvisibleFerret. These malware variants are continuously updated to enhance data theft capabilities.
Recent malware iterations show sophisticated methods for manipulating browser extensions and intercepting cryptocurrency credentials. They not only establish persistent backdoor access but also search for sensitive files such as wallet data and password managers across multiple operating systems, including Windows, macOS, and Linux.
Streamlined Infection Process
Threat Intelligence analyst Seongsu Park has detailed the streamlined infection chain used by these threat actors. The initial JavaScript payload is designed to perform essential functions like beacon transmission and downloading further attack stages. This streamlined approach reduces detection chances while maintaining effectiveness.
Victims are lured into running malicious JavaScript hidden in trojanized NPM packages during fake technical interviews. The initial script reaches out to command-and-control servers to retrieve encoded server addresses and campaign identifiers. This leads to the download of specialized JavaScript files and the Python-based InvisibleFerret backdoor.
Manipulating MetaMask Extensions
The attack’s most dangerous element involves manipulating legitimate MetaMask cryptocurrency wallet extensions. Through a lightweight backdoor, attackers scan Chrome and Brave browsers for installed MetaMask extensions. If found, they download a trojanized version from their servers and modify browser configuration files.
The malware uses complex techniques like generating valid HMAC-SHA256 signatures to bypass security mechanisms. The altered MetaMask extension adds only about 15 malicious lines, all inside the submitPassword function. When a user unlocks the wallet, the modified function captures the master password and the encrypted vault file and sends both to attacker-controlled servers, giving the attackers full access to the victim's cryptocurrency holdings.
To mitigate this threat, organizations should monitor for suspicious NPM packages and enforce strict code review processes. Network administrators are advised to block communication with known command-and-control infrastructures. Users should verify MetaMask extension integrity through official browser stores and regularly monitor extension permissions. Security teams should also implement behavioral detection rules to identify file exfiltration and unauthorized browser modifications. Developers are urged to avoid executing untrusted NPM packages, particularly those received during recruitment.
