North Korean threat actors are abusing Visual Studio Code task configuration files for malware delivery in a new campaign targeting macOS software developers, Jamf warns.
The attacks, the security firm says, represent a fresh iteration of fake job offer campaigns attributed to North Korean hackers, including Operation Dream Job, Contagious Interview, ClickFake Interview, and DeceptiveDevelopment.
Instead of using a ClickFix-based technique for malware delivery, the new attacks trick victims into accessing or cloning repositories hosted on GitHub or GitLab, under the pretext of a job assignment.
The malicious projects, Jamf explains, contain VS Code task configuration files with heavily obfuscated malicious JavaScript code.
Once the repositories are opened in VS Code, the victim is prompted to trust the project’s author, which results in malicious commands being executed on the macOS system.
The executed shell command retrieves a JavaScript payload and pipes it into the Node.js runtime, which ensures that the execution continues after VS Code is closed.
According to Jamf, the JavaScript payload sets up persistence, collects basic system information, and establishes communication with the command-and-control (C&C) server.
It also includes several routines that implement core backdoor functionality, including remote code execution and system fingerprinting.
The main function of the backdoor is to dynamically execute JavaScript code supplied to it. The code can import additional Node.js modules to expand its functionality.
The backdoor harvests machine information such as operating system details, hostname, and MAC addresses, and attempts to identify the public-facing IP address.
It also implements a beaconing function that periodically sends host details to the C&C server and processes the responses.
Jamf also observed the backdoor fetching a JavaScript payload similar to itself, which could retrieve additional code (apparently generated with the assistance of AI) from the C&C and execute it in a child process.
“Developers should remain cautious when interacting with third-party repositories, especially those shared directly or originating from unfamiliar sources. Before marking a repository as trusted in Visual Studio Code, it’s important to review its contents,” Jamf notes.
Related: FBI: North Korean Spear-Phishing Attacks Use Malicious QR Codes
Related: North Korea’s Digital Surge: $2B Stolen in Crypto as Amazon Blocks 1,800 Fake IT Workers
Related: React2Shell Attacks Linked to North Korean Hackers
Related: 5 Plead Guilty in US to Helping North Korean IT Workers
