New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack targeting various organizations, unlike typical nation-sponsored attacks. 

While primarily associated with BeaverTail and InvisibleFerret malware, SOCs have recently observed OtterCookie deployed within this campaign. 

OtterCookie exhibits distinct behavior from its predecessors, demonstrating the campaign’s evolution and expanding threat landscape, which highlights the importance of continuous monitoring and threat intelligence updates for organizations to effectively mitigate the risks posed by Contagious Interview.

Contagious Interview attacks, which exploit vulnerabilities in software development processes, are increasingly originating from diverse sources. 

While Node.js projects and npm packages remain common attack vectors, attackers are now targeting applications built with Qt and Electron frameworks, which demonstrates active experimentation by attackers to identify and exploit new vulnerabilities in the software supply chain.

Previous research documented loaders that fetch JSON data, extract a “cookie” property, and execute it as JavaScript code, as a similar pattern where loaders download JavaScript code directly, triggering a 500 HTTP status code and executing the code within the resulting catch block. 

This loader primarily delivers BeaverTail malware, though OtterCookie infections have been noted and also encountered instances of simultaneous OtterCookie and BeaverTail executions.

OtterCookie, a malware observed in November 2024, uses Socket.IO for remote communication and can execute shell commands (command) and steal device information (whour) upon receiving remote commands via the socketServer function. 

Analysis of the commands sent through the socketServer function revealed that OtterCookie collects cryptocurrency wallet keys from document, image, and cryptocurrency-related files and sends them to a remote server by using ls and cat commands for environment reconnaissance. 

The OtterCookie version that was released in November has improved capabilities for stealing cryptocurrency keys in comparison to the version that was released in September. 

While both versions can steal keys, November leverages remote shell commands for this purpose, whereas September relies on regular expression-based checks within the `checkForSensitiveData` function. 

November introduces clipboard monitoring functionality using the `clipboardy` library to exfiltrate sensitive data from the victim’s device to a remote location, a feature absent in the September OtterCookie.

According to NTT, contagious Interview, a threat actor group, has deployed a new malware variant called OtterCookie, which targets and steals browser cookies, potentially compromising user accounts. 

The attack vector remains under investigation, but the threat actor is actively evolving its tactics, as researchers have observed attacks in Japan, indicating a broadening geographical scope.