OtterCookie, new malware used in Contagious Interview campaign

OtterCookie, new malware used in Contagious Interview campaign | セキュリティナレッジ | NTTã‚»ã‚­ãƒ¥ãƒªãƒ†ã‚£ãƒ»ã‚¸ãƒ£ãƒ‘ãƒ³æ ªå¼ä¼šç¤¾ メニュー OtterCookie, new malware used in Contagious Interview campaign 2025.1.16 テクニカルブログ By Masaya Motoda, Rintaro Koike, Ryu Hiyoshi Published January 16, 2025 | Threat Intelligence his article is English version of “ Contagious Interviewが使用する新たなマルウェアOtterCookieについて ” translated by Ryu Hiyoshi, NTTSH SOC analyst. The original article was authored by our SOC analysts, Masaya Motoda and Rintaro Koike. Introduction It is said that Contagious Interview is an attack campaign related to North Korea and Palo Alto Networks published report on them in November 2023 [1]. Unlike common targeted attacks supported by a nation, Contagious Interview looks like to be motivated by money and its target is rather broader. Since our SOC occasionally observes security incidents by this campaign, Japanese organizations should pay close attention it. Since around November 2024, Our SOC observed the execution of unknown malware, neither BeaverTail nor InvisibleFerret, in Contagious Interview campaign. We named the newly observed malware OtterCookie and performed detailed research. In this article, we'll introduce its execution flow and detail behavior. Execution Flow Though Contagious Interview campaign employs various initial attack vectors, most of them start with Node.js projects or npm packages downloaded from GitHub or Bitbucket [2]. Recently, it is also reported that a file embedded in an application developed by Qt or Electron is also used as an initial attack vector. It suggests that the threat actors of Contagious Interview keep seeking new attack methods. Loader Some reports [3][4][5] introduce the loader that initiates OtterCookie. As introduced in these reports, it downloads JSON data from remote and executes its cookie property as JavaScript code. We also observed another loader that simply downloads and executes JavaScript code. In this case, the server returns HTTP status code 500 and JavaScript code executes the codes in "catch" block after transferring the control to the block. The loader launches BeaverTail in most cases, but it rarely launches OtterCookie. We also observed a case where it launches both OtterCookie and BeaverTail at the same time. OtterCookie It was November 2024 that we started observing OtterCookie, but it could have been used since September 2024. Though there are little differences in the implementations between September version and November version, the fundamental functions are the same. We'd like to introduce the remarkable differences based on the analysis result of November version. In November version, it uses Socket.IO to communicate with remote host and receive commands via socketServer function. We confirmed that is has functions to execute shell command ("command") or steal host information ("whour"). We closely observed the shell commands sent from a remote host, which were executed via "command". We confirmed that the shell commands collected and sent keys related to cryptocurrency wallet included in documents, pictures or cryptocurrency-related files. We also observed that it checked the environment via "ls" or "cat" command. In September version, a function to steal keys related cryptocurrency wallet is already implemented. For example, checkForSensitiveData function search Ethereum private keys using regular expression. In November version, it is realized by executing shell commands sent from a remote host. As shown below, in November version, it sends contents of local clipboard to a remote host using clipboardy library. But it isn't implemented in September version. Summary In this article, we introduced OtterCookie, a new malware used in Contagious Interview campaign. Since the threat actors of Contagious Interview keep seeking new attack methods actively and their attacks have already been observed in Japan, we should keep paying close attention on them. IoCs File Hashes (SHA256) d19ac8533ab14d97f4150973ffa810e987dea853bb85edffb7c2fcef13ad2106 7846a0a0aa90871f0503c430cc03488194ea7840196b3f7c9404e0a536dbb15e 4e0034e2bd5a30db795b73991ab659bda6781af2a52297ad61cae8e14bf05f79 32257fb11cc33e794fdfd0f952158a84b4475d46f531d4bee06746d15caf8236 IP Address and Domain Names 45[.]159.248.55 zkservice[.]cloud w3capi[.]marketing payloadrpc[.]com References [1] Palo Alto Networks, "Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors", https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/ [2] マクニカ, "北からのジョブオファー: ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢é–‹ç™ºè€ ã‚’ç‹™ã†Contagious Interview", https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html [3] Phylum, "North Korea Still Attacking Developers via npm", https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/ [4] Group-IB, "APT Lazarus: Eager Crypto Beavers, Video calls and Games", https://www.group-ib.com/blog/apt-lazarus-python-scripts/ [5] Zscaler, "From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West", https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west 記事をシェアする 関連記事 / おすすめ記事 TSG CTF 2025 pryspace Writeup 2026.4.8 テクニカルブログ WaterPlumが使用するマルウェアStoatWaffleについて 2026.3.17 テクニカルブログ StoatWaffle, malware used by WaterPlum 2026.3.17 テクニカルブログ Inquiry お問い合わせ お客様の業務課題に応じて、さまざまなソリューションの中から最適な組み合わせで、ご提案します。 お困りのことがございましたらお気軽にお問い合わせください。 お問い合わせはこちら サービスカタログダウンロード お問い合わせ