A sophisticated and narrowly targeted social engineering campaign, dubbed "Contagious Interview" by Microsoft Threat Intelligence, is actively compromising software developers. The attack chain begins with a highly convincing lure: a fake job interview invitation for a lucrative developer role, often impersonating legitimate, well-known companies. These invitations are typically delivered via professional networking platforms like LinkedIn or through direct emails that appear to originate from corporate recruiters. The threat actors invest significant effort in building fake profiles and crafting credible job descriptions to establish trust with their high-value targets: professionals with access to proprietary code and critical systems.
Once a target engages, the attackers move the conversation to a mainstream messaging application such as Skype or WhatsApp. Under the guise of a technical screening, the "interviewer" sends the candidate a coding challenge or a project specification document. This file, often a simple archive (like a .RAR file) named to match the fake job (e.g., "Test_Project.rar"), is the primary attack vector. When the victim extracts and opens the contained file—usually a shortcut (.LNK) file—it triggers a complex, multi-stage infection process. This process ultimately deploys a powerful backdoor, identified by Microsoft as **DARKME** malware, which grants the attackers persistent, remote access to the victim's machine.
The technical execution of the attack is notably evasive. The initial .LNK file uses living-off-the-land techniques, leveraging legitimate Windows tools like `mshta.exe` to execute malicious JavaScript code. This script fetches the next-stage payload from an attacker-controlled server. The final payload, the DARKME backdoor, is a sophisticated piece of malware capable of file manipulation, data exfiltration, and executing arbitrary commands received from its command-and-control (C2) server. Its design allows it to blend in with normal system activity, making detection by traditional security software more challenging.
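The `mshta.exe` stage described above is the most detectable moment of the chain from an endpoint telemetry perspective. The following added example (not code from Microsoft's report or from the campaign) applies a simple hunting rule to constructed Sysmon-style process-creation records: it flags `mshta.exe` launches whose command line points at remote content or an inline script protocol handler, and weights the finding higher when the parent is an interactive process such as `explorer.exe` or an archive tool, which is what a double-clicked shortcut from an extracted archive looks like. The field names follow Sysmon Event ID 1; the sample records, the `example.invalid` URL and the parent-process list are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not
# real telemetry from the campaign; they exist only to exercise the rule below.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",              # LNK -> mshta -> remote script
     "CommandLine": "mshta.exe https://example.invalid/screening.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",              # inline script protocol handler
     "CommandLine": 'mshta.exe "javascript:window.close()"',
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",              # local HTA run by an installer
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",            # unrelated process
     "CommandLine": "notepad.exe Test_Project.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Remote content (http/https/UNC path) or an inline script protocol handler.
SCRIPT_SOURCE = re.compile(r"https?://|\\\\[^\s\\]+\\|\bjavascript:|\bvbscript:", re.I)
# Parents that indicate a user opened something (shell or archive tool), as a
# double-clicked .LNK would. Constructed list; extend it for your environment.
INTERACTIVE_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an mshta.exe launch looks suspicious, or None."""
    if basename(event["Image"]) != "mshta.exe":
        return None
    reasons = []
    if SCRIPT_SOURCE.search(event["CommandLine"]):
        reasons.append("remote-or-inline-script")
    parent = basename(event["ParentImage"])
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched-by-{parent}")
    return reasons or None

def scan(events):
    """Return (index, severity, reasons) for every event that matches the rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            severity = "high" if len(reasons) > 1 else "medium"
            hits.append((i, severity, reasons))
    return hits

if __name__ == "__main__":
    for i, severity, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {severity} -> {', '.join(reasons)}")
```

In a real deployment the same logic maps directly onto an EDR or SIEM query over process-creation events; the local-HTA case run by an installer is deliberately left unflagged to show where legitimate `mshta.exe` use can still occur.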
This campaign underscores a critical shift in cybercriminal tactics: the exploitation of professional ambition and the formal hiring process as a weapon. For developers and organizations, the implications are severe. A single compromised developer machine can serve as a beachhead for intellectual property theft, supply chain attacks, or further lateral movement into corporate networks. Defense requires heightened vigilance. Professionals should rigorously verify the identity of recruiters, be skeptical of interviews that skip standard HR channels, and never execute files from unverified sources. Organizations must reinforce security awareness training, specifically covering these novel social engineering vectors, and ensure robust endpoint detection and response (EDR) solutions are in place to catch such multi-stage intrusions.