Cybersecurity researchers have identified a sophisticated social engineering campaign targeting software developers, dubbed the Contagious Interview attack. Discovered by security firm Guardio Labs, this multi-stage attack leverages fake job interview processes to trick developers into executing malicious code on their systems.
The attackers employ what researchers describe as a ‘full stack’ approach, creating a convincing lure that includes fraudulent company websites, deceptive LinkedIn profiles, and direct outreach from impersonated recruiters. The goal is to establish trust with the developer before moving to the technical phase of the attack.
Anatomy of the Attack
The Contagious Interview attack unfolds in several distinct stages. It begins when a developer is contacted via email or a platform like LinkedIn by an individual posing as a recruiter for a well-known company. This initial message invites the developer to interview for a role and directs them to a malicious resource, such as a fraudulent website or a code repository.
During the fabricated interview process, the target is asked to complete a technical assessment. The task typically involves cloning a project from a public Git repository and running it locally. The repository contains malicious files, for example a package.json whose lifecycle scripts have been tampered with. When the developer runs a standard command such as npm install to set up the project, npm automatically executes those lifecycle scripts, and the malicious one hidden among them infects the machine.
A Real-World Case and Malicious Payload
In one documented incident, an attacker impersonating a Coinbase recruiter contacted a developer from a lookalike domain, coinbase.com.kg. The developer was instructed to download a repository containing a file named PoC.zip. Following the instructions to unzip the file and run npm install triggered the malware payload.
The payload was identified as a variant of the BlackCap-Grabber, an information-stealing Trojan. This malware attempts to exfiltrate sensitive data from the victim’s machine, including information stored in web browsers, cryptocurrency wallets, and messaging applications like Discord and Telegram. The attack’s effectiveness relies on exploiting the common and trusted practices within the developer community.