Thursday, January 30, 2025
HomeCyber AttackNew 'OtterCookie' Malware Attacking Software Developers Via Fake Job Offers

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Published on

SIEM as a Service

Follow Us on Google News

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack targeting various organizations, unlike typical nation-sponsored attacks. 

While primarily associated with BeaverTail and InvisibleFerret malware, SOCs have recently observed OtterCookie deployed within this campaign. 

OtterCookie exhibits distinct behavior from its predecessors, demonstrating the campaign’s evolution and expanding threat landscape, which highlights the importance of continuous monitoring and threat intelligence updates for organizations to effectively mitigate the risks posed by Contagious Interview.

Execution Flow

Contagious Interview attacks, which exploit vulnerabilities in software development processes, are increasingly originating from diverse sources. 

While Node.js projects and npm packages remain common attack vectors, attackers are now targeting applications built with Qt and Electron frameworks, which demonstrates active experimentation by attackers to identify and exploit new vulnerabilities in the software supply chain.

Previous research documented loaders that fetch JSON data, extract a “cookie” property, and execute it as JavaScript code, as a similar pattern where loaders download JavaScript code directly, triggering a 500 HTTP status code and executing the code within the resulting catch block. 

This loader primarily delivers BeaverTail malware, though OtterCookie infections have been noted and also encountered instances of simultaneous OtterCookie and BeaverTail executions.

JavaScript code

OtterCookie, a malware observed in November 2024, uses Socket.IO for remote communication and can execute shell commands (command) and steal device information (whour) upon receiving remote commands via the socketServer function. 

Analysis of the commands sent through the socketServer function revealed that OtterCookie collects cryptocurrency wallet keys from document, image, and cryptocurrency-related files and sends them to a remote server by using ls and cat commands for environment reconnaissance. 

shell commands

The OtterCookie version that was released in November has improved capabilities for stealing cryptocurrency keys in comparison to the version that was released in September. 

While both versions can steal keys, November leverages remote shell commands for this purpose, whereas September relies on regular expression-based checks within the `checkForSensitiveData` function. 

November introduces clipboard monitoring functionality using the `clipboardy` library to exfiltrate sensitive data from the victim’s device to a remote location, a feature absent in the September OtterCookie.

According to NTT, contagious Interview, a threat actor group, has deployed a new malware variant called OtterCookie, which targets and steals browser cookies, potentially compromising user accounts. 

The attack vector remains under investigation, but the threat actor is actively evolving its tactics, as researchers have observed attacks in Japan, indicating a broadening geographical scope. 

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions

Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol...

New SMS-Based Phishing Tool ‘DevilTraff’ Enables Mass Cyber Attacks

Cybersecurity experts are sounding the alarm about a new SMS-based phishing tool, Devil-Traff, that...

DeepSeek Database Publicly Exposed Sensitive Information, Secret Keys & Logs

Experts at Wiz Research have identified a publicly exposed ClickHouse database belonging to DeepSeek,...

OPNsense 25.1 Released, What’s New!

The highly anticipated release of OPNsense 25.1 has officially arrived! Nicknamed "Ultimate Unicorn," this...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions

Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol...

New SMS-Based Phishing Tool ‘DevilTraff’ Enables Mass Cyber Attacks

Cybersecurity experts are sounding the alarm about a new SMS-based phishing tool, Devil-Traff, that...

DeepSeek Database Publicly Exposed Sensitive Information, Secret Keys & Logs

Experts at Wiz Research have identified a publicly exposed ClickHouse database belonging to DeepSeek,...