New North Korean campaign uses fake coding interviews to steal developer credentials

New North Korean campaign uses fake coding interviews to steal developer credentials
Elastic Security Labs uncovered REF9403, a new Contagious Interview campaign that hides malware in SVG files via steganography and uses fake job offers to target developers. The payloads align with OTTERCOOKIE and include browser and wallet theft, file theft, a Socket.IO-based RAT, and clipboard stealing, with infrastructure on rightwidth[.]dev and related subdomains. #REF9403 #ContagiousInterview #OTTERCOOKIE #rightwidthdev

Keypoints

  • Elastic Security Labs identified a previously undocumented Contagious Interview infection chain tracked as REF9403.
  • The campaign targeted developers through fake job postings and coding challenge repositories shared in Slack direct messages.
  • Malware payloads were hidden in SVG image files using steganography, with Base64 fragments spread across flag images.
  • The malicious code executed on server startup and delivered four stages: browser and crypto wallet stealing, file theft, a Socket.IO RAT, and clipboard stealing.
  • The malware showed strong overlap with OTTERCOOKIE in code, behavior, and infrastructure.
  • Stolen data was exfiltrated to rightwidth[.]dev infrastructure, including ldb.rightwidth[.]dev, upload.rightwidth[.]dev, controller.rightwidth[.]dev, and file.rightwidth[.]dev.
  • The operation used trojanized repositories that appeared functional, and some victims reportedly ran or published them unknowingly.

MITRE Techniques

  • [T1056.001 ] Keylogging / Clipboard Data Capture – The campaign included clipboard stealing to collect copied content from victim systems. [‘The clipboard functionality is only available on macOS and Windows. The malware polls every 500ms for new clipboard content, exfiltrating any changes’]
  • [T1105 ] Ingress Tool Transfer – The dropper downloaded second-stage binaries from an external host before renaming them and executing them. [‘downloads three second-stage binaries via curl from file.rightwidth[.]dev’]
  • [T1027 ] Obfuscated Files or Information – The malware used obfuscator.io and hidden Base64 fragments in SVG comments to conceal payloads and evade static detection. [‘hide chunks of the malware’, ‘This JavaScript malware is protected by obfuscator.io’]
  • [T1027.003 ] Steganography – Malware code was concealed inside legitimate-looking SVG image files. [‘using steganography in SVG image files to hide chunks of the malware’]
  • [T1036 ] Masquerading – The malware disguised itself as benign npm-related activity and legitimate project files to avoid suspicion. [‘sets its process title to npm-cache, masquerading as a benign npm caching process’]
  • [T1059.007 ] JavaScript – The malicious logic was implemented in JavaScript and executed on server startup. [‘server/index.js calls runServerValidation()’, ‘JavaScript file in the repo’]
  • [T1218.005 ] Scripting: Visual Basic / PowerShell – PowerShell was used on Windows to read clipboard contents. [‘powershell -NoProfile -NonInteractive Get-Clipboard’]
  • [T1053 ] Scheduled Task / Job – The malware ran persistently on startup by being invoked through npm scripts when the server launched. [‘both npm run dev and npm start launch server/index.js, so the payload executes on each server boot’]
  • [T1071.001 ] Web Protocols – The RAT used Socket.IO over HTTPS for command-and-control communication. [‘establishes a persistent Socket.IO command-and-control channel’]
  • [T1021.005 ] Remote Services: Socket Sessions – The operator executed shell commands over the Socket.IO channel for interactive access. [‘returns the output as a message event over the same Socket.IO connection’]
  • [T1082 ] System Information Discovery – The malware collected host details and checked system characteristics for VM detection and victim registration. [‘system host information’, ‘Retrieves system details using the WMIC command’]
  • [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – The malware checked for VMware, VirtualBox, QEMU, Parallels, and similar indicators before continuing. [‘vmware, virtualbox, qemu, microsoft corporation’, ‘If there is a match, the malware places a tag in the C2 response with (VM)’]
  • [T1113 ] Screen Capture / Clipboard Theft – The malware collected clipboard content as a form of user input theft. [‘exfiltrating any changes to the C2 server’]
  • [T1003 ] OS Credential Dumping – The browser credential and keychain theft targeted saved credentials and authentication material. [‘exfiltrates saved credentials’, ‘the system keychain database is also exfiltrated’]
  • [T1005 ] Data from Local System – The file stealer recursively collected documents, source code, configuration files, histories, and other local data. [‘searching for the following files whose names match a set of glob patterns’]
  • [T1033 ] System Owner/User Discovery – The malware used user and host context in registration and file-path targeting, including user directory lock files. [‘writing its own process ID to a lock file in the user’s directory’]

Indicators of Compromise

  • [SHA-256 ] Trojanized repository samples – 8e571d58794b9b44ae53c2c67bedef72c500e8adbb80aab7a5c263adcba55b1e, 3e6360f83a95540aa2176d279ca4694513afb1e5116a7ffe591c6b5bcf3b9c3c, and other 6 hashes
  • [Domain ] C2 and infrastructure – rightwidth[.]dev, ldb.rightwidth[.]dev, upload.rightwidth[.]dev, controller.rightwidth[.]dev, file.rightwidth[.]dev
  • [IPv4 ] OTTERCOOKIE C2 infrastructure – 195.26.248[.]212, 188.40.64[.]61
  • [File names ] Trojanized repositories and payloads – next-ecommerce-private-main.zip, shopping-platform-main.zip, hostService.txt, printSvc.txt
  • [API endpoints ] RAT and exfiltration paths – /api/service/makelog, /api/service/process/, /cldbs, /upload
  • [Process / command strings ] Execution and clipboard collection – server/index.js, npm-cache, wmic logicaldisk get name, powershell -NoProfile -NonInteractive Get-Clipboard
  • [Wallet extension IDs ] Targeted browser extensions – nkbihfbeogaeaoehlefnkodbefgpgknn, acmacodkjbdgmoleebolmdjonilkdbch, and other 23 items


Read more: https://www.elastic.co/security-labs/contagious-interview-malware-svg-steganography