Palo Alto Networks reported in November 2023 that the North Korean-linked Contagious Interview campaign is a financially motivated operation targeting a broad range of organizations; unlike typical nation-state espionage, its objective is financial gain.
The campaign uses phishing and malware, among other techniques, to compromise systems and exfiltrate sensitive data. Japanese organizations should watch for the indicators of compromise associated with this threat actor.
OtterCookie is a malware family operating within the Contagious Interview campaign, distinct from the previously observed BeaverTail and InvisibleFerret.
It has its own execution flow and behaviour, such as fileless execution, particular evasion techniques, and targeted data exfiltration methods.
Attackers exploit vulnerabilities in Node.js projects, npm packages, and Qt and Electron applications, often distributed through code repositories such as GitHub and Bitbucket, and use the compromised software to move laterally within the target network and compromise additional systems.
Several reports describe loaders that execute OtterCookie: they retrieve JSON data from an external source, extract its “cookie” property, and execute that property's value as JavaScript code in the target environment.
The attacker exploits a server-side vulnerability, likely a code injection flaw, to inject malicious JavaScript into the server’s response; when the server attempts to process this invalid response, a 500 Internal Server Error results.
However, the catch block of the server’s error handling inadvertently executes the injected JavaScript, giving the attacker remote code execution on the server.
NTT's analysis covers the OtterCookie sample observed in November 2024, while acknowledging possible earlier use dating back to September 2024.
Although there are slight implementation differences between the two periods, the core functionality is consistent; the analysis focuses on the November implementation and highlights the key differences from the September version.
The November OtterCookie uses Socket.IO for remote communication and can execute shell commands and steal device information through its socketServer and whour functions, respectively.
Observed malicious activity included collecting cryptocurrency wallet keys from various file types (documents, images, cryptocurrency-related files) and transmitting those keys to a remote server.
Reconnaissance commands such as listing files (ls) and viewing their contents (cat) were also observed, used to assess the target environment.
The malware evolved from detecting Ethereum private keys with regular expressions in September to running remote shell commands in November, which significantly expanded its ability to steal cryptocurrency wallet keys.
By incorporating the ‘clipboardy’ library, the November OtterCookie gains clipboard exfiltration: it can read sensitive information such as login credentials or private messages from the victim’s clipboard and send it to a designated remote server, a capability absent from the September version.