How Hackers Are Using JSON Storage Services to Steal Data
255A clever new tactic is making waves in the hacking world. The long-running Contagious Interview campaign is now hiding malware inside popular JSON storage services. These services, like JSON Keeper, JSONSilo, and npoint.io, are usually used by developers to store data. But now, bad actors are turning them into staging grounds for malicious payloads.
This campaign targets software developers across Windows, Linux, and macOS. Many of the targets are involved in crypto and Web3 projects. Hackers send fake messages from supposed recruiters or demo projects. These messages contain links to JSON files hosted on legitimate storage services. Once clicked, the JSON files load heavily obfuscated JavaScript code.
The Malicious Code and How It Works
The JavaScript code hosted on these JSON services is packed with obfuscation techniques. It uses methods like string concatenation, array manipulation, and packing to hide its true purpose. Once decoded, the script runs in a Node.js environment. It unpacks a tool called BeaverTail, which is an info-stealer. This malware gathers details about the system, browser wallets, documents, and more.
After BeaverTail collects data, it stages another malware called InvisibleFerret, a modular Remote Access Trojan (RAT). The whole process is designed to operate stealthily. Hackers embed layers of encoding, like XOR and base64, to evade detection. They also hide URLs and configurations inside seemingly innocent files, making it harder for defenders to spot malicious activity.
Why JSON Storage Services Are the New Attack Platform
Traditionally, hackers hosted malware on their own servers or compromised websites. But now, they’re exploiting legitimate services used by developers. Public repositories on GitLab and GitHub often contain configuration files referencing JSON storage URLs. These URLs point to servers hosting the obfuscated JavaScript.
This shift makes detection harder. Because the payloads are stored on trusted platforms, security tools might overlook them. The malware can sit dormant until triggered, then execute within the victim’s environment. Developers who work on crypto or Web3 projects are especially targeted because of the high value of their data.
What Developers and Security Teams Can Do
This campaign highlights the importance of good security hygiene. Developers should be cautious about opening files from unknown sources, especially in interviews or demo projects. Inspect configuration files for suspicious URLs or API keys pointing to JSON storage services.
Security teams should treat code provenance carefully. Running code in isolated environments or sandboxes is wise before executing any unknown scripts. Monitoring outbound traffic for connections to known malicious JSON URLs or command-and-control servers can help catch attacks early. Also, reviewing any external URLs or keys in configuration files can expose signs of tampering.
Researchers from NVISO Labs have identified several email addresses used to upload the malware, repositories hosting malicious code, and the command-and-control servers for BeaverTail and InvisibleFerret. They’ve also notified the affected JSON storage providers, who are working to remove the malicious content.
In summary, hackers are cleverly using legitimate developer tools and storage services to hide their malware. Staying vigilant, inspecting code carefully, and enforcing strict security practices are key to defending against this evolving threat.
What do you think?
It is nice to know your opinion. Leave a comment.