Thursday, January 23, 2025
HomeCyber AttackNew 'OtterCookie' Malware Attacking Software Developers Via Fake Job Offers

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Published on

SIEM as a Service

Follow Us on Google News

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack targeting various organizations, unlike typical nation-sponsored attacks. 

While primarily associated with BeaverTail and InvisibleFerret malware, SOCs have recently observed OtterCookie deployed within this campaign. 

OtterCookie exhibits distinct behavior from its predecessors, demonstrating the campaign’s evolution and expanding threat landscape, which highlights the importance of continuous monitoring and threat intelligence updates for organizations to effectively mitigate the risks posed by Contagious Interview.

Execution Flow

Contagious Interview attacks, which exploit vulnerabilities in software development processes, are increasingly originating from diverse sources. 

While Node.js projects and npm packages remain common attack vectors, attackers are now targeting applications built with Qt and Electron frameworks, which demonstrates active experimentation by attackers to identify and exploit new vulnerabilities in the software supply chain.

Previous research documented loaders that fetch JSON data, extract a “cookie” property, and execute it as JavaScript code, as a similar pattern where loaders download JavaScript code directly, triggering a 500 HTTP status code and executing the code within the resulting catch block. 

This loader primarily delivers BeaverTail malware, though OtterCookie infections have been noted and also encountered instances of simultaneous OtterCookie and BeaverTail executions.

JavaScript code

OtterCookie, a malware observed in November 2024, uses Socket.IO for remote communication and can execute shell commands (command) and steal device information (whour) upon receiving remote commands via the socketServer function. 

Analysis of the commands sent through the socketServer function revealed that OtterCookie collects cryptocurrency wallet keys from document, image, and cryptocurrency-related files and sends them to a remote server by using ls and cat commands for environment reconnaissance. 

shell commands

The OtterCookie version that was released in November has improved capabilities for stealing cryptocurrency keys in comparison to the version that was released in September. 

While both versions can steal keys, November leverages remote shell commands for this purpose, whereas September relies on regular expression-based checks within the `checkForSensitiveData` function. 

November introduces clipboard monitoring functionality using the `clipboardy` library to exfiltrate sensitive data from the victim’s device to a remote location, a feature absent in the September OtterCookie.

According to NTT, contagious Interview, a threat actor group, has deployed a new malware variant called OtterCookie, which targets and steals browser cookies, potentially compromising user accounts. 

The attack vector remains under investigation, but the threat actor is actively evolving its tactics, as researchers have observed attacks in Japan, indicating a broadening geographical scope. 

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...