North Korean threat actors are running a sophisticated campaign against IT professionals working in artificial intelligence, Web3, and cryptocurrency. The ongoing operation, known as Contagious Interview, uses trojanized MetaMask wallet extensions and remote-access backdoors to steal digital assets from unsuspecting victims. The attackers hide malicious code inside fake job-interview coding tests, delivered as tainted NPM packages that developers unwittingly execute during technical skills assessments.

The campaign marks a substantial advance in the tactics of financially motivated cybercrime. The attackers rely on two main malware families, BeaverTail and InvisibleFerret, both of which have been updated frequently with more capable data-theft features. Recent versions add sophisticated techniques for tampering with browser extensions and stealing cryptocurrency login credentials.

Beyond establishing a persistent backdoor, the malware searches Windows, macOS, and Linux systems for sensitive files such as password-manager data, wallet information, and development-environment secrets. Threat intelligence analyst Seongsu Park uncovered the most recent attack chain, which shows how the threat actors have streamlined their infection process. The initial JavaScript payload has been deliberately stripped down to only the essential tasks: downloading later attack stages and sending beacons.

This slimming down reduces the chance of detection while preserving operational effectiveness.

Infection diagram (source: Medium)

The attack proceeds in several well-coordinated phases. Victims first run malicious JavaScript concealed inside trojanized NPM packages during a fictitious technical interview. That first script contacts command-and-control infrastructure to retrieve campaign identifiers and encoded server addresses.
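As an added example, not code from the article or from any of the research it cites, the following Python script shows the kind of pre-execution triage a developer or security team can run on an interview "coding test" package before executing anything in it. It lists the package.json lifecycle hooks that npm runs automatically on install and flags JavaScript files containing loader-like patterns (dynamic evaluation fed by a decoded string, child-process spawning, outbound HTTP, long encoded blobs). The indicator patterns, the scoring, and the sample package it builds in a temporary directory are constructed assumptions for illustration, not signatures for BeaverTail or any real sample.

```python
"""Pre-execution triage of an untrusted NPM package (added example, not from the article).

Walks a package directory, reports lifecycle scripts from package.json that run
automatically on `npm install`, and flags JavaScript files containing patterns
commonly seen in first-stage loaders. The heuristics and the sample package built
by build_sample_package() are constructed for illustration.
"""
import json
import os
import re
import tempfile

# Lifecycle hooks npm runs without an explicit user action.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators; the names are descriptive labels, not vendor signatures.
INDICATORS = {
    "dynamic-eval": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "decoded-payload": re.compile(r"Buffer\.from\([^)]*,\s*['\"](base64|hex)['\"]\)"),
    "child-process": re.compile(r"require\(['\"]child_process['\"]\)"),
    "outbound-http": re.compile(r"require\(['\"]https?['\"]\)|\bfetch\s*\("),
    "raw-ip-url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "long-encoded-blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def load_lifecycle_scripts(pkg_dir):
    """Return {hook: command} for the hooks npm would run automatically."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in AUTO_RUN_HOOKS}


def scan_js_file(path):
    """Return the sorted list of indicator names matched in one JavaScript file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def triage_package(pkg_dir):
    """Summarise the package: auto-run hooks plus per-file indicator hits."""
    hits = {}
    for root, dirs, files in os.walk(pkg_dir):
        dirs[:] = [d for d in dirs if d != "node_modules"]  # dependencies are audited separately
        for name in files:
            if name.endswith((".js", ".cjs", ".mjs")):
                full = os.path.join(root, name)
                found = scan_js_file(full)
                if found:
                    hits[os.path.relpath(full, pkg_dir).replace(os.sep, "/")] = found
    return {"auto_run_hooks": load_lifecycle_scripts(pkg_dir), "file_indicators": hits}


def risk_score(report):
    """Crude score: one point per indicator hit, three per auto-run hook that
    invokes node, so a loader wired into postinstall outranks a merely odd file."""
    score = sum(len(v) for v in report["file_indicators"].values())
    score += 3 * sum(1 for cmd in report["auto_run_hooks"].values() if "node" in cmd)
    return score


def build_sample_package():
    """Constructed fixture: a 'coding test' package whose postinstall hook runs a
    small loader that decodes a blob and evaluates it. Not a real malware sample."""
    d = tempfile.mkdtemp(prefix="pkg-")
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "interview-task",
                   "scripts": {"postinstall": "node setup.js", "test": "jest"}}, fh)
    with open(os.path.join(d, "setup.js"), "w", encoding="utf-8") as fh:
        fh.write("const https = require('https');\n"
                 "const blob = '" + "QUJD" * 60 + "';\n"   # 240-char constructed blob
                 "eval(Buffer.from(blob, 'base64').toString());\n")
    with open(os.path.join(d, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = (a, b) => a + b;\n")
    return d


if __name__ == "__main__":
    report = triage_package(build_sample_package())
    print(json.dumps(report, indent=2))
    print("risk:", risk_score(report))
```

To use it on a real package, unpack the tarball or clone the repository and call triage_package(path) instead of the fixture. A non-empty auto_run_hooks entry combined with a decoded-payload or dynamic-eval hit is the strongest signal, since a legitimate test harness rarely needs either; the script reads files only and never runs the package.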

It then downloads the Python-based InvisibleFerret backdoor and two specialized JavaScript files. The first JavaScript component acts as a lightweight backdoor permitting remote command execution, while the second systematically searches for and exfiltrates sensitive files containing keywords such as wallet, metamask, private, mnemonic, and password.

Attack to Replace the MetaMask Extension

The most dangerous component is the surgical manipulation of genuine MetaMask cryptocurrency wallet extensions.

Through the lightweight backdoor, the attackers deploy an additional script that checks Chrome and Brave for an installed MetaMask extension. Once one is found, the malware downloads a trojanized version from command-and-control servers and makes intricate modifications to the browser's configuration files. The attack subverts Chrome's integrity protections by generating valid HMAC-SHA256 signatures, so the tampered configuration passes the browser's tamper-detection checks.

The counterfeit MetaMask extension is only minimally altered: roughly 15 malicious lines have been inserted into its submitPassword function. When a user unlocks the wallet, the trojanized extension captures the master password together with the encrypted vault file that holds the seed phrase and private keys. This stolen data is sent to attacker-controlled servers, giving the attackers full access to the victim's cryptocurrency holdings.

Because the surgical code injection leaves the extension fully functionally compatible with genuine MetaMask, detection is very difficult. Organizations should monitor for suspicious NPM packages in their development workflows and enforce strict code-review procedures. Network administrators should block communication with the identified command-and-control infrastructure. Users should verify the integrity of their MetaMask extension against the official browser stores.
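The integrity check recommended above can be automated. The following Python script is an added example, not MetaMask's code and not code from the article, that hashes every file of an extension bundle, compares an installed copy against a baseline obtained from the official store, and for any modified JavaScript file lists the lines that appear only in the installed copy, which is where a small in-place injection into a function would surface. The two sample bundles it writes, including the submitPassword stub and the injected lines, are constructed fixtures and contain no real extension code.

```python
"""Integrity check of an installed browser-extension bundle against a known-good
baseline (added example; not MetaMask's or the article's code).

A baseline manifest is built from a copy of the extension obtained from the
official store; the installed copy under the browser profile is hashed and
compared. Added, removed and modified files are reported, and for a modified
JavaScript file the lines present only in the installed copy are listed.
"""
import difflib
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def compare_manifests(baseline, installed):
    """Return sorted lists of added, removed and modified relative paths."""
    base_keys, inst_keys = set(baseline), set(installed)
    modified = {p for p in base_keys & inst_keys if baseline[p] != installed[p]}
    return {"added": sorted(inst_keys - base_keys),
            "removed": sorted(base_keys - inst_keys),
            "modified": sorted(modified)}


def injected_lines(baseline_file, installed_file):
    """Lines that exist in the installed file but not in the baseline file."""
    with open(baseline_file, encoding="utf-8") as a, open(installed_file, encoding="utf-8") as b:
        base_lines, inst_lines = a.read().splitlines(), b.read().splitlines()
    diff = difflib.unified_diff(base_lines, inst_lines, lineterm="", n=0)
    # Skip the '+++' file header; keep only genuinely added lines.
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


def audit_extension(baseline_dir, installed_dir):
    """Full report: manifest delta plus injected lines for each modified .js file."""
    delta = compare_manifests(hash_tree(baseline_dir), hash_tree(installed_dir))
    delta["injections"] = {
        p: injected_lines(os.path.join(baseline_dir, p), os.path.join(installed_dir, p))
        for p in delta["modified"] if p.endswith(".js")}
    return delta


# Constructed stand-ins for a wallet extension's unlock handler.
CLEAN_JS = """function submitPassword(password) {
  return unlockVault(password);
}
"""
# Constructed tampered copy: two extra lines inside submitPassword.
TAMPERED_JS = """function submitPassword(password) {
  recordUnlock(password); // constructed injected line
  beacon(); // constructed injected line
  return unlockVault(password);
}
"""


def build_fixture():
    """Write a clean and a tampered bundle to temp dirs; returns (clean, tampered)."""
    clean = tempfile.mkdtemp(prefix="ext-clean-")
    tampered = tempfile.mkdtemp(prefix="ext-inst-")
    for d, js in ((clean, CLEAN_JS), (tampered, TAMPERED_JS)):
        os.makedirs(os.path.join(d, "scripts"))
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            fh.write('{"name": "wallet-ext", "version": "1.0.0"}\n')
        with open(os.path.join(d, "scripts", "ui.js"), "w", encoding="utf-8") as fh:
            fh.write(js)
    with open(os.path.join(tampered, "scripts", "helper.js"), "w", encoding="utf-8") as fh:
        fh.write("// constructed extra file dropped alongside the tampered bundle\n")
    return clean, tampered


if __name__ == "__main__":
    clean_dir, installed_dir = build_fixture()
    print(audit_extension(clean_dir, installed_dir))
```

For a real check, point baseline_dir at an unpacked copy of the store-published version and installed_dir at the extension's directory under the browser profile (on Chromium browsers, Extensions/<id>/<version> inside the profile folder). Hashes differ between versions, so the baseline must match the installed version string; a modified file under an unchanged version number is the finding to investigate.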

Routinely reviewing browser-extension permissions can also help detect compromise attempts.

Security teams should implement behavioral detection rules that target unauthorized browser configuration changes and file-exfiltration patterns. Developers should not execute untrusted NPM packages, particularly those received during hiring processes.
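The two behavioral rules suggested above can be prototyped over file-access telemetry. The following Python script is an added example, not from the article or from any EDR product, implementing both: a per-process sweep of files whose paths contain the keywords the article lists (wallet, metamask, private, mnemonic, password) within a short window, and a write to a Chromium profile's Preferences or Secure Preferences file by a process other than the browser itself. The log line format, the sample events, the thresholds and the process names are constructed assumptions; adapt the parser to whatever your sensor emits.

```python
"""Behavioural detection over file-access telemetry (added example).

Rule 1, sensitive-file sweep: one process opens at least SWEEP_THRESHOLD distinct
files whose paths contain wallet/credential keywords within WINDOW seconds.
Rule 2, browser-config tamper: a process other than the browser writes to a
Chromium profile's Preferences or Secure Preferences file.
The log format, sample events and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

KEYWORDS = ("wallet", "metamask", "private", "mnemonic", "password")
SWEEP_THRESHOLD = 4          # distinct sensitive files (assumed tuning value)
WINDOW = 60                  # seconds (assumed tuning value)
BROWSER_PROCS = {"chrome", "chrome.exe", "brave", "brave.exe"}
PREF_FILES = ("Preferences", "Secure Preferences")

# Constructed telemetry format: "<iso-ts> pid=<n> proc=<name> op=<open|write> path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")


def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def is_sensitive(path):
    """True if any keyword appears anywhere in the lower-cased path."""
    return any(k in path.lower() for k in KEYWORDS)


def detect_sweeps(events):
    """Rule 1: sliding window per pid over distinct sensitive paths; fires once per pid."""
    alerts, fired = [], set()
    per_pid = defaultdict(list)  # pid -> [(ts, path)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "open" or not is_sensitive(ev["path"]):
            continue
        hist = per_pid[ev["pid"]]
        hist.append((ev["ts"], ev["path"]))
        recent = {p for t, p in hist if (ev["ts"] - t).total_seconds() <= WINDOW}
        if len(recent) >= SWEEP_THRESHOLD and ev["pid"] not in fired:
            fired.add(ev["pid"])
            alerts.append({"rule": "sensitive-file-sweep", "pid": ev["pid"],
                           "proc": ev["proc"], "files": sorted(recent)})
    return alerts


def detect_pref_tamper(events):
    """Rule 2: non-browser process writing to a Chromium profile preference file."""
    alerts = []
    for ev in events:
        name = ev["path"].rsplit("/", 1)[-1]
        if ev["op"] == "write" and name in PREF_FILES and ev["proc"].lower() not in BROWSER_PROCS:
            alerts.append({"rule": "browser-pref-tamper", "pid": ev["pid"],
                           "proc": ev["proc"], "path": ev["path"]})
    return alerts


# Constructed sample telemetry: one node process sweeping keyword-named files and
# then writing the browser's Secure Preferences; the browser's own write is benign.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z pid=4242 proc=node op=open path=/home/dev/.config/MyWallet/wallet.json
2025-01-01T10:00:02Z pid=4242 proc=node op=open path=/home/dev/notes/private-keys.txt
2025-01-01T10:00:03Z pid=4242 proc=node op=open path=/home/dev/.metamask/vault.dat
2025-01-01T10:00:04Z pid=7001 proc=chrome op=write path=/home/dev/.config/google-chrome/Default/Preferences
2025-01-01T10:00:05Z pid=4242 proc=node op=open path=/home/dev/Documents/mnemonic.txt
2025-01-01T10:00:09Z pid=4242 proc=node op=write path=/home/dev/.config/google-chrome/Default/Secure Preferences
2025-01-01T10:00:10Z pid=9000 proc=vim op=open path=/home/dev/src/main.c
"""


def run_detections(log_text):
    """Parse the log and return alerts from both rules."""
    events = [ev for ev in (parse_line(raw) for raw in log_text.splitlines()) if ev]
    return detect_sweeps(events) + detect_pref_tamper(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The sweep rule fires once per process when the fourth distinct keyword-matching file is opened within the window, and the tamper rule fires on the node process's write to Secure Preferences but not on the browser's own write. In production, tune SWEEP_THRESHOLD and WINDOW against a baseline of developer activity, since build tools legitimately touch files named after these keywords in small numbers.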