North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie. The campaign employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into downloading malware under the guise of an interview process. This involves distributing malware-laced files hosted either on GitHub or on the official package registry, paving the way for the deployment of malware such as BeaverTail and InvisibleFerret.
Palo Alto Networks Unit 42, which first identified the activity in November 2023, is tracking the cluster under the moniker CL-STA-0240. In September 2024, Singaporean cybersecurity company Group-IB highlighted the use of an updated version of BeaverTail that adopts a modular approach by offloading its information-stealing functionality to a set of Python scripts collectively tracked as CivetQ. The latest findings from Japanese cybersecurity company NTT Security Holdings indicate that the JavaScript malware responsible for launching BeaverTail is also designed to fetch and execute OtterCookie.
The new malware is said to have been introduced in September 2024, with a new version detected in the wild last month. OtterCookie, upon running, establishes communications with a command-and-control (C2) server using the Socket.IO JavaScript library and awaits further instructions. It’s designed to run shell commands that facilitate data theft, including the theft of files, clipboard content, and cryptocurrency wallet keys.
North Korean hackers’ OtterCookie deployment
The older OtterCookie variant spotted in September is functionally similar but incorporates a minor implementation difference: the cryptocurrency wallet key theft feature is built directly into the malware rather than being carried out through a remote shell command. The development indicates that the threat actors are actively updating their tools while leaving the infection chain largely untouched, a continued sign of the campaign’s effectiveness.
This news comes as South Korea’s Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organization in connection with a fraudulent IT worker scheme orchestrated by North Korea to illegally generate a steady source of income. These funds are funneled back to North Korea, often through data theft and other illicit means. One of the 15 sanctioned individuals, Kim Ryu Song, was also charged by the U.S. Department of Justice (DoJ) earlier this month for his alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations.
Also sanctioned by MoFA is the Chosun Geumjeong Economic Information Technology Exchange Company, which has been accused of dispatching IT personnel to China, Russia, Southeast Asia, and Africa to secure freelance or full-time jobs in Western companies and procure funds for the regime. These IT workers are said to be part of the 313th General Bureau, an organization under the Workers’ Party of Korea. “The 313th General Bureau dispatches many North Korean IT personnel overseas and uses the foreign currency earned to secure funds for nuclear and missile development, and is also involved in the development of software for the military sector,” the ministry said.
“North Korea’s illegal cyber activities are not only criminal acts that threaten the safety of the cyber ecosystem but also pose a serious threat to international peace and security as they are used as funds for North Korea’s nuclear and missile development.”