North Korean threat actors have modified their ongoing "Contagious Interview" campaign by incorporating Git hooks as a new malware delivery method. The attackers continue to target software developers through fraudulent job interview processes, but have shifted their technical approach to exploit legitimate Git functionality for malicious purposes.
The attack follows a social engineering pattern where threat actors impersonate recruiters and invite developers to participate in technical assessments. Victims receive requests to clone GitHub repositories that supposedly contain coding challenges or interview materials. These repositories appear legitimate on the surface but contain hidden malicious components designed to execute automatically.
The technical mechanism relies on Git hooks, which are scripts that Git runs automatically before or after events such as commit, push, or merge operations. By placing malicious code in these hook files within the repository, attackers can achieve automatic execution when developers perform routine Git operations. This method is particularly effective because Git hooks execute with the same permissions as the user running Git commands, and many developers may not routinely inspect hook directories when cloning repositories.
This campaign poses significant risk to the software development community, as developers frequently clone repositories as part of their normal workflow. The use of Git hooks represents a sophisticated evolution in delivery techniques, as it exploits trusted development tools rather than relying on obvious executable files or browser-based exploits. The cross-platform nature of Git means this attack vector can potentially affect developers on Windows, macOS, and Linux systems.
Developers should adopt several defensive practices to protect against this threat. Before cloning any repository, especially those received through unsolicited job offers, verify the legitimacy of both the opportunity and the requesting party through independent channels. After cloning any repository, inspect the .git/hooks directory for unexpected scripts before running any Git commands. Organizations should implement security awareness training that specifically addresses fake recruitment schemes and consider using Git configuration options that prevent automatic hook execution from untrusted sources.
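A pre-flight audit a developer can run on a freshly cloned repository before issuing any further Git command in it, written here as an added example rather than code from the article or its source. It assumes a standard .git layout and checks both the .git/hooks directory mentioned above and the core.hooksPath configuration key, which is what makes Git read hooks from a directory elsewhere (a plain clone never copies .git/hooks, so a redirected hooks path is the setting worth looking for); the sample checkout it builds is constructed for the demonstration and needs neither network access nor the git binary.

```shell
# Flags (1) hook scripts under .git/hooks other than Git's own *.sample
# placeholders and (2) a hooksPath entry in .git/config.
# Exit status is the number of findings, so 0 means nothing was flagged.
audit_git_hooks() {
  repo="$1"
  findings=0
  for f in "$repo"/.git/hooks/*; do
    [ -f "$f" ] || continue
    case "$f" in *.sample) continue ;; esac
    if [ -x "$f" ]; then
      echo "FLAG: executable hook $f"
    else
      echo "FLAG: hook file $f (not executable; Git skips it until it is)"
    fi
    findings=$((findings + 1))
  done
  if [ -f "$repo/.git/config" ]; then
    # Git config keys are case-insensitive, so match hooksPath in any case.
    hp=$(sed -n 's/^[[:space:]]*[Hh][Oo][Oo][Kk][Ss][Pp][Aa][Tt][Hh][[:space:]]*=[[:space:]]*//p' \
          "$repo/.git/config")
    if [ -n "$hp" ]; then
      echo "FLAG: core.hooksPath = $hp (hooks read from there, not .git/hooks)"
      findings=$((findings + 1))
    fi
  fi
  return "$findings"
}

# Constructed sample checkout for the demonstration: one planted hook script
# in .git/hooks plus a config that redirects hooks into the working tree.
make_sample_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/.git/hooks" "$d/.githooks"
  printf '#!/bin/sh\necho sample\n' > "$d/.git/hooks/pre-commit.sample"
  printf '#!/bin/sh\necho planted\n' > "$d/.git/hooks/post-checkout"
  chmod +x "$d/.git/hooks/post-checkout"
  printf '[core]\n\thooksPath = .githooks\n' > "$d/.git/config"
  echo "$d"
}

# Usage after cloning: audit_git_hooks /path/to/clone; echo "findings: $?"
```

Run it before the first commit, checkout or push in the new clone, since those are the operations that trigger hooks.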
Source: https://gbhackers.com/git-hooks-abused/