Home Security North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

by


Dec 27, 2024Ravie LakshmananCryptocurrency / Cyber Espionage

North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie.

Contagious Interview (aka DeceptiveDevelopment) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into downloading malware under the guise of an interview process.

This involves distributing malware-laced videoconferencing apps or npm packages either hosted on GitHub or the official package registry, paving the way for the deployment of malware such as BeaverTail and InvisibleFerret.

Palo Alto Networks Unit 42, which first exposed the activity in November 2023, is tracking the cluster under the moniker CL-STA-0240. It’s also referred to as Famous Chollima and Tenacious Pungsan.

In September 2024, Singaporean cybersecurity company Group-IB documented the first major revision to the attack chain, highlighting the use of an updated version of BeaverTail that adopts a modular approach by offloading its information-stealing functionality to a set of Python scripts collectively tracked as CivetQ.

Cybersecurity

It’s worth noting at this stage that Contagious Interview is assessed to be disparate from Operation Dream Job, another long-running North Korean hacking campaign that also employs similar job-related decoys to trigger the malware infection process.

The latest findings from Japanese cybersecurity company NTT Security Holdings reveal that the JavaScript malware responsible for launching BeaverTail is also designed to fetch and execute OtterCookie. The new malware is said to have been introduced in September 2024, with a new version detected in the wild last month.

OtterCookie Malware

OtterCookie, upon running, establishes communications with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It’s designed to run shell commands that facilitate data theft, including files, clipboard content, and cryptocurrency wallet keys.

The older OtterCookie variant spotted in September is functionally similar, but incorporates a minor implementation difference wherein the cryptocurrency wallet key theft feature is directly built into the malware, as opposed to a remote shell command.

The development is a sign that the threat actors are actively updating their tools while leaving the infection chain largely untouched, a continued sign of the campaign’s effectiveness.

South Korea Sanctions 15 North Koreans for IT Worker Scam

It also comes as South Korea’s Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organization in connection with a fraudulent IT worker scheme orchestrated by its northern counterpart to illegally generate a steady source of income that can be funneled back to North Korea, steal data, and even demand ransoms in some cases.

There is evidence to suggest that the Famous Chollima threat cluster is behind the insider threat operation as well. It’s also called by various names, such as Nickel Tapestry, UNC5267, and Wagemole.

Cybersecurity

One of the 15 sanctioned individuals, Kim Ryu Song, was also indicted by the U.S. Department of Justice (DoJ) earlier this month for his alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations.

Also sanctioned by MoFA is the Chosun Geumjeong Economic Information Technology Exchange Company, which has been accused of dispatching a large number of IT personnel to China, Russia, Southeast Asia, and Africa for procuring funds for the regime by securing freelance or full-time jobs in Western companies.

These IT workers are said to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers’ Party of Korea.

“The 313th General Bureau […] dispatches many North Korean IT personnel overseas and uses the foreign currency earned to secure funds for nuclear and missile development, and is also involved in the development of software for the military sector,” the ministry said.

“North Korea’s illegal cyber activities are not only criminal acts that threaten the safety of the cyber ecosystem, but also pose a serious threat to international peace and security as they are used as funds for North Korea’s nuclear and missile development.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex