Security researchers have uncovered an ongoing campaign of financial theft and cyber-espionage aimed at developers in the Web3, cryptocurrency, and artificial intelligence sectors. The operation, tracked as Contagious Interview, compromises developer machines and then steals cryptocurrency funds using sophisticated malware and social engineering. The attackers approach victims through fictitious job interviews or technical tests.

As part of an evaluation, victims are asked to run or review code. Malicious packages are concealed within the project files, and once they are run, they silently infect the system. North Korean threat actors, who have targeted crypto professionals on multiple occasions, are blamed by investigators for the activity. Getting private keys, wallet credentials, and other sensitive data that can be instantly turned into cash is their obvious goal.

Malware Infection in Multiple Stages

Security researcher Seongsu Park reports that the infection begins with a malicious JavaScript file bundled inside a trojanized development package. Once the script runs, it confirms a successful compromise by sending a beacon to a command-and-control (C2) server and then downloads further components.

The second stage installs multiple payloads: a Python-based backdoor named InvisibleFerret and two JavaScript tools. One tool sets up a simple remote-access backdoor, while the other hunts for valuable information on the system, including cryptocurrency wallets, password manager databases, and browser credentials. The malware locates targets by pattern-based file discovery, searching for filenames that contain keywords such as "wallet," "seed," "private," "keys," "mnemonic," and "password."

Matching data is sent to the attacker's servers automatically.

The backdoor executes commands remotely and maintains a persistent connection to the attackers. With this access, the criminals can steal files, download new scripts, and monitor activity on Linux, macOS, and Windows systems.

[Figure: diagram of the infection chain (source: Medium)]

Theft via a Fake MetaMask Wallet

After taking over the system, the attackers install a counterfeit version of the MetaMask cryptocurrency wallet extension.

Rather than merely dropping additional malware, they replace the genuine browser extension. The malware looks for the MetaMask installation folder in the Chrome and Brave browser profiles, downloads a malicious extension, and edits the browser's configuration files so that the browser loads the attacker's version instead. It circumvents the browser's security checks by turning on developer mode and rewriting the preference protection signatures.
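One way a defender can audit a Chrome or Brave profile for the tampering described above, written as an added example rather than code from the researchers' write-up. It assumes the Chromium Preferences layout (an `extensions.ui.developer_mode` flag, per-extension entries under `extensions.settings` with `location`, `path` and `manifest`, and location code 4 meaning an unpacked extension) and MetaMask's Web Store ID; verify those against your browser version before relying on it.

```python
import json

# Constructed sample of the relevant parts of a Chromium-style Preferences file,
# showing what a replaced wallet extension might look like. Not from a real machine.
# Key names and the location code are assumptions about the Chromium format.
METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"  # MetaMask's Chrome Web Store ID
LOCATION_UNPACKED = 4                              # Chromium ManifestLocation::kUnpacked (assumed)
WEBSTORE_UPDATE_HOST = "clients2.google.com"       # host in store-installed update_url

SAMPLE_PREFS = json.loads("""{
  "extensions": {
    "ui": {"developer_mode": true},
    "settings": {
      "nkbihfbeogaeaoehlefnkodbefgpgknn": {
        "location": 4,
        "path": "/tmp/.cache/mm-ext",
        "manifest": {"name": "MetaMask", "version": "12.0.0", "update_url": ""}
      }
    }
  }
}""")


def load_preferences(path: str) -> dict:
    """Read a profile's Preferences file (e.g. <profile dir>/Preferences)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_wallet_extension(prefs: dict, ext_id: str = METAMASK_ID) -> list[str]:
    """Return indicators that the wallet extension has been swapped for a side-loaded copy."""
    findings = []
    ext = prefs.get("extensions", {})
    # 1. Developer mode is what lets an unpacked (side-loaded) extension run at all.
    if ext.get("ui", {}).get("developer_mode") is True:
        findings.append("developer_mode enabled")
    entry = ext.get("settings", {}).get(ext_id)
    if entry is None:
        findings.append(f"{ext_id} not installed")
        return findings
    # 2. A store install is not 'unpacked' and lives under Extensions/<id>/<version>_0
    #    (a relative path); an absolute path points to a directory the attacker chose.
    if entry.get("location") == LOCATION_UNPACKED:
        findings.append("extension loaded unpacked instead of from the Web Store")
    path = entry.get("path", "")
    if not path.startswith(ext_id + "/"):
        findings.append(f"extension path outside the profile Extensions dir: {path}")
    # 3. Store-installed extensions keep the store update_url in their manifest.
    if WEBSTORE_UPDATE_HOST not in entry.get("manifest", {}).get("update_url", ""):
        findings.append("manifest update_url does not point at the Web Store")
    return findings


if __name__ == "__main__":
    for finding in audit_wallet_extension(SAMPLE_PREFS):
        print("[!]", finding)
```

The checks are heuristics on configuration state, not a signature of this campaign; a clean profile returns an empty list, and any finding warrants reinstalling the extension from the store and rotating wallet secrets.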

Because the altered wallet looks and behaves normally, the compromise is hard to spot. When the wallet is opened, however, hidden code captures the encrypted vault data and the user's wallet unlock password and transmits them to the attackers' servers.

With that material the criminals can later decrypt the vault offline, extract seed phrases, and move cryptocurrency funds without the victim's knowledge. According to the researchers, the attackers added only a few lines of malicious code, so the wallet functions exactly like the genuine one while quietly stealing login credentials. The Medium write-up notes that the campaign illustrates a growing pattern in which attackers compromise users directly instead of attacking blockchain networks. Experts advise developers to use hardware wallets whenever feasible, to verify browser extensions, and never to run unknown code during interviews.