Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

North Korea actors use OtterCookie malware in Contagious Interview campaign

North Korea-linked threat actors are using the OtterCookie backdoor to target software developers with fake job offers. North Korea-linked threat actors were spotted using new malware called OtterCookie as part of the Contagious Interview campaign that targets software developer community with fake job offers. The Contagious Interview campaign was first detailed by Palo Alto Networks […]

OtterCookies backdoor North Korea

North Korea-linked threat actors are using the OtterCookie backdoor to target software developers with fake job offers.

North Korea-linked threat actors were spotted using new malware called OtterCookie as part of the Contagious Interview campaign that targets software developer community with fake job offers.

The Contagious Interview campaign was first detailed by Palo Alto Networks researchers in November 2023, however it has been active since at least December 2022. The attacks appear to be financially motivated and are not targeted. Since November 2024, threat actors employed the malware OtterCookie, alongside BeaverTail and InvisibleFerret, in the campaign.

“Since around November 2024, SOC has observed the execution of malware other than BeaverTail and InvisibleFerret in the Contagious Interview campaign.” reads the report published by NTT. “We call the newly observed malware OtterCookie and have investigated it. In this article, we will introduce OtterCookie, its execution flow and detailed behavior.”

The attack chain starts with malicious Node.js projects or npm packages downloaded from GitHub or Bitbucket. Attackers recently also used applications created using Qt or Electron, suggesting that threat actors are actively experimenting.

OtterCookies backdoor North Korea

Loaders for OtterCookie download JSON data from a remote source and execute the cookie property as JavaScript code. Attackers may also directly download and execute JavaScript, with control passing to a catch block when an HTTP 500 status code occurs. The loader primarily executes BeaverTail but has occasionally been observed running OtterCookie or both simultaneously.

OtterCookie was first observed in November 2024, however, experts believe it may have been active since September 2024, with minor implementation differences. The November version communicates via Socket.IO and can execute remote commands through the socketServer function, including executing shell commands and stealing device information (whour). Threat actors used shell commands to search for cryptocurrency wallet keys in document, image, and cryptocurrency-related files, which were then sent to a remote source. Attackers used commands like ls and cat to examine the target environment.

“Contagious Interview is actively experimenting and continuing to update its attack methods, and attacks have also been observed in Japan, so caution is advised.” concludes the report, which includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, OtterCookie)