New ‘OtterCookie’ malware used to backdoor devs in fake job offers

North Korean threat actors are using new malware called OtterCookie in the Contagious Interview campaign, which targets software developers.

Contagious Interview has been active since at least December 2022, according to researchers at cybersecurity company Palo Alto Networks. The campaign lures software developers with fake job offers to deliver malware such as BeaverTail and InvisibleFerret.

A report from NTT Security Japan notes that the Contagious Interview operation is now using a new piece of malware called OtterCookie, which was likely introduced in September, with a new variant appearing in the wild in November.

OtterCookie attack chain

Just like in the attacks documented by Palo Alto Networks’ Unit 42 researchers, OtterCookie is delivered via a loader that fetches JSON data from a remote server and executes the ‘cookie’ property as JavaScript code.

NTT says that, even though BeaverTail remains the most common payload, OtterCookie has been seen in some cases either deployed alongside BeaverTail or on its own.

The loader infects targets through Node.js projects or npm packages downloaded from GitHub or Bitbucket. However, files built as Qt or Electron applications have also been used recently.

Overview of the latest Contagious Interview attacks
Source: NTT Japan

Once active on the target system, OtterCookie establishes secure communications with its command and control (C2) infrastructure using the Socket.IO WebSocket library, and waits for commands.

The researchers observed shell commands that perform data theft (e.g. collecting cryptocurrency wallet keys, documents, images, and other valuable information).

“The September version of OtterCookie already included a built-in functionality to steal keys related to cryptocurrency wallets,” NTT explains.

“For example, the checkForSensitiveData function used regular expressions to check for Ethereum private keys,” the researchers note, adding that this changed with the November variant of the malware, where the same task is performed through remote shell commands.

Targeting cryptocurrency information
Source: NTT Japan

The latest version of OtterCookie can also exfiltrate clipboard data, which may contain sensitive information, to the threat actors.

Commands typically used for reconnaissance, like ‘ls’ and ‘cat’, were also detected, indicating the attacker’s intention to explore the environment and stage it for deeper infiltration or lateral movement.

The appearance of new malware and the diversification of infection methods indicate that the threat actors behind the Contagious Interview campaign are experimenting with new tactics.

Software developers should try to verify information about a potential employer and be wary of running code on personal or work computers as part of a job offer that requires a coding test.
