For anyone interested, I deobfuscated the payload being used by North Korean hackers in their "Contagious Interview" tactic.
Here's how the whole thing goes:
- They contact you with a fake Western LinkedIn profile about a great new job
- They arrange a technical intro call with you with one of their engineers
- That engineer asks you to review their prototype and provide feedback as part of the interview process
- The prototype is malware, obvs.
These will get more advanced: they'll start using AI to cover up their accents, and they'll gradually learn to hide the red flags I spotted, which is how I knew this was coming.
On to the malware itself... it's very simple.
- It's hooked into a "prepare" step in package.json, meaning it will trigger when you run npm install, so it doesn't require you to actually run their software - only clone and npm install.
- It runs this code below as a background process - which is hidden in one of the files behind loads of spaces such that you won't see it in the GitHub UI.
Then:
- Fingerprints the host for uniqueness
- Sends your entire system environment, with a base64 hash of "now it is time to get everything" (lol)
- Here's the nasty bit... try { eval(message); } allows them to respond to any call with whatever arbitrary code they want.
Remember, since it's running as you - it has access to ~/.ssh, ~/.aws, .env.. Everything.
So basically as soon as you run npm install, they can start playing around with whatever commands they want to attempt, running from a background node.js process.
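As an added example (my own code, not the thread author's or anything from the repo described), here is a small pre-install audit that flags the two red flags the post describes before `npm install` runs anything: a lifecycle script in package.json that npm executes on its own, and a source line with code pushed off-screen behind a long run of whitespace that calls eval or similar. The file names, the `minPadding` threshold and the sample "prototype" contents are all constructed for the demonstration.

```javascript
// Added example, not code from the thread above: a pre-install audit that flags
// (1) package.json lifecycle hooks that npm runs by itself during install, and
// (2) source lines hiding code behind long whitespace runs that call eval-style APIs.
// All sample inputs below are constructed for the demonstration.

const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare',
  'prepublish', 'prepublishOnly',
]);

// Calls worth a human look. A match is a signal to review, not proof of malice.
const SUSPICIOUS_CALLS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { name: 'child_process', re: /\bchild_process\b/ },
  { name: 'host fingerprint', re: /\bos\.(hostname|userInfo|networkInterfaces|cpus)\s*\(/ },
  { name: 'base64 decode', re: /Buffer\.from\([^)]*,\s*['"]base64['"]\s*\)/ },
];

// Returns the scripts in package.json that npm runs without you asking.
function findInstallHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return Object.entries(scripts)
    .filter(([name]) => LIFECYCLE_HOOKS.has(name))
    .map(([hook, command]) => ({ hook, command }));
}

// Flags lines where code sits after `minPadding` or more spaces/tabs (off-screen in
// a web diff viewer) and lists which suspicious calls appear anywhere on the line.
function findHiddenCode(sourceText, minPadding = 80) {
  const hiddenRe = new RegExp(`^(.*?)[ \\t]{${minPadding},}(\\S.*)$`);
  const findings = [];
  sourceText.split('\n').forEach((line, i) => {
    const m = line.match(hiddenRe);
    const calls = SUSPICIOUS_CALLS.filter((c) => c.re.test(line)).map((c) => c.name);
    if (m || calls.length) {
      findings.push({ line: i + 1, hiddenTail: m ? m[2].slice(0, 60) : null, calls });
    }
  });
  return findings;
}

// Audits a { path: contents } map and decides whether to stop and read before installing.
function auditRepo(files) {
  const installHooks = files['package.json'] ? findInstallHooks(files['package.json']) : [];
  const hiddenCode = [];
  for (const [path, text] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(path)) continue;
    for (const f of findHiddenCode(text)) hiddenCode.push({ file: path, ...f });
  }
  const hookPlusHiddenEval =
    installHooks.length > 0 && hiddenCode.some((f) => f.hiddenTail && f.calls.length);
  const verdict = hookPlusHiddenEval
    ? 'do-not-install: lifecycle hook plus hidden eval-style code'
    : installHooks.length || hiddenCode.length
      ? 'review-before-install'
      : 'no-findings';
  return { installHooks, hiddenCode, verdict };
}

// Constructed sample "prototype" with the shape the post describes: a prepare hook
// and one line of code parked 200 spaces to the right of innocent-looking code.
const SAMPLE_FILES = {
  'package.json': JSON.stringify({
    name: 'demo-prototype',
    scripts: { prepare: 'node scripts/setup.js', test: 'jest' },
  }),
  'scripts/setup.js':
    "const config = require('./config');\n" +
    'module.exports = config;' + ' '.repeat(200) +
    'try { eval(message); } catch (e) {}\n',
};

console.log(JSON.stringify(auditRepo(SAMPLE_FILES), null, 2));
```

Run it over a cloned repo by reading each file into the map before you ever type `npm install`; the point is that the check costs nothing, while `prepare` running as your user costs everything in ~/.ssh and ~/.aws. `npm install --ignore-scripts` is the belt to go with these braces.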